NSE 7 — Enterprise Firewall — Question 22
Which statement about network processor (NP) offloading is true?
Answer options
- A. The NP checks the session key or IPSec SA.
- B. The NP provides IPS signature matching.
- C. You can disable the NP for each firewall policy using the command np-acceleration set to loose.
- D. For TCP traffic, FortiGate CPU offloads the first packets of SYN/ACK and ACK of the three-way handshake to NP.
Correct answer: A
Explanation
Option A is correct because the network processor is responsible for checking the session key or IPSec Security Association (SA) to manage secure communications. Options B, C, and D are incorrect because they misrepresent the capabilities of the NP. Specifically, the NP does not provide IPS signature matching, it cannot be disabled for each policy with the mentioned command, and the CPU handles certain TCP traffic stages differently.