Fortinet Document Library

Version:

Version:

Version:

Version:

Version:


Table of Contents

Hardware Acceleration

Configuring NP7 processors

You can use the config system npu command to configure a wide range of settings for each of the NP7 processors in your FortiGate, including adjusting session accounting and session timeouts. As well you can set anomaly checking for IPv4 and IPv6 traffic.

You can also enable and adjust Host Protection Engine (HPE) settings to protect networks from DoS attacks by categorizing incoming packets based on packet rate and processing cost and applying packet shaping to packets that can cause DoS attacks.

The settings that you configure for an NP7 processor with the config system npu command apply to traffic processed by all interfaces connected to that NP7 processor. This includes the physical interfaces connected to the NP7 processor as well as all VLAN interfaces, IPsec interfaces, LAGs, and so on associated with the physical interfaces connected to the NP7 processor.

config system npu

set dedicated-management-cpu {disable | enable}

set ipsec-ob-np-sel {RR | packet | hash}

set fastpath {disable | enable}

set capwap-offload {disable | enable}

set default-qos-type {policing | shaping}

set inbound-dscp-copy {disable | enable}

set per-session-accounting {disable | enable | traffic-log-only}

set session-acct-interval <seconds>

set max-session-timeout <seconds>

set mcast-session-accounting {tpe-based | session-based | disable}

config port-npu-map

edit <interface-name>

set npu-group-index {0 | 1 | 2}

config dos-options

set npu-dos-meter-mode {global | local}

set npu-dos-tpe-mode {disable | enable}

config hpe

set tcpsyn-max <packets-per-second>

set tcp-max <packets-per-second>

set udp-max <packets-per-second>

set icmp-max <packets-per-second>

set sctp-max <packets-per-second>

set esp-max <packets-per-second>

set ip-frag-max <packets-per-second>

set ip-others-max <packets-per-second>

set arp-max <packets-per-second>

set l2-others-max <packets-per-second>

set pri-type-max <packets-per-second>

set enable-shaper {disable | enable}

config priority-protocol

set bgp {disable | enable}

set slbc {disable | enable}

set bfd {disable | enable}

config fp-anomaly

set tcp-syn-fin {allow | drop | trap-to-host}

set tcp-fin-noack {allow | drop | trap-to-host}

set tcp-fin-only {allow | drop | trap-to-host}

set tcp-no-flag {allow | drop | trap-to-host}

set tcp-syn-data {allow | drop | trap-to-host}

set tcp-winnuke {allow | drop | trap-to-host}

set tcp-land {allow | drop | trap-to-host}

set udp-land {allow | drop | trap-to-host}

set icmp-land {allow | drop | trap-to-host}

set icmp-frag {allow | drop | trap-to-host}

set ipv4-land {allow | drop | trap-to-host}

set ipv4-proto-err {allow | drop | trap-to-host}

set ipv4-unknopt {allow | drop | trap-to-host}

set ipv4-optrr {allow | drop | trap-to-host}

set ipv4-optssrr {allow | drop | trap-to-host}

set ipv4-optlsrr {allow | drop | trap-to-host}

set ipv4-optstream {allow | drop | trap-to-host}

set ipv4-optsecurity {allow | drop | trap-to-host}

set ipv4-opttimestamp {allow | drop | trap-to-host}

set ipv4-csum-err {drop | trap-to-host}

set tcp-csum-err {drop | trap-to-host}

set udp-csum-err {drop | trap-to-host}

set icmp-csum-err {drop | trap-to-host}

set ipv6-land {allow | drop | trap-to-host}

set ipv6-proto-err {allow | drop | trap-to-host}

set ipv6-unknopt {allow | drop | trap-to-host}

set ipv6-saddr-err {allow | drop | trap-to-host}

set ipv6-daddr-err {allow | drop | trap-to-host}

set ipv6-optralert {allow | drop | trap-to-host}

set ipv6-optjumbo {allow | drop | trap-to-host}

set ipv6-opttunnel {allow | drop | trap-to-host}

set ipv6-opthomeaddr {allow | drop | trap-to-host}

set ipv6-optnsap {allow | drop | trap-to-host}

set ipv6-optendpid {allow | drop | trap-to-host}

set ipv6-optinvld {allow | drop | trap-to-host}

config ip-reassembly

set min_timeout <micro-seconds>

set max_timeout <micro-seconds>

set status {disable | enable}

end

end

dedicated-management-cpu {disable | enable}

Enable dedicating CPU 0 for management tasks. See Dedicated management CPU. Disabled by default.

ipsec-ob-np-sel {RR | packet | hash}

For future use.

fastpath {disable | enable)

Use the following command to enable or disable offloading to NP7 processors:

config system npu

set fastpath {disable | enable}

end

fastpath set to enable (the default) to enable offloading sessions to NP7 processors. Set to disable if you do not want traffic offloaded to NP7 processors.

capwap-offload {disable | enable}

Enable/disable offloading managed FortiAP and FortiLink CAPWAP sessions to the NP7 processor. Enabled by default.

default-qos-type {policing | shaping}

Set the QoS type used by the NP7 for traffic shaping. The FortiGate restarts after changing this setting. See NP7 queue-based traffic management.

inbound-dscp-copy {disable | enable}

Disabled by default, you can enable this option to copy the DSCP value from the ESP header to the inner IP Header for incoming packets. This feature can be used in situations where the network is expecting a DSCP value in the inner IP header but the traffic has the DSCP value in the ESP header.

per-session-accounting {disable | enable | traffic-log-only}

Disable NP7 per-session accounting or enable it and control how it works.

