Monitoring FortiGate-6000 and 7000E NP6 HPE activity
You can use the following command to generate event log messages when the NP6 HPE blocks packets:
config monitoring npu-hpe
set status {enable | disable}
set interval <integer>
set multipliers <m1> <m2> ... <m12>
end
status
  Enable or disable HPE status monitoring.
interval
  The HPE status check interval, in seconds. The range is 1 to 60 seconds. The default interval is 1 second.
multipliers
  Set 12 multipliers to control how often an event log message is generated for each HPE packet type, in the following order:
  - tcpsyn-max (default 4)
  - tcpsyn-ack-max (default 4)
  - tcpfin-rst-max (default 4)
  - tcp-max (default 4)
  - udp-max (default 8)
  - icmp-max (default 8)
  - sctp-max (default 8)
  - esp-max (default 8)
  - ip-frag-max (default 8)
  - ip-others-max (default 8)
  - arp-max (default 8)
  - l2-others-max (default 8)
An event log is generated after every (interval × multiplier) seconds for any HPE type when drops occur for that HPE type. Increase the interval or individual multipliers to generate fewer event log messages.
An attack log is generated after every (4 × multiplier) continuous event log messages for that HPE type.
Example HPE monitoring configuration
config monitoring npu-hpe
set status enable
set interval 2
set multipliers 3 2 2 2 4 4 4 4 4 4 4 4
end
Monitor HPE activity without dropping packets
If you have enabled monitoring using the config monitoring npu-hpe command, you can use the following command to monitor HPE activity without causing the HPE to drop packets. This can be useful when testing HPE, allowing you to see how many packets the HPE would be dropping without actually affecting traffic.
diagnose npu np6 monitor-hpe {disable | enable} <np6-id>
This command is disabled by default. If you enable it, the HPE does not drop packets but, if monitoring is enabled, still generates log messages for the packets it would have dropped.
Since this is a diagnose command, monitoring the HPE without dropping packets will be disabled when the FortiGate restarts.
Sample HPE event log messages
date=2021-01-13 time=16:00:01 eventtime=1610582401563369503 tz="-0800" logid="0100034418" type="event" subtype="system" level="warning" vd="root" logdesc="NP6 HPE is dropping packets" msg="NPU HPE module is stop dropping packet types of:udp in NP6_0."
date=2021-01-13 time=16:00:00 eventtime=1610582400562601540 tz="-0800" logid="0100034418" type="event" subtype="system" level="warning" vd="root" logdesc="NP6 HPE is dropping packets" msg="NPU HPE module is likely dropping packets of one or more of these types:udp in NP6_0."
date=2021-01-13 time=15:59:59 eventtime=1610582399558325686 tz="-0800" logid="0100034419" type="event" subtype="system" level="critical" vd="root" logdesc="NP6 HPE under a packets flood" msg="NPU HPE module is likely under attack of:udp in NP6_0."
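The following is an added example, not part of the Fortinet documentation: a small Python parser that reads FortiGate key=value event log lines such as the three samples above, tracks the latest HPE state (dropping, cleared, or flood) per NP6 and packet type, and computes the event and attack log cadence from the interval × multiplier rules described earlier. The log IDs and message wording it matches on are taken only from the three sample lines; any other NP6 HPE message formats are not covered.

```python
import re

# Packet-type order of the 12 multipliers, as listed in the config description.
HPE_TYPES = ["tcpsyn-max", "tcpsyn-ack-max", "tcpfin-rst-max", "tcp-max",
             "udp-max", "icmp-max", "sctp-max", "esp-max", "ip-frag-max",
             "ip-others-max", "arp-max", "l2-others-max"]

# The three sample HPE log lines from the documentation (newest first, as shown there).
SAMPLE_LOGS = [
    'date=2021-01-13 time=16:00:01 eventtime=1610582401563369503 tz="-0800" logid="0100034418" type="event" subtype="system" level="warning" vd="root" logdesc="NP6 HPE is dropping packets" msg="NPU HPE module is stop dropping packet types of:udp in NP6_0."',
    'date=2021-01-13 time=16:00:00 eventtime=1610582400562601540 tz="-0800" logid="0100034418" type="event" subtype="system" level="warning" vd="root" logdesc="NP6 HPE is dropping packets" msg="NPU HPE module is likely dropping packets of one or more of these types:udp in NP6_0."',
    'date=2021-01-13 time=15:59:59 eventtime=1610582399558325686 tz="-0800" logid="0100034419" type="event" subtype="system" level="critical" vd="root" logdesc="NP6 HPE under a packets flood" msg="NPU HPE module is likely under attack of:udp in NP6_0."',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')          # key="quoted" or key=bare
_MSG = re.compile(r'(?:types|of):([\w,-]+) in (NP6_\d+)')  # "...of:udp in NP6_0"

def parse_log(line):
    """Split a FortiGate key=value log line into a dict, with quotes removed."""
    return {k: q or u for k, q, u in _KV.findall(line)}

def classify_hpe(fields):
    """Return the HPE verdict for one parsed line, or None if it is not an HPE log.
    Log IDs 0100034418 (dropping / stopped dropping) and 0100034419 (flood) are the
    only ones assumed here, taken from the sample messages."""
    if fields.get("logid") not in ("0100034418", "0100034419"):
        return None
    msg = fields.get("msg", "")
    m = _MSG.search(msg)
    if not m:
        return None
    if "under attack" in msg:
        state = "attack"
    elif "stop dropping" in msg:
        state = "cleared"
    else:
        state = "dropping"
    return {"np6": m.group(2), "types": m.group(1).split(","),
            "state": state, "time": fields.get("time")}

def hpe_state_per_np6(lines):
    """Replay lines oldest-first (by eventtime) and keep the latest state per NP6/type."""
    state = {}
    for f in sorted((parse_log(l) for l in lines), key=lambda f: int(f["eventtime"])):
        v = classify_hpe(f)
        if v:
            for t in v["types"]:
                state[(v["np6"], t)] = v["state"]
    return state

def log_cadence(interval, multipliers):
    """Per type: seconds between event logs (interval x multiplier) and the number of
    continuous event logs before an attack log (4 x multiplier), per the rules above."""
    if len(multipliers) != len(HPE_TYPES):
        raise ValueError("exactly 12 multipliers are required")
    return {t: {"event_log_every_s": interval * m, "attack_log_after_events": 4 * m}
            for t, m in zip(HPE_TYPES, multipliers)}
```

Feeding the three samples through hpe_state_per_np6 shows the flood on NP6_0 for udp was logged first, then the drop notice, and finally the "stop dropping" message clears it; log_cadence(2, [3, 2, 2, 2, 4, 4, 4, 4, 4, 4, 4, 4]) reproduces the example configuration's timing.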