Fortinet black logo

FortiGate-6000 Release Notes

FortiGate-7000F NP7 HPE changes

FortiGate-7000F NP7 HPE changes

The NP7 host protection engine (HPE) has been redesigned to apply DDoS protection according to each NPU host queue. This new design should result in more accurate and reliable protection for different network topologies

Use the following command to configure the NP7 host protection engine (HPE) to apply DDoS protection by limiting the number of packets per second received for various packet types per host queue by each NP7 processor. This rate limiting is applied very efficiently because it is done in hardware by the NP7 processor.

config system npu

config hpe

set all-protocol <packets-per-second>

set tcpsyn-max <packets-per-second>

set tcpsyn-ack-max <packets-per-second>

set tcpfin-rst-max <packets-per-second>

set tcp-max <packets-per-second>

set udp-max <packets-per-second>

set icmp-max <packets-per-second>

set sctp-max <packets-per-second>

set esp-max <packets-per-second>

set ip-frag-max <packets-per-second>

set ip-others-max <packets-per-second>

set arp-max <packets-per-second>

set l2-others-max <packets-per-second>

set high-priority <packets-per-second>

set enable-shaper {disable | enable}

end

Command Description Default
enable-shaper {disable | enable} Enable or disable HPE DDoS protection. disable

all-protocol

Maximum packet rate of each host queue for all traffic except high priority traffic. The range is 0 to 40000000 pps. Set to 0 to disable.

400000

tcpsyn-max Limit the maximum number of TCP SYN packets received per second. The range is 1000 to 40000000 pps. 40000

tcpsyn-ack-max

Prevent SYN_ACK reflection attacks by limiting the number of TCP SYN_ACK packets received per second. The range is 1000 to 40000000 pps. TCP SYN_ACK reflection attacks consist of an attacker sends large amounts of SYN_ACK packets without first sending SYN packets. These attacks can cause high CPU usage because the firewall assumes that these SYN_ACK packets are the first packets in a session, so the packets are processed by the CPU instead of the NP7 processors.

40000

tcpfin-rst-max

Limit the maximum number of TCP FIN and RST packets received per second. The range is 1000 to 40000000 pps.

40000

tcp-max Limit the maximum number of TCP packets received per second that are not filtered by tcpsyn-max, tcpsyn-ack-max, or tcpfin-rst-max. The range is 1000 to 40000000 pps. 40000
udp-max Limit the maximum number of UDP packets received per second. The range is 1000 to 40000000 pps. 40000
icmp-max Limit the maximum number of ICMP packets received. The range is 1000 to 40000000 pps. 20000
sctp-max Limit the maximum number of SCTP packets received. The range is 1000 to 40000000 pps. 20000
esp-max Limit the maximum number of ESP packets received. The range is 1000 to 40000000 pps. 20000
ip-frag-max Limit the maximum number of fragmented IP packets received. The range is 1000 to 40000000 pps. 20000
ip-others-max Limit the maximum number of other types of IP packets received. Other packet types cannot be set with other HPE options. The range is 1000 to 40000000 pps. 20000
arp-max Limit the maximum number of ARP packets received. The range is 1000 to 40000000 pps. 20000
l2-others-max Limit the maximum number of other layer-2 packets that are not ARP packets. The range is 1000 to 40000000 pps. This option limits the following types of packets: HA heartbeat and session sync, LACP/802.3ad, FortiSwitch heartbeat, and wireless-controller CAPWAP. 20000
high-priority

Set the maximum overflow limit for high priority traffic. The range is 1000 to 40000000 pps.

This overflow is applied to the following types of traffic that are treated as high-priority by the NP7 processor:

  • HA heartbeat
  • LACP/802.3ad
  • OSPF
  • BGP
  • IKE
  • SLBC
  • BFD

This option adds an overflow for high priority traffic, causing the HPE to allow more of these high priority packets to be accepted by the NP7 processor. The overflow is added to the maximum number of packets allowed by HPE based on the other HPE settings. For example, the NP7 processor treats IKE traffic as high priority; so the HPE limits IKE traffic to udp-max + pri-type-max pps, which works out to 125000 + 40000 = 165000 pps.

In some cases, you may not want the overflow to apply to BGP, SLBC or BFD traffic. See FortiGate-7000F NP7 HPE changes for details.

