Fortinet Document Library

Version:

Version:

Version:

Version:


Table of Contents

Hardware Acceleration

Download PDF
Copy Link

config hpe

The NP7 host protection engine (HPE) uses NP7 processors to protect the FortiGate CPU from excessive amounts of ingress traffic, which typically occurs during DDoS attacks or network problems (for example an ARP flood due to a network loop). You can use the HPE to prevent ingress traffic received on data interfaces connected to NP7 processors from overloading the FortiGate CPU.

You configure the HPE by enabling it and setting traffic thresholds. The HPE then acts like a traffic shaper, dropping packets that exceed the configured traffic thresholds.

The HPE does not affect offloaded traffic, just CPU traffic. The HPE is not as granular as DoS policies and should be used as a first level of protection.

DoS policies can be used as a second level of protection. For information about DoS policies, see DoS protection.

config system npu

config hpe

set tcpsyn-max <packets-per-second>

set tcpsyn-ack-max <packets-per-second>

set tcpfin-rst-max <packets-per-second>

set tcp-max <packets-per-second>

set udp-max <packets-per-second>

set icmp-max <packets-per-second>

set sctp-max <packets-per-second>

set esp-max <packets-per-second>

set ip-frag-max <packets-per-second>

set ip-others-max <packets-per-second>

set arp-max <packets-per-second>

set l2-others-max <packets-per-second>

set pri-type-max <packets-per-second>

set enable-shaper {disable | enable}

end

Command Description Default
enable-shaper {disable | enable} Enable or disable HPE DDoS protection. disable
tcpsyn-max Limit the maximum number of TCP SYN packets received per second. The range is 1000 to 1000000000 pps. 600000

tcpsyn-ack-max

Prevent SYN_ACK reflection attacks by limiting the number of TCP SYN_ACK packets received per second. The range is 1000 to 40000000 pps. TCP SYN_ACK reflection attacks consist of an attacker sends large amounts of SYN_ACK packets without first sending SYN packets. These attacks can cause high CPU usage because the firewall assumes that these SYN_ACK packets are the first packets in a session, so the packets are processed by the CPU instead of the NP7 processors.

600000

tcpfin-rst-max

Limit the maximum number of TCP FIN and RST packets received per second. The range is 1000 to 40000000 pps.

600000

tcp-max Limit the maximum number of TCP packets received per second that are not filtered by tcpsyn-max, tcpsyn-ack-max, or tcpfin-rst-max. The range is 1000 to 1000000000 pps. 600000
udp-max Limit the maximum number of UDP packets received per second. The range is 10,000 to 4,000,000,000 pps. 600000
icmp-max Limit the maximum number of ICMP packets received. The range is 1000 to 1000000000 pps. 40000
sctp-max Limit the maximum number of SCTP packets received. The range is 1000 to 1000000000 pps. 40000
esp-max Limit the maximum number of ESP packets received. The range is 1000 to 1000000000 pps. 40000
ip-frag-max Limit the maximum number of fragmented IP packets received. The range is 1000 to 1000000000 pps. 40000
ip-others-max Limit the maximum number of other types of IP packets received. The range is 1000 to 1000000000 pps. 40000
arp-max Limit the maximum number of ARP packets received. The range is 1000 to 1000000000 pps. 40000
l2-others-max Limit the maximum number of other layer-2 packets received (packet types that cannot be set with other HPE options). The range is 1000 to 1000000000 pps. This option limits the following types of packets: HA heartbeat and session sync, LACP/802.3ad, FortiSwitch heartbeat, and wireless-controller CAPWAP. 40000

pri-type-max

Set the maximum overflow limit for high priority traffic. The range is 0 to 1000000000 pps.

This overflow is applied to the following types of traffic that are treated as high-priority by the NP7 processor:

  • HA heartbeat
  • LACP/802.3ad
  • OSPF
  • BGP
  • IKE
  • SLBC
  • BFD

This option adds an overflow for high priority traffic, causing the HPE to allow more of these high priority packets to be accepted by the NP7 processor. The overflow is added to the maximum number of packets allowed by HPE based on the other HPE settings. For example, the NP7 processor treats IKE traffic as high priority; so the HPE limits IKE traffic to udp-max + pri-type-max pps, which works out to 125000 + 40000 = 165000 pps.

