HPE enhancements
The NP7 host protection engine (HPE) configuration has been enhanced with the addition of two new options:
config system npu
    config hpe
        set tcpsyn-ack-max 6000
        set tcpfin-rst-max 3000
    end
end
tcpsyn-ack-max <packets-per-second>
Prevent SYN-ACK reflection attacks by limiting the number of TCP SYN-ACK packets received per second. The range is 1000 to 40000000 pps and the default is 600000 pps. TCP SYN-ACK reflection attacks occur when an attacker sends large numbers of SYN-ACK packets without first sending SYN packets. These attacks can cause high CPU usage because the FortiOS firewall assumes that each of these SYN-ACK packets is the first packet of a new session, so the packets are processed by the CPU instead of being offloaded to the NP7 processors.
tcpfin-rst-max <packets-per-second>
Limit the maximum number of TCP FIN and RST packets received per second. The range is 1000 to 40000000 pps and the default is 600000 pps.
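As an added illustration (not Fortinet's code and not the NP7's actual implementation), a small Python model of the two thresholds: a per-second counter for each packet class, plus a session check that flags SYN-ACKs for which no SYN was sent, which is the traffic the text describes landing on the CPU. The packet structure, class names and sample addresses are constructed assumptions; the 6000 and 3000 thresholds are the values from the configuration above.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    t: float      # arrival time in seconds (constructed sample data)
    src: str
    dst: str
    flags: str    # "S" SYN, "SA" SYN-ACK, "F" FIN, "R" RST, "A" ACK

class HpeModel:
    """Per-second counters for the two thresholds (hypothetical model)."""
    def __init__(self, tcpsyn_ack_max=600000, tcpfin_rst_max=600000):
        self.limits = {"SA": tcpsyn_ack_max, "FR": tcpfin_rst_max}
        self.counts = defaultdict(int)    # (class, whole second) -> packets
        self.dropped = defaultdict(int)   # class -> packets over the limit
        self.sessions = set()             # (src, dst) pairs that sent a SYN
        self.orphan_syn_ack = 0           # SYN-ACKs with no matching SYN

    def process(self, pkt):
        if pkt.flags == "S":
            self.sessions.add((pkt.src, pkt.dst))
            return "accept"
        cls = "SA" if pkt.flags == "SA" else "FR" if pkt.flags in ("F", "R") else None
        if cls is None:
            return "accept"
        if cls == "SA" and (pkt.dst, pkt.src) not in self.sessions:
            # No SYN went out to this peer, so the firewall would treat the
            # SYN-ACK as a new session and hand it to the CPU instead of NP7.
            self.orphan_syn_ack += 1
        key = (cls, int(pkt.t))
        self.counts[key] += 1
        if self.counts[key] > self.limits[cls]:
            self.dropped[cls] += 1
            return "drop"
        return "accept"

def simulate(syn_ack_flood=6500, fin_rst_flood=3500):
    """Replay constructed traffic against the page's example thresholds."""
    hpe = HpeModel(tcpsyn_ack_max=6000, tcpfin_rst_max=3000)
    pkts = [Packet(0.0, "10.0.0.5", "203.0.113.9", "S"),    # legitimate SYN
            Packet(0.1, "203.0.113.9", "10.0.0.5", "SA")]   # its SYN-ACK
    pkts += [Packet(1.5, "198.51.100.%d" % (i % 200), "10.0.0.5", "SA")
             for i in range(syn_ack_flood)]                 # reflection flood
    pkts += [Packet(1.7, "198.51.100.1", "10.0.0.5", "R" if i % 2 else "F")
             for i in range(fin_rst_flood)]                 # FIN/RST flood
    verdicts = [hpe.process(p) for p in pkts]
    return {"accepted": verdicts.count("accept"), "orphan_syn_ack": hpe.orphan_syn_ack,
            "dropped_syn_ack": hpe.dropped["SA"], "dropped_fin_rst": hpe.dropped["FR"]}
```

Note that the per-second cap is blind to which peer a packet came from: once the threshold is crossed, legitimate SYN-ACKs arriving in the same second are dropped too, which is why the thresholds should be set well above the expected legitimate rate.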