400000

HPE diagnose command

Use the following command to display HPE configuration and status information. The command displays information for a single NP7 processor, by default NP7_0. You can optionally include the NP ID to display information for one of the other NP7 processors. The following command displays information for NP7_2..

diagnose npu np7 hpe 2

[NP7_2]
Queue  Type         NPU-min   NPU-max   CFG-min(pps) CFG-max(pps) Pkt-credit
0      high-priority39731     39731     40000        40000        0         
0      TCP-syn      39731     39731     40000        40000        0         
0      TCP-synack   39731     39731     40000        40000        0         
0      TCP-finrst   39731     39731     40000        40000        0         
0      TCP          39731     39731     40000        40000        0         
0      UDP          39731     39731     40000        40000        0         
0      ICMP         19865     19865     20000        20000        0         
0      SCTP         19865     19865     20000        20000        0         
0      ESP          19865     19865     20000        20000        0         
0      IP-Frag      19865     19865     20000        20000        0         
0      IP_others    19865     19865     20000        20000        0         
0      ARP          19865     19865     20000        20000        0         
0      l2_others    19865     19865     20000        20000        0         
0      all-protocol 39731     39731     40000        40000        0         
---------------------------------------------------------------------------
HPE HW pkt_credit:11080 , tsref_inv:50000, tsref_gap:32, hpe_refskip:0 , hif->nr_ring:40

Note:
 NPU-min and NPU-max: The register reading of max and min value for each queue in NPU.
 CFG-min(pps): the setting value of hpe configuration in CLI command and
               it is packet per second rate limit for each host rx queue of NPU.
 CFG-max(pps): The value is CFG-min of hpe configuration in CLI command.

Monitoring HPE activity

You can use the following command to generate event log messages when the HPE drops packets:

config monitoring npu-hpe

set status {disable | enable}

set interval <interval>

set multipliers <12*multipliers>

end

status enable or disable HPE status monitoring.

interval HPE status check interval in seconds. The range is 1 to 60 seconds. The default interval is 1 second.

multipliers set 12 multipliers to control how often an even log is generated for each HPE option in the following order:

  1. tcpsyn-max default 4

  2. tcpsyn-ack-max default 4

  3. tcpfin-rst-max default 4

  4. tcp-max default 4

  5. udp-max default 8

  6. icmp-max default 8

  7. sctp-max default 8

  8. esp-max default 8

  9. ip-frag-max default 8

  10. ip-others-max default 8

  11. arp-max default 8

  12. l2-others-max default 8

An event log is generated after every (interval * multiplier) seconds for each HPE option when drops occur for that HPE type. Increase the interval or individual multipliers to generate fewer event log messages.

An attack log is generated after every (4 * multiplier) continuous event logs.

FortiGate-7000F NP7 HPE changes

The NP7 host protection engine (HPE) has been redesigned to apply DDoS protection according to each NPU host queue. This new design should result in more accurate and reliable protection for different network topologies

Use the following command to configure the NP7 host protection engine (HPE) to apply DDoS protection by limiting the number of packets per second received for various packet types per host queue by each NP7 processor. This rate limiting is applied very efficiently because it is done in hardware by the NP7 processor.

config system npu

config hpe

set all-protocol <packets-per-second>

set tcpsyn-max <packets-per-second>

set tcpsyn-ack-max <packets-per-second>

set tcpfin-rst-max <packets-per-second>

set tcp-max <packets-per-second>

set udp-max <packets-per-second>

set icmp-max <packets-per-second>

set sctp-max <packets-per-second>

set esp-max <packets-per-second>

set ip-frag-max <packets-per-second>

set ip-others-max <packets-per-second>

set arp-max <packets-per-second>

set l2-others-max <packets-per-second>

set high-priority <packets-per-second>

set enable-shaper {disable | enable}

end

Command Description Default
enable-shaper {disable | enable} Enable or disable HPE DDoS protection. disable

all-protocol

Maximum packet rate of each host queue for all traffic except high priority traffic. The range is 0 to 40000000 pps. Set to 0 to disable.

400000

tcpsyn-max Limit the maximum number of TCP SYN packets received per second. The range is 1000 to 40000000 pps. 40000

tcpsyn-ack-max

Prevent SYN_ACK reflection attacks by limiting the number of TCP SYN_ACK packets received per second. The range is 1000 to 40000000 pps. TCP SYN_ACK reflection attacks consist of an attacker sends large amounts of SYN_ACK packets without first sending SYN packets. These attacks can cause high CPU usage because the firewall assumes that these SYN_ACK packets are the first packets in a session, so the packets are processed by the CPU instead of the NP7 processors.

40000

tcpfin-rst-max

Limit the maximum number of TCP FIN and RST packets received per second. The range is 1000 to 40000000 pps.