Where:

enable enables per-session accounting for all traffic offloaded by the NP7 processor.

disable turns off per-session accounting.

traffic-log-only (the default) turns on NP7 per-session accounting for traffic accepted by firewall policies that have traffic logging enabled.

Enabling per-session accounting can affect NP7 offloading performance.

For more information, see Per-session accounting for offloaded NP7 sessions.

session-acct-interval <seconds>

Change the session accounting update interval. The default is to send an update every 5 seconds. The range is 1 to 10 seconds.

For more information, see Changing the per-session accounting interval.

max-session-timeout <seconds>

Change the maximum time interval for refreshing NPU-offloaded sessions. The default refresh time is 40 seconds. The range is 10 to 1000 seconds.

To free up NP7 memory you can reduce this session timeout so that inactive sessions are removed from the session table more often. However, if your NP7 is processing sessions with long lifetimes, you can increase the max-session-timeout to reduce how often the system checks for and removes inactive sessions,

mcast-session-accounting {tpe-based | session-based | disable}

Use this option to configure multicast session accounting.

Where:

tpe-based (the default) enables TPE-based multicast session accounting.

session-based enables session-based multicast session accounting.

disable disables multicast session accounting.

For more information, see Enabling multicast per-session accounting.

config port-npu-map

Use the following command to configure the NPU port map:

config system npu

config port-npu-map

edit <interface-name>

set npu-group-index {0 | 1 | 2}

end

You can use the port map to assign data interfaces to NP7 links.

Each NP7 has two 100-Gigabit KR links, numbered 0 and 1. Traffic passes to the NP7 over these links. By default the two links operate as a LAG that distributes sessions to the NP7 processor. You can configure the NPU port map to assign interfaces to use one or the other of the NP7 links instead of sending sessions over the LAG.

npu-group-index can be:

  • 0, assign the interface to NP#0, the default, the interface is connected to the LAG. Traffic from the interface is distributed to both links.
  • 1, assign the interface to NP#0-link0, to connect the interface to NP7 link 0. Traffic from the interface is set to link 0.
  • 2, assign the interface to NP#0-link1, to connect the interface to NP7 link 1. Traffic from the interface is set to link 1.

For example, use the following syntax to assign the FortiGate-1800F front panel 40Gigabit interfaces 37 and 38 to NPU link0 and interfaces 39 and 40 to NPU link 2. The resulting configuration splits traffic from the 40Gigabit interfaces between the two NP7 links:

config system npu

config port-npu-map

edit port37

set npu-group-index 1

next

edit port38

set npu-group-index 1

next

edit port39

set npu-group-index 2

next

edit port40

set npu-group-index 2

end

end

You can use the diagnose npu np7 port-list command to see the current NPU port map configuration and the diagnose npu np7 cgmac-stats <npu-id> command to show how traffic is distributed to the NP7 links.

config dos-options

Us the following command to configure some NP7 DoS protection settings:

config system npu

config dos-options

set npu-dos-meter-mode {global | local}

set npu-dos-tpe-mode {disable | enable}

end

For more information, see DoS policy hardware acceleration.

config hpe

The NP7 host protection engine (HPE) uses NP7 processors to protect the FortiGate CPU from excessive amounts of ingress traffic, which typically occurs during DDoS attacks or network problems (for example an ARP flood due to a network loop). You can use the HPE to prevent ingress traffic received on data interfaces connected to NP7 processors from overloading the FortiGate CPU.

You configure the HPE by enabling it and setting traffic thresholds. The HPE then acts like a traffic shaper, dropping packets that exceed the configured traffic thresholds.

The HPE does not affect offloaded traffic, just CPU traffic. The HPE is not as granular as DoS policies and should be used as a first level of protection.

DoS policies can be used as a second level of protection. For information about DoS policies, see DoS protection.

config system npu

config hpe

set tcpsyn-max <packets-per-second>

set tcp-max <packets-per-second>

set udp-max <packets-per-second>

set icmp-max <packets-per-second>

set sctp-max <packets-per-second>

set esp-max <packets-per-second>

set ip-frag-max <packets-per-second>

set ip-others-max <packets-per-second>

set arp-max <packets-per-second>

set l2-others-max <packets-per-second>

set pri-type-max <packets-per-second>

set enable-shaper {disable | enable}

end

Command Description Default
enable-shaper {disable | enable} Enable or disable HPE DDoS protection. disable
tcpsyn-max Limit the maximum number of TCP SYN packets received per second. The range is 1000 to 1000000000 pps. 125000
tcp-max Limit the maximum number of non-SYN TCP packets received per second. The range is 1000 to 1000000000 pps. 125000
udp-max Limit the maximum number of UDP packets received per second. The range is 10,000 to 4,000,000,000 pps. 125000
icmp-max Limit the maximum number of ICMP packets received. The range is 1000 to 1000000000 pps. 40000
sctp-max Limit the maximum number of SCTP packets received. The range is 1000 to 1000000000 pps. 40000
esp-max Limit the maximum number of ESP packets received. The range is 1000 to 1000000000 pps. 40000
ip-frag-max Limit the maximum number of fragmented IP packets received. The range is 1000 to 1000000000 pps. 40000
ip-others-max Limit the maximum number of other types of IP packets received. The range is 1000 to 1000000000 pps. 40000
arp-max Limit the maximum number of ARP packets received. The range is 1000 to 1000000000 pps. 40000
l2-others-max Limit the maximum number of other layer-2 packets received. The range is 1000 to 1000000000 pps. This option limits the following types of packets: HA heartbeat and session sync, LACP/802.3ad, FortiSwitch heartbeat, and wireless-controller CAPWAP. 40000

