FortiGate-7000 Release Notes

Monitoring FortiGate-6000 and 7000E NP6 HPE activity

You can use the following command to generate event log messages when the NP6 HPE blocks packets:

config monitoring npu-hpe
    set status {enable | disable}
    set interval <integer>
    set multipliers <m1> <m2> ... <m12>
end

status: Enable or disable HPE status monitoring.

interval: The HPE status check interval, in seconds. The range is 1 to 60 seconds. The default interval is 1 second.

multipliers: Set 12 multipliers to control how often an event log message is generated for each HPE packet type, in the following order:

  • tcpsyn-max default 4

  • tcpsyn-ack-max default 4

  • tcpfin-rst-max default 4

  • tcp-max default 4

  • udp-max default 8

  • icmp-max default 8

  • sctp-max default 8

  • esp-max default 8

  • ip-frag-max default 8

  • ip-others-max default 8

  • arp-max default 8

  • l2-others-max default 8

An event log is generated after every (interval × multiplier) seconds for any HPE type when drops occur for that HPE type. Increase the interval or individual multipliers to generate fewer event log messages.

An attack log is generated after every (4 × multiplier) consecutive event log messages for that HPE type.

Example HPE monitoring configuration

config monitoring npu-hpe
    set status enable
    set interval 2
    set multipliers 3 2 2 2 4 4 4 4 4 4 4 4
end

Monitor HPE activity without dropping packets

If you have enabled monitoring using the config monitoring npu-hpe command, you can use the following command to monitor HPE activity without causing the HPE to drop packets. This can be useful when testing HPE, allowing you to see how many packets the HPE would be dropping without actually affecting traffic.

diagnose npu np6 monitor-hpe {disable | enable} <np6-id>

This command is disabled by default. If you enable it, the HPE will not drop packets, but, if monitoring is enabled, it will still generate log messages for the packets that would have been dropped.

Since this is a diagnose command, monitoring the HPE without dropping packets will be disabled when the FortiGate restarts.

Sample HPE event log messages

date=2021-01-13 time=16:00:01 eventtime=1610582401563369503 tz="-0800" logid="0100034418" type="event" subtype="system" level="warning" vd="root" logdesc="NP6 HPE is dropping packets" msg="NPU HPE module is stop dropping packet types of:udp in NP6_0."

date=2021-01-13 time=16:00:00 eventtime=1610582400562601540 tz="-0800" logid="0100034418" type="event" subtype="system" level="warning" vd="root" logdesc="NP6 HPE is dropping packets" msg="NPU HPE module is likely dropping packets of one or more of these types:udp in NP6_0."

date=2021-01-13 time=15:59:59 eventtime=1610582399558325686 tz="-0800" logid="0100034419" type="event" subtype="system" level="critical" vd="root" logdesc="NP6 HPE under a packets flood" msg="NPU HPE module is likely under attack of:udp in NP6_0."
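The following is an added example, not code from Fortinet's documentation. It models the logging cadence described above for the config monitoring npu-hpe settings (event log every interval × multiplier seconds, attack log after 4 × multiplier consecutive event logs) and parses the three sample HPE log lines into structured events a SIEM rule could act on. Beyond what the page states, it assumes the 12 multipliers are given in the documented order, that logid 0100034418 is the warning message and 0100034419 the critical flood message (as in the samples), and that multiple packet types in one msg would be comma-separated (the samples show only one).

```python
"""Added example (not Fortinet's own code): model the cadence of the
'config monitoring npu-hpe' settings and parse NP6 HPE event log lines.

Assumptions beyond what the page states: the 12 multipliers are in the
documented order; log lines use the key=value format of the samples;
logid 0100034418 is the warning (dropping / stopped dropping) message and
0100034419 the critical flood message; several packet types in one msg
would be comma-separated.
"""
import re

# Documented order of the 12 HPE packet types and their default multipliers.
HPE_TYPES = [
    ("tcpsyn-max", 4), ("tcpsyn-ack-max", 4), ("tcpfin-rst-max", 4),
    ("tcp-max", 4), ("udp-max", 8), ("icmp-max", 8), ("sctp-max", 8),
    ("esp-max", 8), ("ip-frag-max", 8), ("ip-others-max", 8),
    ("arp-max", 8), ("l2-others-max", 8),
]

# The three sample log lines from the page (newest first, as printed there).
SAMPLE_LOGS = [
    'date=2021-01-13 time=16:00:01 eventtime=1610582401563369503 tz="-0800" logid="0100034418" type="event" subtype="system" level="warning" vd="root" logdesc="NP6 HPE is dropping packets" msg="NPU HPE module is stop dropping packet types of:udp in NP6_0."',
    'date=2021-01-13 time=16:00:00 eventtime=1610582400562601540 tz="-0800" logid="0100034418" type="event" subtype="system" level="warning" vd="root" logdesc="NP6 HPE is dropping packets" msg="NPU HPE module is likely dropping packets of one or more of these types:udp in NP6_0."',
    'date=2021-01-13 time=15:59:59 eventtime=1610582399558325686 tz="-0800" logid="0100034419" type="event" subtype="system" level="critical" vd="root" logdesc="NP6 HPE under a packets flood" msg="NPU HPE module is likely under attack of:udp in NP6_0."',
]


def hpe_log_cadence(interval, multipliers=None):
    """Per HPE type: (event log period in s, event logs before an attack log,
    seconds of continuous drops before the first attack log).

    Event log every interval x multiplier seconds while drops continue;
    attack log after 4 x multiplier consecutive event logs.
    """
    if not 1 <= interval <= 60:
        raise ValueError("interval must be 1..60 seconds")
    mults = [m for _, m in HPE_TYPES] if multipliers is None else list(multipliers)
    if len(mults) != len(HPE_TYPES):
        raise ValueError("exactly 12 multipliers are required")
    cadence = {}
    for (name, _), m in zip(HPE_TYPES, mults):
        period = interval * m
        logs_before_attack = 4 * m
        cadence[name] = (period, logs_before_attack, period * logs_before_attack)
    return cadence


# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Split a FortiGate key=value log line into a dict (quotes stripped)."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


# All three sample msg values end with ":<types> in NP6_<n>."
HPE_MSG_RE = re.compile(r":([\w,-]+) in (NP6_\d+)")


def classify_hpe_log(fields):
    """Return (kind, np6_unit, packet_types) for an HPE log line, else None."""
    logid = fields.get("logid")
    if logid not in ("0100034418", "0100034419"):
        return None
    msg = fields.get("msg", "")
    m = HPE_MSG_RE.search(msg)
    types = m.group(1).split(",") if m else []   # comma separator is an assumption
    unit = m.group(2) if m else None
    if logid == "0100034419":
        kind = "flood"          # critical: attack log after 4 x multiplier event logs
    elif "stop dropping" in msg:
        kind = "drops-stopped"  # warning: HPE no longer dropping this type
    else:
        kind = "dropping"       # warning: drops (or would-be drops under monitor-hpe)
    return kind, unit, types


def hpe_timeline(lines):
    """Chronological list of (time, kind, unit, types) for the HPE events in lines."""
    events = []
    for line in lines:
        f = parse_fortigate_log(line)
        c = classify_hpe_log(f)
        if c:
            events.append((int(f["eventtime"]), f["time"], *c))
    events.sort()
    return [e[1:] for e in events]


if __name__ == "__main__":
    # Cadence for the page's example configuration (interval 2, custom multipliers).
    for name, (p, n, s) in hpe_log_cadence(2, [3, 2, 2, 2, 4, 4, 4, 4, 4, 4, 4, 4]).items():
        print(f"{name:16} event log every {p:3}s, attack log after {n:2} logs ({s}s)")
    for ev in hpe_timeline(SAMPLE_LOGS):
        print(ev)
```

With the example configuration, tcpsyn-max drops produce an event log every 6 seconds and an attack log after 12 of them (72 seconds of continuous drops), while udp-max takes 8 seconds per event log and 16 logs (128 seconds) before the critical message. The timeline view sorts by eventtime rather than by the order the device prints, which is what a correlation rule should key on.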