Configuring NP7 processors
You can use the config system npu command to configure a wide range of settings for each of the NP7 processors in your FortiGate, including adjusting session accounting and session timeouts. You can also set anomaly checking for IPv4 and IPv6 traffic.
You can also enable and adjust Host Protection Engine (HPE) settings to protect networks from DoS attacks by categorizing incoming packets based on packet rate and processing cost and applying packet shaping to packets that can cause DoS attacks.
The settings that you configure for an NP7 processor with the config system npu command apply to traffic processed by all interfaces connected to that NP7 processor. This includes the physical interfaces connected to the NP7 processor as well as all VLAN interfaces, IPsec interfaces, LAGs, and so on associated with the physical interfaces connected to the NP7 processor.
config system npu
    set dedicated-management-cpu {disable | enable}
    set ipsec-ob-np-sel {RR | packet | hash}
    set fastpath {disable | enable}
    set capwap-offload {disable | enable}
    set default-qos-type {policing | shaping}
    set inbound-dscp-copy {disable | enable}
    set per-session-accounting {disable | enable | traffic-log-only}
    set session-acct-interval <seconds>
    set max-session-timeout <seconds>
    set mcast-session-accounting {tpe-based | session-based | disable}
    config port-npu-map
        edit <interface-name>
            set npu-group-index {0 | 1 | 2}
        next
    end
    config dos-options
        set npu-dos-meter-mode {global | local}
        set npu-dos-tpe-mode {disable | enable}
    end
    config hpe
        set tcpsyn-max <packets-per-second>
        set tcp-max <packets-per-second>
        set udp-max <packets-per-second>
        set icmp-max <packets-per-second>
        set sctp-max <packets-per-second>
        set esp-max <packets-per-second>
        set ip-frag-max <packets-per-second>
        set ip-others-max <packets-per-second>
        set arp-max <packets-per-second>
        set l2-others-max <packets-per-second>
        set pri-type-max <packets-per-second>
        set enable-shaper {disable | enable}
    end
    config priority-protocol
        set bgp {disable | enable}
        set slbc {disable | enable}
        set bfd {disable | enable}
    end
    config fp-anomaly
        set tcp-syn-fin {allow | drop | trap-to-host}
        set tcp-fin-noack {allow | drop | trap-to-host}
        set tcp-fin-only {allow | drop | trap-to-host}
        set tcp-no-flag {allow | drop | trap-to-host}
        set tcp-syn-data {allow | drop | trap-to-host}
        set tcp-winnuke {allow | drop | trap-to-host}
        set tcp-land {allow | drop | trap-to-host}
        set udp-land {allow | drop | trap-to-host}
        set icmp-land {allow | drop | trap-to-host}
        set icmp-frag {allow | drop | trap-to-host}
        set ipv4-land {allow | drop | trap-to-host}
        set ipv4-proto-err {allow | drop | trap-to-host}
        set ipv4-unknopt {allow | drop | trap-to-host}
        set ipv4-optrr {allow | drop | trap-to-host}
        set ipv4-optssrr {allow | drop | trap-to-host}
        set ipv4-optlsrr {allow | drop | trap-to-host}
        set ipv4-optstream {allow | drop | trap-to-host}
        set ipv4-optsecurity {allow | drop | trap-to-host}
        set ipv4-opttimestamp {allow | drop | trap-to-host}
        set ipv4-csum-err {drop | trap-to-host}
        set tcp-csum-err {drop | trap-to-host}
        set udp-csum-err {drop | trap-to-host}
        set icmp-csum-err {drop | trap-to-host}
        set ipv6-land {allow | drop | trap-to-host}
        set ipv6-proto-err {allow | drop | trap-to-host}
        set ipv6-unknopt {allow | drop | trap-to-host}
        set ipv6-saddr-err {allow | drop | trap-to-host}
        set ipv6-daddr-err {allow | drop | trap-to-host}
        set ipv6-optralert {allow | drop | trap-to-host}
        set ipv6-optjumbo {allow | drop | trap-to-host}
        set ipv6-opttunnel {allow | drop | trap-to-host}
        set ipv6-opthomeaddr {allow | drop | trap-to-host}
        set ipv6-optnsap {allow | drop | trap-to-host}
        set ipv6-optendpid {allow | drop | trap-to-host}
        set ipv6-optinvld {allow | drop | trap-to-host}
    end
    config ip-reassembly
        set min_timeout <micro-seconds>
        set max_timeout <micro-seconds>
        set status {disable | enable}
    end
end
dedicated-management-cpu {disable | enable}
Enable dedicating CPU 0 for management tasks. See Dedicated management CPU. Disabled by default.
ipsec-ob-np-sel {RR | packet | hash}
For future use.
fastpath {disable | enable}
Use the following command to enable or disable offloading to NP7 processors:
config system npu
    set fastpath {disable | enable}
end
Set fastpath to enable (the default) to offload sessions to NP7 processors. Set it to disable if you do not want traffic offloaded to NP7 processors.
capwap-offload {disable | enable}
Enable/disable offloading managed FortiAP and FortiLink CAPWAP sessions to the NP7 processor. Enabled by default.
default-qos-type {policing | shaping}
Set the QoS type used by the NP7 for traffic shaping. The FortiGate restarts after changing this setting. See NP7 traffic shaping.
inbound-dscp-copy {disable | enable}
Disabled by default. Enable this option to copy the DSCP value from the ESP header to the inner IP header of incoming packets. This feature can be used in situations where the network expects a DSCP value in the inner IP header but the traffic carries the DSCP value in the ESP header.
per-session-accounting {disable | enable | traffic-log-only}
Disable NP7 per-session accounting or enable it and control how it works. Where:
enable: enables per-session accounting for all traffic offloaded by the NP7 processor.
disable: turns off per-session accounting.
traffic-log-only (the default): turns on NP7 per-session accounting for traffic accepted by firewall policies that have traffic logging enabled.
Enabling per-session accounting can affect NP7 offloading performance.
For more information, see Per-session accounting for offloaded NP7 sessions.
session-acct-interval <seconds>
Change the session accounting update interval. The default is to send an update every 5 seconds. The range is 1 to 10 seconds.
For more information, see Changing the per-session accounting interval.
max-session-timeout <seconds>
Change the maximum time interval for refreshing NPU-offloaded sessions. The default refresh time is 40 seconds. The range is 10 to 1000 seconds.
To free up NP7 memory you can reduce this session timeout so that inactive sessions are removed from the session table more often. However, if your NP7 is processing sessions with long lifetimes, you can increase the max-session-timeout to reduce how often the system checks for and removes inactive sessions.
mcast-session-accounting {tpe-based | session-based | disable}
Use this option to configure multicast session accounting. Where:
tpe-based (the default): enables TPE-based multicast session accounting.
session-based: enables session-based multicast session accounting.
disable: disables multicast session accounting.
For more information, see Enabling multicast per-session accounting.
config port-npu-map
Use the following command to configure the NPU port map:
config system npu
    config port-npu-map
        edit <interface-name>
            set npu-group-index {0 | 1 | 2}
        next
    end
end
You can use the port map to assign data interfaces to NP7 links.
Each NP7 has two 100-Gigabit KR links, numbered 0 and 1. Traffic passes to the NP7 over these links. By default the two links operate as a LAG that distributes sessions to the NP7 processor. You can configure the NPU port map to assign interfaces to use one or the other of the NP7 links instead of sending sessions over the LAG.
npu-group-index can be:
0 (the default): assign the interface to NP#0. The interface is connected to the LAG, and traffic from the interface is distributed to both links.
1: assign the interface to NP#0-link0, connecting the interface to NP7 link 0. Traffic from the interface is sent to link 0.
2: assign the interface to NP#0-link1, connecting the interface to NP7 link 1. Traffic from the interface is sent to link 1.
For example, use the following syntax to assign the FortiGate-1800F front panel 40-Gigabit interfaces 37 and 38 to NP7 link 0 (npu-group-index 1) and interfaces 39 and 40 to NP7 link 1 (npu-group-index 2). The resulting configuration splits traffic from the 40-Gigabit interfaces between the two NP7 links:
config system npu
    config port-npu-map
        edit port37
            set npu-group-index 1
        next
        edit port38
            set npu-group-index 1
        next
        edit port39
            set npu-group-index 2
        next
        edit port40
            set npu-group-index 2
        end
end
You can use the diagnose npu np7 port-list command to see the current NPU port map configuration, and the diagnose npu np7 cgmac-stats <npu-id> command to show how traffic is distributed to the NP7 links.
config dos-options
Use the following command to configure some NP7 DoS protection settings:
config system npu
    config dos-options
        set npu-dos-meter-mode {global | local}
        set npu-dos-tpe-mode {disable | enable}
    end
end
For more information, see DoS policy hardware acceleration.
config hpe
The NP7 host protection engine (HPE) uses NP7 processors to protect the FortiGate CPU from excessive amounts of ingress traffic, which typically occurs during DDoS attacks or network problems (for example an ARP flood due to a network loop). You can use the HPE to prevent ingress traffic received on data interfaces connected to NP7 processors from overloading the FortiGate CPU.
You configure the HPE by enabling it and setting traffic thresholds. The HPE then acts like a traffic shaper, dropping packets that exceed the configured traffic thresholds.
The HPE does not affect offloaded traffic, just CPU traffic. The HPE is not as granular as DoS policies and should be used as a first level of protection.
DoS policies can be used as a second level of protection. For information about DoS policies, see DoS protection.
config system npu
    config hpe
        set tcpsyn-max <packets-per-second>
        set tcp-max <packets-per-second>
        set udp-max <packets-per-second>
        set icmp-max <packets-per-second>
        set sctp-max <packets-per-second>
        set esp-max <packets-per-second>
        set ip-frag-max <packets-per-second>
        set ip-others-max <packets-per-second>
        set arp-max <packets-per-second>
        set l2-others-max <packets-per-second>
        set pri-type-max <packets-per-second>
        set enable-shaper {disable | enable}
    end
end
Command | Description | Default
---|---|---
enable-shaper {disable \| enable} | Enable or disable HPE DDoS protection. | disable
tcpsyn-max | Limit the maximum number of TCP SYN packets received per second. The range is 1000 to 1000000000 pps. | 125000
tcp-max | Limit the maximum number of non-SYN TCP packets received per second. The range is 1000 to 1000000000 pps. | 125000
udp-max | Limit the maximum number of UDP packets received per second. The range is 10,000 to 4,000,000,000 pps. | 125000
icmp-max | Limit the maximum number of ICMP packets received per second. The range is 1000 to 1000000000 pps. | 40000
sctp-max | Limit the maximum number of SCTP packets received per second. The range is 1000 to 1000000000 pps. | 40000
esp-max | Limit the maximum number of ESP packets received per second. The range is 1000 to 1000000000 pps. | 40000
ip-frag-max | Limit the maximum number of fragmented IP packets received per second. The range is 1000 to 1000000000 pps. | 40000
ip-others-max | Limit the maximum number of other types of IP packets received per second. The range is 1000 to 1000000000 pps. | 40000
arp-max | Limit the maximum number of ARP packets received per second. The range is 1000 to 1000000000 pps. | 40000
l2-others-max | Limit the maximum number of other layer-2 packets received per second. The range is 1000 to 1000000000 pps. This option limits the following types of packets: HA heartbeat and session sync, LACP/802.3ad, FortiSwitch heartbeat, and wireless-controller CAPWAP. | 40000
pri-type-max | Set the maximum overflow limit for high priority traffic. The range is 0 to 1000000000 pps. This overflow is applied to traffic types that the NP7 processor treats as high priority. The option adds an overflow for high priority traffic, causing the HPE to allow more of these high priority packets to be accepted by the NP7 processor. The overflow is added to the maximum number of packets allowed by the HPE based on the other HPE settings. For example, the NP7 processor treats IKE traffic as high priority, so the HPE limits IKE traffic to In some cases, you may not want the overflow to apply to BGP, SLBC or BFD traffic. See config priority-protocol for details. | 40000
config priority-protocol
Use the following command to adjust the priority of BGP, SLBC, and BFD packets received by NP7 processors to reduce the amount of this traffic allowed by the HPE.
config system npu
    config priority-protocol
        set bgp {disable | enable}
        set slbc {disable | enable}
        set bfd {disable | enable}
    end
end
By default, all options are set to enable: BGP, SLBC, and BFD packets are treated by the NP7 as high priority traffic, and the HPE adds the pri-type-max overflow to the allowed packets per second for these traffic types. In some cases, the pri-type-max overflow can allow excessive amounts of BGP, SLBC, and BFD traffic, which can cause problems such as route flapping and CPU spikes. If you encounter this problem, or for other reasons, you can use the config priority-protocol command to set BGP, SLBC, or BFD traffic to low priority, bypassing the HPE pri-type-max overflow. For more information about the NP7 HPE, see config hpe.
Changing these traffic types to low priority can cause problems if your FortiGate is actively processing traffic. Fortinet recommends that you make changes with this command during a maintenance window and then monitor your system to make sure it is working properly once it gets busy again.
If bgp is set to enable (the default), the HPE limits BGP SYN packets to tcpsyn-max + pri-type-max pps and limits other BGP traffic to tcp-max + pri-type-max pps. If bgp is set to disable, the HPE limits BGP SYN packets to tcpsyn-max pps and other BGP traffic to tcp-max pps. If your network is using the BGP protocol, you can keep this option enabled to allow for higher volumes of BGP traffic. If your network should not see any BGP traffic, you can disable this option to limit BGP traffic to a lower pps.
If slbc is set to enable (the default), the HPE limits SLBC traffic to udp-max + pri-type-max pps. If slbc is set to disable, the HPE limits SLBC traffic to udp-max pps. If your FortiGate is in an SLBC configuration, slbc should be enabled. Otherwise you can choose to disable it.
If bfd is set to enable (the default), the HPE limits BFD traffic to udp-max + pri-type-max pps. If bfd is set to disable, the HPE limits BFD traffic to udp-max pps.
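The following added Python example (not Fortinet code) works out the effective per-protocol HPE limits described in the config hpe table and the config priority-protocol paragraphs above from a CLI snippet. The block names, defaults and value ranges are taken from this page; the sample configuration values are constructed.

```python
"""Effective NP7 HPE limits from a FortiOS CLI snippet (added example, not Fortinet code).
Parses `config hpe` and `config priority-protocol` as shown on this page, checks values
against the HPE table ranges, and adds the pri-type-max overflow where it applies."""
# Ranges and defaults (pps) from the HPE table on this page.
HPE_RANGES = {k: (1_000, 1_000_000_000) for k in (
    "tcpsyn-max", "tcp-max", "icmp-max", "sctp-max", "esp-max",
    "ip-frag-max", "ip-others-max", "arp-max", "l2-others-max")}
HPE_RANGES["udp-max"] = (10_000, 4_000_000_000)
HPE_RANGES["pri-type-max"] = (0, 1_000_000_000)
HPE_DEFAULTS = {k: 125_000 if k in ("tcpsyn-max", "tcp-max", "udp-max") else 40_000
                for k in HPE_RANGES}
# (priority-protocol option, base HPE counter) per traffic class, from the text above.
PRIORITY_BASE = {"bgp-syn": ("bgp", "tcpsyn-max"), "bgp-other": ("bgp", "tcp-max"),
                 "slbc": ("slbc", "udp-max"), "bfd": ("bfd", "udp-max")}

def parse_config_blocks(cli_text):
    """Flat {block: {key: value}} map of each `config <name>` ... `end` block (nesting not tracked)."""
    blocks, current = {}, None
    for raw in cli_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            current = line.split(None, 1)[1]
            blocks.setdefault(current, {})
        elif line == "end":
            current = None
        elif current is not None and line.startswith("set "):
            _, key, value = line.split(None, 2)
            blocks[current][key] = value
    return blocks

def effective_hpe_limits(cli_text):
    """Effective pps limits for BGP, SLBC and BFD; ValueError if a value is out of range."""
    blocks = parse_config_blocks(cli_text)
    hpe = dict(HPE_DEFAULTS)
    for key, value in blocks.get("hpe", {}).items():
        if key in HPE_RANGES:
            lo, hi = HPE_RANGES[key]
            if not lo <= int(value) <= hi:
                raise ValueError(f"{key} {value} outside range {lo}-{hi} pps")
            hpe[key] = int(value)
    prio = {"bgp": "enable", "slbc": "enable", "bfd": "enable"}  # all enabled by default
    prio.update(blocks.get("priority-protocol", {}))
    overflow = hpe["pri-type-max"]
    # High-priority protocols get base + pri-type-max; disabled ones get only the base limit.
    return {name: hpe[base] + (overflow if prio[proto] == "enable" else 0)
            for name, (proto, base) in PRIORITY_BASE.items()}

# Constructed sample; not a real FortiGate configuration.
SAMPLE_CLI = """config system npu
    config hpe
        set tcpsyn-max 200000
        set udp-max 300000
        set pri-type-max 50000
    end
    config priority-protocol
        set slbc disable
    end
end"""
```

With the sample, BGP SYN traffic is allowed 250000 pps and BFD 350000 pps, while SLBC, set to disable, is held to the plain udp-max of 300000 pps.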
config fp-anomaly
Use the following command to configure the NP7 traffic anomaly protection:
config system npu
    config fp-anomaly
        set tcp-syn-fin {allow | drop | trap-to-host}
        set tcp-fin-noack {allow | drop | trap-to-host}
        set tcp-fin-only {allow | drop | trap-to-host}
        set tcp-no-flag {allow | drop | trap-to-host}
        set tcp-syn-data {allow | drop | trap-to-host}
        set tcp-winnuke {allow | drop | trap-to-host}
        set tcp-land {allow | drop | trap-to-host}
        set udp-land {allow | drop | trap-to-host}
        set icmp-land {allow | drop | trap-to-host}
        set icmp-frag {allow | drop | trap-to-host}
        set ipv4-land {allow | drop | trap-to-host}
        set ipv4-proto-err {allow | drop | trap-to-host}
        set ipv4-unknopt {allow | drop | trap-to-host}
        set ipv4-optrr {allow | drop | trap-to-host}
        set ipv4-optssrr {allow | drop | trap-to-host}
        set ipv4-optlsrr {allow | drop | trap-to-host}
        set ipv4-optstream {allow | drop | trap-to-host}
        set ipv4-optsecurity {allow | drop | trap-to-host}
        set ipv4-opttimestamp {allow | drop | trap-to-host}
        set ipv4-csum-err {drop | trap-to-host}
        set tcp-csum-err {drop | trap-to-host}
        set udp-csum-err {drop | trap-to-host}
        set icmp-csum-err {drop | trap-to-host}
        set ipv6-land {allow | drop | trap-to-host}
        set ipv6-proto-err {allow | drop | trap-to-host}
        set ipv6-unknopt {allow | drop | trap-to-host}
        set ipv6-saddr-err {allow | drop | trap-to-host}
        set ipv6-daddr-err {allow | drop | trap-to-host}
        set ipv6-optralert {allow | drop | trap-to-host}
        set ipv6-optjumbo {allow | drop | trap-to-host}
        set ipv6-opttunnel {allow | drop | trap-to-host}
        set ipv6-opthomeaddr {allow | drop | trap-to-host}
        set ipv6-optnsap {allow | drop | trap-to-host}
        set ipv6-optendpid {allow | drop | trap-to-host}
        set ipv6-optinvld {allow | drop | trap-to-host}
    end
end
In most cases you can configure the NP7 processor to allow or drop the packets associated with an attack, or to forward the packets associated with the attack to FortiOS (called trap-to-host). Selecting trap-to-host turns off NP7 anomaly protection for that anomaly.
If you select trap-to-host for an anomaly protection option, you can use a DoS policy to configure anomaly protection for that anomaly. If you set the policy-offload-level NPU setting to dos-offload, DoS policy anomaly protection is offloaded to the NP7.
Command | Description | Default
---|---|---
tcp-syn-fin {allow \| drop \| trap-to-host} | Detects TCP SYN flood SYN/FIN flag set anomalies. | allow
tcp-fin-noack {allow \| drop \| trap-to-host} | Detects TCP SYN flood with FIN flag set without ACK setting anomalies. | trap-to-host
tcp-fin-only {allow \| drop \| trap-to-host} | Detects TCP SYN flood with only FIN flag set anomalies. | trap-to-host
tcp-no-flag {allow \| drop \| trap-to-host} | Detects TCP SYN flood with no flag set anomalies. | allow
tcp-syn-data {allow \| drop \| trap-to-host} | Detects TCP SYN flood packets with data anomalies. | allow
tcp-winnuke {allow \| drop \| trap-to-host} | Detects TCP WinNuke anomalies. | trap-to-host
tcp-land {allow \| drop \| trap-to-host} | Detects TCP land anomalies. | trap-to-host
udp-land {allow \| drop \| trap-to-host} | Detects UDP land anomalies. | trap-to-host
icmp-land {allow \| drop \| trap-to-host} | Detects ICMP land anomalies. | trap-to-host
icmp-frag {allow \| drop \| trap-to-host} | Detects layer 3 fragmented packets that could be part of layer 4 ICMP anomalies. | allow
ipv4-land {allow \| drop \| trap-to-host} | Detects IPv4 land anomalies. | trap-to-host
ipv4-proto-err {allow \| drop \| trap-to-host} | Detects invalid layer 4 protocol anomalies. For information about the error codes that are produced by setting this option to drop, see NP6 anomaly error codes. | trap-to-host
ipv4-unknopt {allow \| drop \| trap-to-host} | Detects unknown option anomalies. | trap-to-host
ipv4-optrr {allow \| drop \| trap-to-host} | Detects IPv4 with record route option anomalies. | trap-to-host
ipv4-optssrr {allow \| drop \| trap-to-host} | Detects IPv4 with strict source record route option anomalies. | trap-to-host
ipv4-optlsrr {allow \| drop \| trap-to-host} | Detects IPv4 with loose source record route option anomalies. | trap-to-host
ipv4-optstream {allow \| drop \| trap-to-host} | Detects stream option anomalies. | trap-to-host
ipv4-optsecurity {allow \| drop \| trap-to-host} | Detects security option anomalies. | trap-to-host
ipv4-opttimestamp {allow \| drop \| trap-to-host} | Detects timestamp option anomalies. | trap-to-host
ipv4-csum-err {drop \| trap-to-host} | Detects IPv4 checksum errors. | drop
tcp-csum-err {drop \| trap-to-host} | Detects TCP checksum errors. | drop
udp-csum-err {drop \| trap-to-host} | Detects UDP checksum errors. | drop
icmp-csum-err {drop \| trap-to-host} | Detects ICMP checksum errors. | drop
ipv6-land {allow \| drop \| trap-to-host} | Detects IPv6 land anomalies. | trap-to-host
ipv6-unknopt {allow \| drop \| trap-to-host} | Detects unknown option anomalies. | trap-to-host
ipv6-saddr-err {allow \| drop \| trap-to-host} | Detects source address as multicast anomalies. | trap-to-host
ipv6-daddr-err {allow \| drop \| trap-to-host} | Detects destination address as unspecified or loopback address anomalies. | trap-to-host
ipv6-optralert {allow \| drop \| trap-to-host} | Detects router alert option anomalies. | trap-to-host
ipv6-optjumbo {allow \| drop \| trap-to-host} | Detects jumbo options anomalies. | trap-to-host
ipv6-opttunnel {allow \| drop \| trap-to-host} | Detects tunnel encapsulation limit option anomalies. | trap-to-host
ipv6-opthomeaddr {allow \| drop \| trap-to-host} | Detects home address option anomalies. | trap-to-host
ipv6-optnsap {allow \| drop \| trap-to-host} | Detects network service access point address option anomalies. | trap-to-host
ipv6-optendpid {allow \| drop \| trap-to-host} | Detects end point identification anomalies. | trap-to-host
ipv6-optinvld {allow \| drop \| trap-to-host} | Detects invalid option anomalies. | trap-to-host
config ip-reassembly
Use the following command to enable IP reassembly, which configures the NP7 processor to reassemble fragmented IP packets:
config system npu
    config ip-reassembly
        set min_timeout <micro-seconds>
        set max_timeout <micro-seconds>
        set status {disable | enable}
    end
end
For more information, see Reassembling and offloading fragmented packets.