pri-type-max

Set the maximum overflow limit for high priority traffic. The range is 0 to 1000000000 pps.

This overflow is applied to the following types of traffic that are treated as high-priority by the NP7 processor:

  • HA heartbeat
  • LACP/802.3ad
  • OSPF
  • BGP
  • IKE
  • SLBC
  • BFD

This option adds an overflow for high priority traffic, causing the HPE to allow more of these high priority packets to be accepted by the NP7 processor. The overflow is added to the maximum number of packets allowed by HPE based on the other HPE settings. For example, the NP7 processor treats IKE traffic as high priority; so the HPE limits IKE traffic to udp-max + pri-type-max pps, which works out to 125000 + 40000 = 165000 pps.

In some cases, you may not want the overflow to apply to BGP, SLBC or BFD traffic. See config priority-protocol for details.

40000

config priority-protocol

Use the following command to adjust the priority of BGP, SLBC, and BFD packets received by NP7 processors to reduce the amount of this traffic allowed by the HPE.

config system npu

config priority-protocol

set bgp {disable | enable}

set slbc {disable | enable}

set bfd {disable | enable}

end

By default, all options are set to enable and BGP, SLBC, and BFD packets are treated by the NP7 as high priority traffic and the HPE adds the HPE pri-type-max overflow to the allowed packets per second for these traffic types. In some cases, the pri-type-max overflow can allow excessive amounts of BGP, SLBC, and BFD traffic that can cause problems such as route flapping and CPU spikes. If you encounter this problem, or for other reasons you can use the config priority-protocol command to set BGP, SLBC, or BFD traffic to low priority, bypassing the HPE pri-type-max overflow. For more information about the NP7 HPE, see config hpe.

Caution

Changing these traffic types to low priority can cause problems if your FortiGate is actively processing traffic. Fortinet recommends that you make changes with this command during a maintenance window and then monitor your system to make sure its working properly once it gets busy again.

If bgp is set to enable (the default), the HPE limits BGP syn packets to tcpsyn-max + pri-type-max pps and limits other BGP traffic to tcp-max + pri-type-max pps. If bgp is set to disable, the HPE limits BGP syn packets to tcpsyn-max pps and other BGP traffic to tcp-max pps. If your network is using the BGP protocol, you can keep this option enabled to allow for higher volumes of BGP traffic. If your network should not see any BGP traffic you can disable this option to limit BGP traffic to lower pps.

If slbc is set to enable (the default), the HPE limits SLBC traffic to udp-max + pri-type-max pps. If slbc is set to disable, theHPE limits SLBC traffic to udp-max pps. If your FortiGate is in a SLBC configuration, slbc should be enabled. Otherwise you can choose to disable it.

If bfd is set to enable (the default), the HPE limits BFD traffic to udp-max + pri-type-max pps. If bfd is set to disable, the HPE limits BFD traffic to udp-max pps.

config fp-anomaly

Use the following command to configure the NP7 traffic anomaly protection:

