New FortiGate-6000 and 7000E NP6 HPE options
The NP6 Host Protection Engine (HPE) includes the following new options:
config system np6
  edit np6_0
    config hpe
      set tcpsyn-max <packets-per-second>
      set tcpsyn-ack-max <packets-per-second>
      set tcpfin-rst-max <packets-per-second>
    end
tcpsyn-ack-max
Prevent SYN_ACK reflection attacks by limiting the number of TCP SYN_ACK packets received per second. The range is 1000 to 1000000000 pps. The default is 600000 pps. A TCP SYN_ACK reflection attack consists of an attacker sending large numbers of SYN_ACK packets without first sending SYN packets. These attacks can cause high CPU usage because the firewall assumes that each SYN_ACK packet is the first packet of a session, so the packets are processed by the CPU instead of being offloaded to the NP6 processors.
tcpfin-rst-max
Limit the maximum number of TCP FIN and RST packets received per second. The range is 1000 to 1000000000 pps. The default is 600000 pps.
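The following is an added example, not Fortinet code: it sizes tcpsyn-ack-max and tcpfin-rst-max from per-second packet counters, flags the seconds in which the SYN_ACK rate exceeded the limit (the seconds an analyst would review for reflection traffic), and renders the CLI block with values checked against the documented range. The counter samples are constructed; the np6_0 unit name and the headroom factor are assumptions.

```python
# Added example (not Fortinet code): size the NP6 HPE SYN_ACK and FIN/RST
# limits from observed per-second counters and render the CLI block.
HPE_MIN_PPS = 1_000          # documented lower bound of the range
HPE_MAX_PPS = 1_000_000_000  # documented upper bound of the range
HPE_DEFAULT_PPS = 600_000    # documented default for both options

# Constructed samples: (second, syn_pps, syn_ack_pps, fin_rst_pps), as a
# monitoring system might export them for one FortiGate interface.
SAMPLES = [
    (0, 12_000, 11_800, 9_000),
    (1, 12_500, 12_100, 9_400),
    (2, 11_900, 11_700, 8_800),
    (3, 12_200, 850_000, 9_100),   # SYN_ACK flood with no matching SYNs
    (4, 12_400, 900_000, 9_300),
    (5, 12_100, 11_900, 9_000),
]

def flag_reflection(samples, limit=HPE_DEFAULT_PPS):
    """Seconds in which inbound SYN_ACK pps exceeded the HPE limit, i.e.
    where the engine starts dropping and an analyst should look."""
    return [sec for (sec, _syn, syn_ack, _fr) in samples if syn_ack > limit]

def baseline(samples, column, limit=HPE_DEFAULT_PPS):
    """Values of one counter column taken only from seconds that stayed
    under the SYN_ACK limit, so the flood does not inflate the baseline."""
    return [s[column] for s in samples if s[2] <= limit]

def recommend_limit(values, headroom=5.0):
    """Peak of normal traffic times a headroom factor (assumed value),
    clamped to the range the option accepts."""
    return min(HPE_MAX_PPS, max(HPE_MIN_PPS, int(max(values) * headroom)))

def render_hpe_config(syn_ack_max, fin_rst_max, unit="np6_0"):
    """Render the CLI block; reject values outside the documented range."""
    for value in (syn_ack_max, fin_rst_max):
        if not HPE_MIN_PPS <= value <= HPE_MAX_PPS:
            raise ValueError(f"{value} pps outside {HPE_MIN_PPS}-{HPE_MAX_PPS}")
    return "\n".join([
        "config system np6",
        f"  edit {unit}",
        "    config hpe",
        f"      set tcpsyn-ack-max {syn_ack_max}",
        f"      set tcpfin-rst-max {fin_rst_max}",
        "    end",
        "  next",
        "end",
    ])

if __name__ == "__main__":
    print("over limit in seconds:", flag_reflection(SAMPLES))
    print(render_hpe_config(recommend_limit(baseline(SAMPLES, 2)),
                            recommend_limit(baseline(SAMPLES, 3))))
```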