In some cases, you may not want the overflow to apply to BGP, SLBC or BFD traffic. See for details.

40000

config hpe

The NP7 host protection engine (HPE) uses NP7 processors to protect the FortiGate CPU from excessive amounts of ingress traffic, which typically occurs during DDoS attacks or network problems (for example an ARP flood due to a network loop). You can use the HPE to prevent ingress traffic received on data interfaces connected to NP7 processors from overloading the FortiGate CPU.

You configure the HPE by enabling it and setting traffic thresholds. The HPE then acts like a traffic shaper, dropping packets that exceed the configured traffic thresholds.

The HPE does not affect offloaded traffic, just CPU traffic. The HPE is not as granular as DoS policies and should be used as a first level of protection.

DoS policies can be used as a second level of protection. For information about DoS policies, see DoS protection.

config system npu

config hpe

set tcpsyn-max <packets-per-second>

set tcpsyn-ack-max <packets-per-second>

set tcpfin-rst-max <packets-per-second>

set tcp-max <packets-per-second>

set udp-max <packets-per-second>

set icmp-max <packets-per-second>

set sctp-max <packets-per-second>

set esp-max <packets-per-second>

set ip-frag-max <packets-per-second>

set ip-others-max <packets-per-second>

set arp-max <packets-per-second>

set l2-others-max <packets-per-second>

set pri-type-max <packets-per-second>

set enable-shaper {disable | enable}

end

Command Description Default
enable-shaper {disable | enable} Enable or disable HPE DDoS protection. disable
tcpsyn-max Limit the maximum number of TCP SYN packets received per second. The range is 1000 to 1000000000 pps. 600000

tcpsyn-ack-max

Prevent SYN_ACK reflection attacks by limiting the number of TCP SYN_ACK packets received per second. The range is 1000 to 40000000 pps. TCP SYN_ACK reflection attacks consist of an attacker sends large amounts of SYN_ACK packets without first sending SYN packets. These attacks can cause high CPU usage because the firewall assumes that these SYN_ACK packets are the first packets in a session, so the packets are processed by the CPU instead of the NP7 processors.

600000

tcpfin-rst-max

Limit the maximum number of TCP FIN and RST packets received per second. The range is 1000 to 40000000 pps.

600000

tcp-max Limit the maximum number of TCP packets received per second that are not filtered by tcpsyn-max, tcpsyn-ack-max, or tcpfin-rst-max. The range is 1000 to 1000000000 pps. 600000
udp-max Limit the maximum number of UDP packets received per second. The range is 10,000 to 4,000,000,000 pps. 600000
icmp-max Limit the maximum number of ICMP packets received. The range is 1000 to 1000000000 pps. 40000
sctp-max Limit the maximum number of SCTP packets received. The range is 1000 to 1000000000 pps. 40000
esp-max Limit the maximum number of ESP packets received. The range is 1000 to 1000000000 pps. 40000
ip-frag-max Limit the maximum number of fragmented IP packets received. The range is 1000 to 1000000000 pps. 40000
ip-others-max Limit the maximum number of other types of IP packets received. The range is 1000 to 1000000000 pps. 40000
arp-max Limit the maximum number of ARP packets received. The range is 1000 to 1000000000 pps. 40000
l2-others-max Limit the maximum number of other layer-2 packets received (packet types that cannot be set with other HPE options). The range is 1000 to 1000000000 pps. This option limits the following types of packets: HA heartbeat and session sync, LACP/802.3ad, FortiSwitch heartbeat, and wireless-controller CAPWAP. 40000

pri-type-max

Set the maximum overflow limit for high priority traffic. The range is 0 to 1000000000 pps.

This overflow is applied to the following types of traffic that are treated as high-priority by the NP7 processor:

  • HA heartbeat
  • LACP/802.3ad
  • OSPF
  • BGP
  • IKE
  • SLBC
  • BFD

This option adds an overflow for high priority traffic, causing the HPE to allow more of these high priority packets to be accepted by the NP7 processor. The overflow is added to the maximum number of packets allowed by HPE based on the other HPE settings. For example, the NP7 processor treats IKE traffic as high priority; so the HPE limits IKE traffic to udp-max + pri-type-max pps, which works out to 125000 + 40000 = 165000 pps.

In some cases, you may not want the overflow to apply to BGP, SLBC or BFD traffic. See for details.

40000