config system npu

config fp-anomaly

set tcp-syn-fin {allow | drop | trap-to-host}

set tcp-fin-noack {allow | drop | trap-to-host}

set tcp-fin-only {allow | drop | trap-to-host}

set tcp-no-flag {allow | drop | trap-to-host}

set tcp-syn-data {allow | drop | trap-to-host}

set tcp-winnuke {allow | drop | trap-to-host}

set tcp-land {allow | drop | trap-to-host}

set udp-land {allow | drop | trap-to-host}

set icmp-land {allow | drop | trap-to-host}

set icmp-frag {allow | drop | trap-to-host}

set ipv4-land {allow | drop | trap-to-host}

set ipv4-proto-err {allow | drop | trap-to-host}

set ipv4-unknopt {allow | drop | trap-to-host}

set ipv4-optrr {allow | drop | trap-to-host}

set ipv4-optssrr {allow | drop | trap-to-host}

set ipv4-optlsrr {allow | drop | trap-to-host}

set ipv4-optstream {allow | drop | trap-to-host}

set ipv4-optsecurity {allow | drop | trap-to-host}

set ipv4-opttimestamp {allow | drop | trap-to-host}

set ipv4-csum-err {drop | trap-to-host}

set tcp-csum-err {drop | trap-to-host}

set udp-csum-err {drop | trap-to-host}

set icmp-csum-err {drop | trap-to-host}

set ipv6-land {allow | drop | trap-to-host}

set ipv6-proto-err {allow | drop | trap-to-host}

set ipv6-unknopt {allow | drop | trap-to-host}

set ipv6-saddr-err {allow | drop | trap-to-host}

set ipv6-daddr-err {allow | drop | trap-to-host}

set ipv6-optralert {allow | drop | trap-to-host}

set ipv6-optjumbo {allow | drop | trap-to-host}

set ipv6-opttunnel {allow | drop | trap-to-host}

set ipv6-opthomeaddr {allow | drop | trap-to-host}

set ipv6-optnsap {allow | drop | trap-to-host}

set ipv6-optendpid {allow | drop | trap-to-host}

set ipv6-optinvld {allow | drop | trap-to-host}

end

In most cases you can configure the NP7 processor to allow or drop the packets associated with an attack or forward the packets that are associated with the attack to FortiOS (called trap-to-host). Selecting trap-to-host turns off NP7 anomaly protection for that anomaly.

If you select trap-to-host for an anomaly protection option, you can use a DoS policy to configure anomaly protection for that anomaly. If you set the policy-offload-level NPU setting to dos-offload, DoS policy anomaly protection is offloaded to the NP7.

Command Description Default
tcp-syn-fin {allow | drop | trap-to-host} Detects TCP SYN flood SYN/FIN flag set anomalies. allow
tcp-fin-noack {allow | drop | trap-to-host} Detects TCP SYN flood with FIN flag set without ACK setting anomalies. trap-to-host
tcp-fin-only {allow | drop | trap-to-host} Detects TCP SYN flood with only FIN flag set anomalies. trap-to-host
tcp-no-flag {allow | drop | trap-to-host} Detects TCP SYN flood with no flag set anomalies. allow
tcp-syn-data {allow | drop | trap-to-host} Detects TCP SYN flood packets with data anomalies. allow
tcp-winnuke {allow | drop | trap-to-host} Detects TCP WinNuke anomalies. trap-to-host
tcp-land {allow | drop | trap-to-host} Detects TCP land anomalies. trap-to-host
udp-land {allow | drop | trap-to-host} Detects UDP land anomalies. trap-to-host
icmp-land {allow | drop | trap-to-host} Detects ICMP land anomalies. trap-to-host
icmp-frag {allow | drop | trap-to-host} Detects Layer 3 fragmented packets that could be part of a layer 4 ICMP anomalies. allow
ipv4-land {allow | drop | trap-to-host} Detects IPv4 land anomalies. trap-to-host
ipv4-proto-err {allow | drop | trap-to-host} Detects invalid layer 4 protocol anomalies. For information about the error codes that are produced by setting this option to drop, see NP6 anomaly error codes. trap-to-host
ipv4-unknopt {allow | drop | trap-to-host} Detects unknown option anomalies. trap-to-host
ipv4-optrr {allow | drop | trap-to-host} Detects IPv4 with record route option anomalies. trap-to-host
ipv4-optssrr {allow | drop | trap-to-host} Detects IPv4 with strict source record route option anomalies. trap-to-host
ipv4-optlsrr {allow | drop | trap-to-host} Detects IPv4 with loose source record route option anomalies. trap-to-host
ipv4-optstream {allow | drop | trap-to-host} Detects stream option anomalies. trap-to-host
ipv4-optsecurity {allow | drop | trap-to-host} Detects security option anomalies. trap-to-host
ipv4-opttimestamp {allow | drop | trap-to-host} Detects timestamp option anomalies. trap-to-host
ipv4-csum-err {drop | trap-to-host} Detects IPv4 checksum errors. drop
tcp-csum-err {drop | trap-to-host} Detects TCP checksum errors. drop
udp-csum-err {drop | trap-to-host} Detects UDP checksum errors. drop
icmp-csum-err {drop | trap-to-host} Detects ICMP checksum errors. drop
ipv6-land {allow | drop | trap-to-host} Detects IPv6 land anomalies trap-to-host
ipv6-unknopt {allow | drop | trap-to-host} Detects unknown option anomalies. trap-to-host
ipv6-saddr-err {allow | drop | trap-to-host} Detects source address as multicast anomalies. trap-to-host
ipv6-daddr-err {allow | drop | trap-to-host} Detects destination address as unspecified or loopback address anomalies. trap-to-host
ipv6-optralert {allow | drop | trap-to-host} Detects router alert option anomalies. trap-to-host
ipv6-optjumbo {allow | drop | trap-to-host} Detects jumbo options anomalies. trap-to-host
ipv6-opttunnel {allow | drop | trap-to-host} Detects tunnel encapsulation limit option anomalies. trap-to-host
ipv6-opthomeaddr {allow | drop | trap-to-host} Detects home address option anomalies. trap-to-host
ipv6-optnsap {allow | drop | trap-to-host} Detects network service access point address option anomalies. trap-to-host
ipv6-optendpid {allow | drop | trap-to-host} Detects end point identification anomalies. trap-to-host
ipv6-optinvld {allow | drop | trap-to-host} Detects invalid option anomalies. trap-to-host

config ip-reassembly

Use the following command to enable IP reassembly, which configures the NP7 processor to reassemble fragmented IP packets:

config system npu

config ip-reassembly

set min_timeout <micro-seconds>

set max_timeout <micro-seconds>

set status {disable | enable}

end

For more information, see Reassembling and offloading fragmented packets.

