
HPE enhancements

The NP7 host protection engine (HPE) configuration has been enhanced with the addition of two new options:

config system npu
    config hpe
        set tcpsyn-ack-max 6000
        set tcpfin-rst-max 3000
    end
end

tcpsyn-ack-max <packets-per-second> prevents SYN_ACK reflection attacks by limiting the number of TCP SYN_ACK packets received per second. The range is 1000 to 40000000 pps, and the default is 600000. A TCP SYN_ACK reflection attack occurs when an attacker causes large numbers of SYN_ACK packets to arrive at the FortiGate without any preceding SYN packets, for example by sending SYNs with the FortiGate's spoofed source address to many third-party servers, whose replies then all land on the FortiGate. These attacks can cause high CPU usage because FortiOS treats each unsolicited SYN_ACK as the first packet of a new session, so the packets are processed by the CPU instead of being offloaded to the NP7 processors. Note that the value in the example above (6000 pps) is far below the default; packets above the limit are dropped, so set it above the legitimate peak rate of SYN_ACK replies to the FortiGate's own outbound connections.

tcpfin-rst-max <packets-per-second> limits the maximum number of TCP FIN and RST packets received per second. The range is 1000 to 40000000 pps, and the default is 600000.
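The following is an added example, not FortiOS code or anything from this page: a small Python model of what the two HPE counters measure (per-second rates of SYN_ACK and of FIN/RST packets, compared against a packets-per-second limit), extended with a check the HPE itself does not make: whether each SYN_ACK actually answers a SYN that was sent out, which is the signature that distinguishes reflection backscatter from legitimate handshake replies. The packet records, addresses and the scaled-down limits (20 pps instead of the real minimum of 1000) are constructed for the demonstration.

```python
"""Per-second SYN-ACK and FIN/RST rate checks, modelled on the NP7 HPE
tcpsyn-ack-max / tcpfin-rst-max counters, plus an orphan-SYN-ACK check.
Added example; packets and thresholds below are constructed, not captured."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float    # arrival time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flag letters, e.g. "S", "SA", "A", "F", "R", "RA"


def analyze(packets, syn_ack_max, fin_rst_max):
    """Return (per_second_counts, seconds_over_syn_ack, seconds_over_fin_rst).

    per_second_counts maps each whole second to {"syn_ack", "orphan_syn_ack",
    "fin_rst"} counts.  syn_ack_max / fin_rst_max are packets per second, the
    same unit as the HPE options.  An "orphan" SYN-ACK is one whose reversed
    4-tuple never appeared as an outbound SYN, i.e. reflection backscatter."""
    seen_syn = set()   # 4-tuples (src, sport, dst, dport) of SYNs observed
    per_sec = defaultdict(lambda: {"syn_ack": 0, "orphan_syn_ack": 0, "fin_rst": 0})
    for p in sorted(packets, key=lambda q: q.ts):
        sec = int(p.ts)
        f = set(p.flags)
        if f == {"S"}:
            seen_syn.add((p.src, p.sport, p.dst, p.dport))
        elif {"S", "A"} <= f:
            per_sec[sec]["syn_ack"] += 1
            # A legitimate SYN-ACK reverses the 4-tuple of an earlier SYN.
            if (p.dst, p.dport, p.src, p.sport) not in seen_syn:
                per_sec[sec]["orphan_syn_ack"] += 1
        elif "F" in f or "R" in f:
            per_sec[sec]["fin_rst"] += 1
    over_syn_ack = sorted(s for s, c in per_sec.items() if c["syn_ack"] > syn_ack_max)
    over_fin_rst = sorted(s for s, c in per_sec.items() if c["fin_rst"] > fin_rst_max)
    return dict(per_sec), over_syn_ack, over_fin_rst


def sample_packets():
    """Constructed traffic: one real handshake, then a reflection burst,
    then an RST burst.  Addresses are documentation ranges."""
    pkts = []
    # Second 0: a legitimate outbound SYN and its SYN-ACK reply.
    pkts.append(Pkt(0.10, "10.0.0.5", 40000, "203.0.113.10", 443, "S"))
    pkts.append(Pkt(0.12, "203.0.113.10", 443, "10.0.0.5", 40000, "SA"))
    # Second 1: 50 SYN-ACKs from servers we never sent a SYN to (reflection).
    for i in range(50):
        pkts.append(Pkt(1.0 + i / 100, f"198.51.100.{i % 250 + 1}", 80,
                        "192.0.2.1", 50000 + i, "SA"))
    # Second 2: 25 RSTs, e.g. backscatter from a spoofed-source flood elsewhere.
    for i in range(25):
        pkts.append(Pkt(2.0 + i / 100, f"198.51.100.{i + 1}", 443,
                        "192.0.2.1", 60000 + i, "RA"))
    return pkts


if __name__ == "__main__":
    counts, over_sa, over_fr = analyze(sample_packets(), syn_ack_max=20, fin_rst_max=20)
    for sec in sorted(counts):
        print(sec, counts[sec])
    print("SYN-ACK limit exceeded in seconds:", over_sa)   # [1]
    print("FIN/RST limit exceeded in seconds:", over_fr)   # [2]
```

The HPE only sees the aggregate rate, so in this model second 1 trips the SYN_ACK limit regardless of whether the packets were solicited; the orphan count is what tells you the excess is reflection rather than a legitimate burst of new outbound connections, and is the number to compare against your normal peak before lowering tcpsyn-ack-max below its default.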
