
FortiGate-7000 Release Notes

New FortiGate-6000 and 7000E NP6 HPE options

The NP6 Host Protection Engine (HPE) includes the following new options, configured per NP6 processor (np6_0 is shown):

config system np6

edit np6_0

config hpe

set tcpsyn-ack-max <packets-per-second>

set tcpfin-rst-max <packets-per-second>

end

tcpsyn-ack-max prevents SYN_ACK reflection attacks by limiting the number of TCP SYN_ACK packets received per second. The range is 1000 to 1000000000 pps. The default is 600000 pps. In a TCP SYN_ACK reflection attack, the attacker sends large numbers of SYN_ACK packets without first sending SYN packets. These attacks can cause high CPU usage because the firewall assumes that the SYN_ACK packets are the first packets in a session, so they are processed by the CPU instead of by the NP6 processors.

tcpfin-rst-max limits the number of TCP FIN and RST packets received per second. The range is 1000 to 1000000000 pps. The default is 600000 pps.

Because both options cap the packets accepted per second, a value set below the rate of legitimate SYN_ACK or FIN/RST traffic seen by that NP6 will also discard legitimate packets. Lower the defaults only after measuring normal rates on the unit.
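The following Python model is an added illustration and is not FortiOS code, nor a description of how the NP6 implements its counters. It replays a constructed TCP packet stream (documentation-range addresses, an assumed inbound/outbound labelling) and shows the two things the text describes: SYN_ACK packets that arrive with no matching outbound SYN, which is the signature of a SYN_ACK reflection flood, and how many packets a given tcpsyn-ack-max or tcpfin-rst-max value would discard in each second. Discard-above-limit behaviour and the per-whole-second accounting are assumptions of the model; the 1000 to 1000000000 pps range and the 600000 pps default are taken from the text.

```python
"""Model of the NP6 HPE tcpsyn-ack-max / tcpfin-rst-max limits (illustration only)."""
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits (RFC 793 flags byte layout)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Range and default stated in the release notes text.
HPE_MIN_PPS, HPE_MAX_PPS, HPE_DEFAULT_PPS = 1_000, 1_000_000_000, 600_000


@dataclass(frozen=True)
class Pkt:
    ts: float       # seconds since capture start
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    inbound: bool   # True = arrives from the untrusted side (model assumption)


def classify(flags: int) -> str:
    """Bucket a packet the way the two HPE counters in the text do."""
    if flags & SYN and flags & ACK:
        return "synack"
    if flags & SYN:
        return "syn"
    if flags & (FIN | RST):
        return "finrst"
    return "other"


def check_pps(value: int) -> int:
    """Reject values outside the 1000 to 1000000000 pps range the CLI accepts."""
    if not HPE_MIN_PPS <= value <= HPE_MAX_PPS:
        raise ValueError(f"{value} pps is outside {HPE_MIN_PPS}-{HPE_MAX_PPS}")
    return value


def analyse(packets, tcpsyn_ack_max=HPE_DEFAULT_PPS, tcpfin_rst_max=HPE_DEFAULT_PPS):
    """Replay packets in time order; return (per-second stats, orphan SYN_ACK count).

    Only inbound packets count against the limits. Outbound SYNs are remembered
    so a later inbound SYN_ACK can be matched to the handshake that asked for it;
    an unmatched SYN_ACK is counted as reflected. Packets above a limit within a
    whole second are counted as dropped (model assumption).
    """
    check_pps(tcpsyn_ack_max)
    check_pps(tcpfin_rst_max)
    pending_syn = set()          # (our_ip, our_port, peer_ip, peer_port)
    orphan_synack = 0
    per_sec = defaultdict(lambda: {"synack": 0, "synack_dropped": 0,
                                   "finrst": 0, "finrst_dropped": 0})
    for p in sorted(packets, key=lambda p: p.ts):
        kind = classify(p.flags)
        if not p.inbound:
            if kind == "syn":
                pending_syn.add((p.src, p.sport, p.dst, p.dport))
            continue
        bucket = per_sec[int(p.ts)]
        if kind == "synack":
            key = (p.dst, p.dport, p.src, p.sport)
            if key in pending_syn:
                pending_syn.discard(key)
            else:
                orphan_synack += 1   # SYN_ACK we never asked for: reflection
            bucket["synack"] += 1
            if bucket["synack"] > tcpsyn_ack_max:
                bucket["synack_dropped"] += 1
        elif kind == "finrst":
            bucket["finrst"] += 1
            if bucket["finrst"] > tcpfin_rst_max:
                bucket["finrst_dropped"] += 1
    return dict(per_sec), orphan_synack


def build_sample():
    """Constructed traffic: one legitimate handshake in second 0, a 2500-packet
    SYN_ACK reflection burst in second 1, a 1200-packet RST burst in second 2."""
    pkts = [Pkt(0.1, "10.0.0.5", "203.0.113.10", 40000, 443, SYN, False),
            Pkt(0.2, "203.0.113.10", "10.0.0.5", 443, 40000, SYN | ACK, True)]
    for i in range(2500):
        pkts.append(Pkt(1.0 + i / 2500, f"198.51.100.{i % 200}", "10.0.0.5",
                        80, 10000 + i, SYN | ACK, True))
    for i in range(1200):
        pkts.append(Pkt(2.0 + i / 1200, f"198.51.100.{i % 200}", "10.0.0.5",
                        80, 20000 + i, RST | ACK, True))
    return pkts


if __name__ == "__main__":
    # The CLI minimum (1000 pps) is used so this small sample trips the limits;
    # at the 600000 pps defaults nothing in the sample would be discarded.
    stats, orphans = analyse(build_sample(), tcpsyn_ack_max=HPE_MIN_PPS,
                             tcpfin_rst_max=HPE_MIN_PPS)
    print(f"orphan SYN_ACKs: {orphans}")
    for sec, b in sorted(stats.items()):
        print(sec, b)
```

Run with the minimum limits, the sample reports 2500 orphan SYN_ACKs, 1500 SYN_ACKs discarded in second 1 and 200 RSTs discarded in second 2, while the legitimate handshake in second 0 passes; with the 600000 pps defaults the reflection is still detected but nothing is discarded, which is the trade-off the limit values control.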