Configuring NP7 processors

You can use the config system npu command to configure a wide range of settings for each of the NP7 processors in your FortiGate, including adjusting session accounting and session timeouts. As well you can set anomaly checking for IPv4 and IPv6 traffic.

You can also enable and adjust Host Protection Engine (HPE) settings to protect networks from DoS attacks by categorizing incoming packets based on packet rate and processing cost and applying packet shaping to packets that can cause DoS attacks.

The settings that you configure for an NP7 processor with the config system npu command apply to traffic processed by all interfaces connected to that NP7 processor. This includes the physical interfaces connected to the NP7 processor as well as all VLAN interfaces, IPsec interfaces, LAGs, and so on associated with the physical interfaces connected to the NP7 processor.

config system npu

set dedicated-management-cpu {disable | enable}

set ipsec-ob-np-sel {RR | packet | hash}

set fastpath {disable | enable}

set capwap-offload {disable | enable}

set default-qos-type {policing | shaping}

set inbound-dscp-copy {disable | enable}

set per-session-accounting {disable | enable | traffic-log-only}

set session-acct-interval <seconds>

set max-session-timeout <seconds>

set mcast-session-accounting {tpe-based | session-based | disable}

config port-npu-map

edit <interface-name>

set npu-group-index {0 | 1 | 2}

config dos-options

set npu-dos-meter-mode {global | local}

set npu-dos-tpe-mode {disable | enable}

config hpe

set tcpsyn-max <packets-per-second>

set tcp-max <packets-per-second>

set udp-max <packets-per-second>

set icmp-max <packets-per-second>

set sctp-max <packets-per-second>

set esp-max <packets-per-second>

set ip-frag-max <packets-per-second>

set ip-others-max <packets-per-second>

set arp-max <packets-per-second>

set l2-others-max <packets-per-second>

set pri-type-max <packets-per-second>

set enable-shaper {disable | enable}

config priority-protocol

set bgp {disable | enable}

set slbc {disable | enable}

set bfd {disable | enable}

config fp-anomaly

set tcp-syn-fin {allow | drop | trap-to-host}

set tcp-fin-noack {allow | drop | trap-to-host}

set tcp-fin-only {allow | drop | trap-to-host}

set tcp-no-flag {allow | drop | trap-to-host}

set tcp-syn-data {allow | drop | trap-to-host}

set tcp-winnuke {allow | drop | trap-to-host}

set tcp-land {allow | drop | trap-to-host}

set udp-land {allow | drop | trap-to-host}

set icmp-land {allow | drop | trap-to-host}

set icmp-frag {allow | drop | trap-to-host}

set ipv4-land {allow | drop | trap-to-host}

set ipv4-proto-err {allow | drop | trap-to-host}

set ipv4-unknopt {allow | drop | trap-to-host}

set ipv4-optrr {allow | drop | trap-to-host}

set ipv4-optssrr {allow | drop | trap-to-host}

set ipv4-optlsrr {allow | drop | trap-to-host}

set ipv4-optstream {allow | drop | trap-to-host}

set ipv4-optsecurity {allow | drop | trap-to-host}

set ipv4-opttimestamp {allow | drop | trap-to-host}

set ipv4-csum-err {drop | trap-to-host}

set tcp-csum-err {drop | trap-to-host}

set udp-csum-err {drop | trap-to-host}

set icmp-csum-err {drop | trap-to-host}

set ipv6-land {allow | drop | trap-to-host}

set ipv6-proto-err {allow | drop | trap-to-host}

set ipv6-unknopt {allow | drop | trap-to-host}

set ipv6-saddr-err {allow | drop | trap-to-host}

set ipv6-daddr-err {allow | drop | trap-to-host}

set ipv6-optralert {allow | drop | trap-to-host}

set ipv6-optjumbo {allow | drop | trap-to-host}

set ipv6-opttunnel {allow | drop | trap-to-host}

set ipv6-opthomeaddr {allow | drop | trap-to-host}

set ipv6-optnsap {allow | drop | trap-to-host}

set ipv6-optendpid {allow | drop | trap-to-host}

set ipv6-optinvld {allow | drop | trap-to-host}

config ip-reassembly

set min_timeout <micro-seconds>

set max_timeout <micro-seconds>

set status {disable | enable}

end

end

dedicated-management-cpu {disable | enable}

Enable dedicating CPU 0 for management tasks. See Dedicated management CPU. Disabled by default.

ipsec-ob-np-sel {RR | packet | hash}

For future use.

fastpath {disable | enable)

Use the following command to enable or disable offloading to NP7 processors:

config system npu

set fastpath {disable | enable}

end

fastpath set to enable (the default) to enable offloading sessions to NP7 processors. Set to disable if you do not want traffic offloaded to NP7 processors.

capwap-offload {disable | enable}

Enable/disable offloading managed FortiAP and FortiLink CAPWAP sessions to the NP7 processor. Enabled by default.

default-qos-type {policing | shaping}

Set the QoS type used by the NP7 for traffic shaping. The FortiGate restarts after changing this setting. See NP7 queue-based traffic management.

inbound-dscp-copy {disable | enable}

Disabled by default, you can enable this option to copy the DSCP value from the ESP header to the inner IP Header for incoming packets. This feature can be used in situations where the network is expecting a DSCP value in the inner IP header but the traffic has the DSCP value in the ESP header.

per-session-accounting {disable | enable | traffic-log-only}

Disable NP7 per-session accounting or enable it and control how it works.