40000

tcp-max Limit the maximum number of TCP packets received per second that are not filtered by tcpsyn-max, tcpsyn-ack-max, or tcpfin-rst-max. The range is 1000 to 40000000 pps. 40000
udp-max Limit the maximum number of UDP packets received per second. The range is 1000 to 40000000 pps. 40000
icmp-max Limit the maximum number of ICMP packets received. The range is 1000 to 40000000 pps. 20000
sctp-max Limit the maximum number of SCTP packets received. The range is 1000 to 40000000 pps. 20000
esp-max Limit the maximum number of ESP packets received. The range is 1000 to 40000000 pps. 20000
ip-frag-max Limit the maximum number of fragmented IP packets received. The range is 1000 to 40000000 pps. 20000
ip-others-max Limit the maximum number of other types of IP packets received. Other packet types cannot be set with other HPE options. The range is 1000 to 40000000 pps. 20000
arp-max Limit the maximum number of ARP packets received. The range is 1000 to 40000000 pps. 20000
l2-others-max Limit the maximum number of other layer-2 packets that are not ARP packets. The range is 1000 to 40000000 pps. This option limits the following types of packets: HA heartbeat and session sync, LACP/802.3ad, FortiSwitch heartbeat, and wireless-controller CAPWAP. 20000
high-priority

Set the maximum overflow limit for high priority traffic. The range is 1000 to 40000000 pps.

This overflow is applied to the following types of traffic that are treated as high-priority by the NP7 processor:

  • HA heartbeat
  • LACP/802.3ad
  • OSPF
  • BGP
  • IKE
  • SLBC
  • BFD

This option adds an overflow for high priority traffic, causing the HPE to allow more of these high priority packets to be accepted by the NP7 processor. The overflow is added to the maximum number of packets allowed by HPE based on the other HPE settings. For example, the NP7 processor treats IKE traffic as high priority; so the HPE limits IKE traffic to udp-max + pri-type-max pps, which works out to 125000 + 40000 = 165000 pps.

In some cases, you may not want the overflow to apply to BGP, SLBC or BFD traffic. See FortiGate-7000F NP7 HPE changes for details.

400000

HPE diagnose command

Use the following command to display HPE configuration and status information. The command displays information for a single NP7 processor, by default NP7_0. You can optionally include the NP ID to display information for one of the other NP7 processors. The following command displays information for NP7_2..

diagnose npu np7 hpe 2

[NP7_2]
Queue  Type         NPU-min   NPU-max   CFG-min(pps) CFG-max(pps) Pkt-credit
0      high-priority39731     39731     40000        40000        0         
0      TCP-syn      39731     39731     40000        40000        0         
0      TCP-synack   39731     39731     40000        40000        0         
0      TCP-finrst   39731     39731     40000        40000        0         
0      TCP          39731     39731     40000        40000        0         
0      UDP          39731     39731     40000        40000        0         
0      ICMP         19865     19865     20000        20000        0         
0      SCTP         19865     19865     20000        20000        0         
0      ESP          19865     19865     20000        20000        0         
0      IP-Frag      19865     19865     20000        20000        0         
0      IP_others    19865     19865     20000        20000        0         
0      ARP          19865     19865     20000        20000        0         
0      l2_others    19865     19865     20000        20000        0         
0      all-protocol 39731     39731     40000        40000        0         
---------------------------------------------------------------------------
HPE HW pkt_credit:11080 , tsref_inv:50000, tsref_gap:32, hpe_refskip:0 , hif->nr_ring:40

Note:
 NPU-min and NPU-max: The register reading of max and min value for each queue in NPU.
 CFG-min(pps): the setting value of hpe configuration in CLI command and
               it is packet per second rate limit for each host rx queue of NPU.
 CFG-max(pps): The value is CFG-min of hpe configuration in CLI command.

Monitoring HPE activity

You can use the following command to generate event log messages when the HPE drops packets:

config monitoring npu-hpe

set status {disable | enable}

set interval <interval>

set multipliers <12*multipliers>

end

status enable or disable HPE status monitoring.

interval HPE status check interval in seconds. The range is 1 to 60 seconds. The default interval is 1 second.

multipliers set 12 multipliers to control how often an even log is generated for each HPE option in the following order:

  1. tcpsyn-max default 4

  2. tcpsyn-ack-max default 4

  3. tcpfin-rst-max default 4

  4. tcp-max default 4

  5. udp-max default 8

  6. icmp-max default 8

  7. sctp-max default 8

  8. esp-max default 8

  9. ip-frag-max default 8

  10. ip-others-max default 8

  11. arp-max default 8

  12. l2-others-max default 8

An event log is generated after every (interval * multiplier) seconds for each HPE option when drops occur for that HPE type. Increase the interval or individual multipliers to generate fewer event log messages.

An attack log is generated after every (4 * multiplier) continuous event logs.