In modern network security, speed and scale matter as much as robustness. The volume of traffic, the variety of threats, and the demand for encrypted content inspection force traditional CPU-based firewalls into a trade-off between performance and depth of security. Fortinet's answer is its family of custom ASICs, particularly the Security Processing Units (SPUs), which are central to the performance of its FortiGate Next-Generation Firewalls (NGFWs). This article covers what SPUs are, how they work, their advantages, and real-world use cases.
What are SPUs
- SPU = Security Processing Unit: a Fortinet custom ASIC (Application-Specific Integrated Circuit) purpose-built to accelerate network security tasks beyond what general-purpose CPUs can efficiently handle.
- SPUs consolidate or offload processing for network functions, content inspection, SSL/TLS decryption, VPN, and other threat-protection tasks.
- They come in generations. For example, the SP5 is Fortinet’s fifth generation SPU.
SPUs do not function alone; they cooperate with other ASICs:
- Network Processors (NPs) that handle high-volume packet forwarding and network traffic offload.
- Content Processors (CPs) that accelerate content-intensive tasks like signature matching, deep packet inspection, antivirus, SSL decryption, etc.
How SPUs Work (Architecture & Offloads)
- Fast path / offload: Traffic that meets certain criteria (e.g. non-fragmented packets, supported encryption) may be offloaded to NPs or SPUs so that the CPU is not involved in every packet. This reduces CPU load dramatically.
- Integrated functions on chip: SP5, for example, consolidates network and content processing: firewall (Layer 7), application identification, overlay network traffic routing, threat protection, etc.
- VPN / IPsec acceleration: Hardware support in SPUs / NPs helps with encryption / decryption, IPsec session handling, etc., offloading intensive cryptographic operations from the CPU.
- Session handling & high concurrency: SPUs enable high numbers of concurrent sessions, fast session setup/teardown (important for many connections, e.g. mobile or IoT scenarios), and strong SSL inspection performance.
Key Metrics & Advantages
Fortinet publishes a measure called Security Compute Rating to compare SPU-equipped NGFWs with competing products that use general-purpose CPU architectures. Metrics in this rating include throughput (firewall, VPN), concurrent sessions, sessions per second, SSL inspection, and threat protection.
Some example numbers (from SP5) vs typical competitors:
| Metric | SP5 Performance | Approximate Multiplier Over CPUs / Competitors* |
| --- | --- | --- |
| | ~34 Gbps | ~8× |
| | ~30 Gbps | ~4× |
| | ~4.3 Gbps | ~9× |
| SSL inspection | ~3.3 Gbps | |
*Relative performance depends on configuration, traffic type, SSL usage, etc.
Other advantages:
- Power efficiency / space reduction: ASICs perform specific tasks more efficiently than general CPUs, consuming less power and producing lower latency.
- Consistent performance under load: ASICs avoid CPU bottlenecks, especially when threat protection, SSL inspections, etc. are enabled.
- Scalability: For environments that need thousands of IPsec tunnels, many concurrent sessions, etc., SPU-based appliances maintain performance. For example, Fortinet’s SecGW solution can support up to 200,000 VPN tunnels in some configurations.
Use Cases
- Mobile networks / Carrier-grade gateways (SecGW): High connection setup rates, very high number of tunnels, high throughput. ASIC acceleration is essential to meet SLAs.
- Data centers / Hyperscale environments: Large traffic volumes, many sessions, large-scale threat inspection, etc. SPUs and NPs optimize cost per throughput and reduce CPU load.
- TLS / SSL-heavy traffic: Because SPUs can offload cryptographic, decryption, and inspection workloads, they help maintain performance even when much of the traffic is encrypted.
Impact: Return on Investment & Operational Benefits
- Lower Total Cost of Ownership (TCO): Less CPU hardware, lower power consumption, lower cooling, fewer required firewall devices for a given throughput.
- Reduced latency and better user experience: Especially when inspecting SSL/TLS or handling large numbers of concurrent sessions, ASIC offload reduces delays.
- Security without compromise: You can enable more threat inspection and do not have to disable features because of performance penalties.
- Scalability for future growth: As traffic and security demands increase (e.g. more encrypted traffic, IoT endpoints), SPUs provide capacity to handle growth without massive hardware upgrades.
Recent Innovations
- SP5: fifth generation SPU, integrating both network and content processing in one chip.
- NP7 (Network Processor Gen 7): improves offload for network traffic, IPsec throughput, etc.
- CP9 (Content Processor Gen 9): handles heavy content inspection.
Conclusion
Fortinet’s SPUs are a core differentiator in NGFW performance. They enable higher throughput, better SSL/TLS inspection, more sessions, lower CPU load, and greater energy efficiency. For organizations facing increasing encrypted traffic, more complex threat vectors, and scalability demands, choosing SPU-powered appliances can deliver both performance and security without compromise.