Where:

enable enables per-session accounting for all traffic offloaded by the NP7 processor.

disable turns off per-session accounting.

traffic-log-only (the default) turns on NP7 per-session accounting for traffic accepted by firewall policies that have traffic logging enabled.

Enabling per-session accounting can affect NP7 offloading performance.

For more information, see Per-session accounting for offloaded NP7 sessions.

session-acct-interval <seconds>

Change the session accounting update interval. The default is to send an update every 5 seconds. The range is 1 to 10 seconds.

For more information, see Changing the per-session accounting interval.

max-session-timeout <seconds>

Change the maximum time interval for refreshing NPU-offloaded sessions. The default refresh time is 40 seconds. The range is 10 to 1000 seconds.

To free up NP7 memory you can reduce this session timeout so that inactive sessions are removed from the session table more often. However, if your NP7 is processing sessions with long lifetimes, you can increase the max-session-timeout to reduce how often the system checks for and removes inactive sessions,

mcast-session-accounting {tpe-based | session-based | disable}

Use this option to configure multicast session accounting.

Where:

tpe-based (the default) enables TPE-based multicast session accounting.

session-based enables session-based multicast session accounting.

disable disables multicast session accounting.

For more information, see Enabling multicast per-session accounting.

config port-npu-map

Use the following command to configure the NPU port map:

config system npu

config port-npu-map

edit <interface-name>

set npu-group-index {0 | 1 | 2}

end

You can use the port map to assign data interfaces to NP7 links.

Each NP7 has two 100-Gigabit KR links, numbered 0 and 1. Traffic passes to the NP7 over these links. By default the two links operate as a LAG that distributes sessions to the NP7 processor. You can configure the NPU port map to assign interfaces to use one or the other of the NP7 links instead of sending sessions over the LAG.

npu-group-index can be:

  • 0, assign the interface to NP#0, the default, the interface is connected to the LAG. Traffic from the interface is distributed to both links.
  • 1, assign the interface to NP#0-link0, to connect the interface to NP7 link 0. Traffic from the interface is set to link 0.
  • 2, assign the interface to NP#0-link1, to connect the interface to NP7 link 1. Traffic from the interface is set to link 1.

For example, use the following syntax to assign the FortiGate-1800F front panel 40Gigabit interfaces 37 and 38 to NPU link0 and interfaces 39 and 40 to NPU link 2. The resulting configuration splits traffic from the 40Gigabit interfaces between the two NP7 links:

config system npu

config port-npu-map

edit port37

set npu-group-index 1

next

edit port38

set npu-group-index 1

next

edit port39

set npu-group-index 2

next

edit port40

set npu-group-index 2

end

end

You can use the diagnose npu np7 port-list command to see the current NPU port map configuration and the diagnose npu np7 cgmac-stats <npu-id> command to show how traffic is distributed to the NP7 links.

config dos-options

Us the following command to configure some NP7 DoS protection settings:

config system npu

config dos-options

set npu-dos-meter-mode {global | local}

set npu-dos-tpe-mode {disable | enable}

end

For more information, see DoS policy hardware acceleration.

config hpe

The NP7 host protection engine (HPE) uses NP7 processors to protect the FortiGate CPU from excessive amounts of ingress traffic, which typically occurs during DDoS attacks or network problems (for example an ARP flood due to a network loop). You can use the HPE to prevent ingress traffic received on data interfaces connected to NP7 processors from overloading the FortiGate CPU.

You configure the HPE by enabling it and setting traffic thresholds. The HPE then acts like a traffic shaper, dropping packets that exceed the configured traffic thresholds.

The HPE does not affect offloaded traffic, just CPU traffic. The HPE is not as granular as DoS policies and should be used as a first level of protection.

DoS policies can be used as a second level of protection. For information about DoS policies, see DoS protection.

config system npu

config hpe

set tcpsyn-max <packets-per-second>

set tcp-max <packets-per-second>

set udp-max <packets-per-second>

set icmp-max <packets-per-second>

set sctp-max <packets-per-second>

set esp-max <packets-per-second>

set ip-frag-max <packets-per-second>

set ip-others-max <packets-per-second>

set arp-max <packets-per-second>

set l2-others-max <packets-per-second>

set pri-type-max <packets-per-second>

set enable-shaper {disable | enable}

end

Command Description Default
enable-shaper {disable | enable} Enable or disable HPE DDoS protection. disable
tcpsyn-max Limit the maximum number of TCP SYN packets received per second. The range is 1000 to 1000000000 pps. 125000
tcp-max Limit the maximum number of non-SYN TCP packets received per second. The range is 1000 to 1000000000 pps. 125000
udp-max Limit the maximum number of UDP packets received per second. The range is 10,000 to 4,000,000,000 pps. 125000
icmp-max Limit the maximum number of ICMP packets received. The range is 1000 to 1000000000 pps. 40000
sctp-max Limit the maximum number of SCTP packets received. The range is 1000 to 1000000000 pps. 40000
esp-max Limit the maximum number of ESP packets received. The range is 1000 to 1000000000 pps. 40000
ip-frag-max Limit the maximum number of fragmented IP packets received. The range is 1000 to 1000000000 pps. 40000
ip-others-max Limit the maximum number of other types of IP packets received. The range is 1000 to 1000000000 pps. 40000
arp-max Limit the maximum number of ARP packets received. The range is 1000 to 1000000000 pps. 40000
l2-others-max Limit the maximum number of other layer-2 packets received. The range is 1000 to 1000000000 pps. This option limits the following types of packets: HA heartbeat and session sync, LACP/802.3ad, FortiSwitch heartbeat, and wireless-controller CAPWAP. 40000

pri-type-max

Set the maximum overflow limit for high priority traffic. The range is 0 to 1000000000 pps.

This overflow is applied to the following types of traffic that are treated as high-priority by the NP7 processor:

  • HA heartbeat
  • LACP/802.3ad
  • OSPF
  • BGP
  • IKE
  • SLBC
  • BFD

This option adds an overflow for high priority traffic, causing the HPE to allow more of these high priority packets to be accepted by the NP7 processor. The overflow is added to the maximum number of packets allowed by HPE based on the other HPE settings. For example, the NP7 processor treats IKE traffic as high priority; so the HPE limits IKE traffic to udp-max + pri-type-max pps, which works out to 125000 + 40000 = 165000 pps.

In some cases, you may not want the overflow to apply to BGP, SLBC or BFD traffic. See config priority-protocol for details.

40000

config priority-protocol

Use the following command to adjust the priority of BGP, SLBC, and BFD packets received by NP7 processors to reduce the amount of this traffic allowed by the HPE.

config system npu

config priority-protocol

set bgp {disable | enable}

set slbc {disable | enable}

set bfd {disable | enable}

end

By default, all options are set to enable and BGP, SLBC, and BFD packets are treated by the NP7 as high priority traffic and the HPE adds the HPE pri-type-max overflow to the allowed packets per second for these traffic types. In some cases, the pri-type-max overflow can allow excessive amounts of BGP, SLBC, and BFD traffic that can cause problems such as route flapping and CPU spikes. If you encounter this problem, or for other reasons you can use the config priority-protocol command to set BGP, SLBC, or BFD traffic to low priority, bypassing the HPE pri-type-max overflow. For more information about the NP7 HPE, see config hpe.

Caution

Changing these traffic types to low priority can cause problems if your FortiGate is actively processing traffic. Fortinet recommends that you make changes with this command during a maintenance window and then monitor your system to make sure its working properly once it gets busy again.

If bgp is set to enable (the default), the HPE limits BGP syn packets to tcpsyn-max + pri-type-max pps and limits other BGP traffic to tcp-max + pri-type-max pps. If bgp is set to disable, the HPE limits BGP syn packets to tcpsyn-max pps and other BGP traffic to tcp-max pps. If your network is using the BGP protocol, you can keep this option enabled to allow for higher volumes of BGP traffic. If your network should not see any BGP traffic you can disable this option to limit BGP traffic to lower pps.

If slbc is set to enable (the default), the HPE limits SLBC traffic to udp-max + pri-type-max pps. If slbc is set to disable, theHPE limits SLBC traffic to udp-max pps. If your FortiGate is in a SLBC configuration, slbc should be enabled. Otherwise you can choose to disable it.

If bfd is set to enable (the default), the HPE limits BFD traffic to udp-max + pri-type-max pps. If bfd is set to disable, the HPE limits BFD traffic to udp-max pps.

config fp-anomaly

Use the following command to configure the NP7 traffic anomaly protection:

config system npu

config fp-anomaly

set tcp-syn-fin {allow | drop | trap-to-host}

set tcp-fin-noack {allow | drop | trap-to-host}

set tcp-fin-only {allow | drop | trap-to-host}

set tcp-no-flag {allow | drop | trap-to-host}

set tcp-syn-data {allow | drop | trap-to-host}

set tcp-winnuke {allow | drop | trap-to-host}

set tcp-land {allow | drop | trap-to-host}

set udp-land {allow | drop | trap-to-host}

set icmp-land {allow | drop | trap-to-host}

set icmp-frag {allow | drop | trap-to-host}

set ipv4-land {allow | drop | trap-to-host}

set ipv4-proto-err {allow | drop | trap-to-host}

set ipv4-unknopt {allow | drop | trap-to-host}

set ipv4-optrr {allow | drop | trap-to-host}

set ipv4-optssrr {allow | drop | trap-to-host}

set ipv4-optlsrr {allow | drop | trap-to-host}

set ipv4-optstream {allow | drop | trap-to-host}

set ipv4-optsecurity {allow | drop | trap-to-host}

set ipv4-opttimestamp {allow | drop | trap-to-host}

set ipv4-csum-err {drop | trap-to-host}

set tcp-csum-err {drop | trap-to-host}

set udp-csum-err {drop | trap-to-host}

set icmp-csum-err {drop | trap-to-host}

set ipv6-land {allow | drop | trap-to-host}

set ipv6-proto-err {allow | drop | trap-to-host}

set ipv6-unknopt {allow | drop | trap-to-host}

set ipv6-saddr-err {allow | drop | trap-to-host}

set ipv6-daddr-err {allow | drop | trap-to-host}

set ipv6-optralert {allow | drop | trap-to-host}

set ipv6-optjumbo {allow | drop | trap-to-host}

set ipv6-opttunnel {allow | drop | trap-to-host}

set ipv6-opthomeaddr {allow | drop | trap-to-host}

set ipv6-optnsap {allow | drop | trap-to-host}

set ipv6-optendpid {allow | drop | trap-to-host}

set ipv6-optinvld {allow | drop | trap-to-host}

end

In most cases you can configure the NP7 processor to allow or drop the packets associated with an attack or forward the packets that are associated with the attack to FortiOS (called trap-to-host). Selecting trap-to-host turns off NP7 anomaly protection for that anomaly.

If you select trap-to-host for an anomaly protection option, you can use a DoS policy to configure anomaly protection for that anomaly. If you set the policy-offload-level NPU setting to dos-offload, DoS policy anomaly protection is offloaded to the NP7.

Command Description Default
tcp-syn-fin {allow | drop | trap-to-host} Detects TCP SYN flood SYN/FIN flag set anomalies. allow
tcp-fin-noack {allow | drop | trap-to-host} Detects TCP SYN flood with FIN flag set without ACK setting anomalies. trap-to-host
tcp-fin-only {allow | drop | trap-to-host} Detects TCP SYN flood with only FIN flag set anomalies. trap-to-host
tcp-no-flag {allow | drop | trap-to-host} Detects TCP SYN flood with no flag set anomalies. allow
tcp-syn-data {allow | drop | trap-to-host} Detects TCP SYN flood packets with data anomalies. allow
tcp-winnuke {allow | drop | trap-to-host} Detects TCP WinNuke anomalies. trap-to-host
tcp-land {allow | drop | trap-to-host} Detects TCP land anomalies. trap-to-host
udp-land {allow | drop | trap-to-host} Detects UDP land anomalies. trap-to-host
icmp-land {allow | drop | trap-to-host} Detects ICMP land anomalies. trap-to-host
icmp-frag {allow | drop | trap-to-host} Detects Layer 3 fragmented packets that could be part of a layer 4 ICMP anomalies. allow
ipv4-land {allow | drop | trap-to-host} Detects IPv4 land anomalies. trap-to-host
ipv4-proto-err {allow | drop | trap-to-host} Detects invalid layer 4 protocol anomalies. For information about the error codes that are produced by setting this option to drop, see NP6 anomaly error codes. trap-to-host
ipv4-unknopt {allow | drop | trap-to-host} Detects unknown option anomalies. trap-to-host
ipv4-optrr {allow | drop | trap-to-host} Detects IPv4 with record route option anomalies. trap-to-host
ipv4-optssrr {allow | drop | trap-to-host} Detects IPv4 with strict source record route option anomalies. trap-to-host
ipv4-optlsrr {allow | drop | trap-to-host} Detects IPv4 with loose source record route option anomalies. trap-to-host
ipv4-optstream {allow | drop | trap-to-host} Detects stream option anomalies. trap-to-host
ipv4-optsecurity {allow | drop | trap-to-host} Detects security option anomalies. trap-to-host
ipv4-opttimestamp {allow | drop | trap-to-host} Detects timestamp option anomalies. trap-to-host
ipv4-csum-err {drop | trap-to-host} Detects IPv4 checksum errors. drop
tcp-csum-err {drop | trap-to-host} Detects TCP checksum errors. drop
udp-csum-err {drop | trap-to-host} Detects UDP checksum errors. drop
icmp-csum-err {drop | trap-to-host} Detects ICMP checksum errors. drop
ipv6-land {allow | drop | trap-to-host} Detects IPv6 land anomalies trap-to-host
ipv6-unknopt {allow | drop | trap-to-host} Detects unknown option anomalies. trap-to-host
ipv6-saddr-err {allow | drop | trap-to-host} Detects source address as multicast anomalies. trap-to-host
ipv6-daddr-err {allow | drop | trap-to-host} Detects destination address as unspecified or loopback address anomalies. trap-to-host
ipv6-optralert {allow | drop | trap-to-host} Detects router alert option anomalies. trap-to-host
ipv6-optjumbo {allow | drop | trap-to-host} Detects jumbo options anomalies. trap-to-host
ipv6-opttunnel {allow | drop | trap-to-host} Detects tunnel encapsulation limit option anomalies. trap-to-host
ipv6-opthomeaddr {allow | drop | trap-to-host} Detects home address option anomalies. trap-to-host
ipv6-optnsap {allow | drop | trap-to-host} Detects network service access point address option anomalies. trap-to-host
ipv6-optendpid {allow | drop | trap-to-host} Detects end point identification anomalies. trap-to-host
ipv6-optinvld {allow | drop | trap-to-host} Detects invalid option anomalies. trap-to-host

config ip-reassembly

Use the following command to enable IP reassembly, which configures the NP7 processor to reassemble fragmented IP packets:

config system npu

config ip-reassembly

set min_timeout <micro-seconds>

set max_timeout <micro-seconds>

set status {disable | enable}

end

For more information, see Reassembling and offloading fragmented packets.