Fortinet black logo

Hyperscale Firewall Release Notes

Home FortiGate / FortiOS 6.2.9 Hyperscale Firewall Release Notes
6.2.9
7.2.4
7.2.3
7.2.2
7.2.1
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.6
6.2.9
6.2.7
6.2.6

New config system npu options

New config system npu options

The following new options have been added to the config system npu command for NP7 platforms for FortiOS 6.2.9:

config system npu

set tcp-rst-timeout <timeout>

set napi-break-interval <interval>

set vlan-lookup-cache {disable | enable}

set htab-msg-queue {data | idle | dedicated}

set htab-dedi-queue-nr <number-of-queues>

set double-level-mcast-offload {disable | enable}

end

tcp-rst-timeout the NP7 TCP reset (RST) timeout in seconds. The range is 0-16777215. The default timeout is 5 seconds. This timeout is optimal in most cases, especially when hyperscale firewall is enabled. A timeout of 0 means no time out.

napi-break-interval set the new API ( NAPI) break interval. The range is 0 to 65535. The default interval is 0.

vlan-lookup-cache enable or disable VLAN lookup (SPV/TPV) caching. Enable this option to optimize performance of NP7-offloaded traffic passing through VLAN interfaces. This option is disabled by default. Enabling or disabling vlan-lookup-cache requires a system restart. You should only change this setting during a maintenance window or quiet period.

htab-msg-queue hash table message queue mode. You can use this option to alleviate performance bottlenecks that may occur when hash table messages use up all of the available hyperscale NP7 data queues.

You can use the following commands to get the hash table message count and rate.

diagnose npu np7 msg htab-stats {all| chip-id}

diagnose npu np7 msg htab-rate {all| chip-id}

You can use the following command to show MSWM information:

diagnose npu np7 mswm

You can use the following command to show Session Search Engine (SSE) drop counters:

diagnose npu np7 dce-sse-drop 0 v

You can use the following command to show command counters:

diagnose npu np7 cmd

The following htab-msg-queue options are available:

  • data (the default) use all available data queues.

  • idle if you notice the data queues are all in use, you can select this option to use idle queues for hash table messages.

  • dedicated use between 1 to 8 of the highest number data queues. Use the option htab-dedi-queue-nr to set the number of data queues to use.

htab-dedi-queue-nr if you are using dedicated queues for hash table messages for hyperscale firewall sessions, you can set the number of queues to use. The range is 1 to 8 queues. The default is 4 queues.

double-level-mcast-offload enable to support NP7 offloading for more than 256 destinations for multicast replication. By default this option is disabled and NP7 processors support up to 256 destinations for multicast replication. You can enable this option to effectively double the number.

Message-related diagnose commands:

diagnose npu np7 msg
summary          Show summary of message counters. [Take 0-1 arg(s)]
msg-by-mod       Show/clear message counters by source module. [Take 0-2 arg(s)]
msg-by-code      Show/clear message counters by message code. [Take 0-2 arg(s)]
msg-by-que       Show/clear message counters by RX queue. [Take 0-2 arg(s)]
msg-by-cpu       Show/clear message counters by CPU. [Take 0-2 arg(s)]
htab-stats       Show/clear hash table message counters. [Take 0-2 arg(s)]
htab-rate        Show/clear hash table message rate. [Take 0-2 arg(s)]
ipsec-stats      Show/clear IPSec message counters. [Take 0-2 arg(s)]
ipsec-rate       Show/clear IPSec message rate. [Take 0-2 arg(s)]
ipt-stats        Show/clear IP tunnel message counters. [Take 0-2 arg(s)]
ipt-rate         Show/clear IP tunnel message rate. [Take 0-2 arg(s)]
mse-stats        Show/clear MSE message counters. [Take 0-2 arg(s)]
mse-rate         Show/clear MSE message rate. [Take 0-2 arg(s)]
spath-stats      Show/clear hyperscale message counters. [Take 0-2 arg(s)]
spath-rate       Show/clear hyperscale message rate. [Take 0-2 arg(s)]
tpe-tce-stats    Show/clear TPC/TCE message counters. [Take 0-2 arg(s)]
tpe-tce-rate     Show/clear TPE/TCE message rate. [Take 0-2 arg(s)]

MSWM diag commands.

diagnose npu np7 mswm
mswm-all          Show/clear all MSWM counters. [Take 0-2 arg(s)]
module-to-mswm    Show/clear module-to-MSWM counters. [Take 0-2 arg(s)]
mswm-to-module    Show/clear MSWM-to-module counters. [Take 0-2 arg(s)]
mswh-all          Show/clear all MSWH counters. [Take 0-2 arg(s)]
module-to-mswh    Show/clear module-to-MSWH counters. [Take 0-2 arg(s)]
mswh-to-hrx       Show/clear MSWH-to-HRX counter. [Take 0-2 arg(s)]

Diagnose command to show SSE drop counters:

diagnose npu np7 dce-sse-drop 0 v

Diagnose command to show command counters:

diagnose npu np7 cmd
all             Show/clear all command counters. [Take 0-2 arg(s)]
sse             Show/clear SSE command counters. [Take 0-2 arg(s)]
mse             Show/clear MSE command counters. [Take 0-2 arg(s)]
dse             Show/clear DSE command counters. [Take 0-2 arg(s)]
lpm-rlt         Show/clear LPM/RLT command counters. [Take 0-2 arg(s)]
rate            Show/clear command rate. [Take 0-2 arg(s)]
measure-rate    Enable/disable command rate measurement. [Take 0-1 arg(s)]
Previous
Next

New config system npu options

The following new options have been added to the config system npu command for NP7 platforms for FortiOS 6.2.9:

config system npu

set tcp-rst-timeout <timeout>

set napi-break-interval <interval>

set vlan-lookup-cache {disable | enable}

set htab-msg-queue {data | idle | dedicated}

set htab-dedi-queue-nr <number-of-queues>

set double-level-mcast-offload {disable | enable}

end

tcp-rst-timeout the NP7 TCP reset (RST) timeout in seconds. The range is 0-16777215. The default timeout is 5 seconds. This timeout is optimal in most cases, especially when hyperscale firewall is enabled. A timeout of 0 means no time out.

napi-break-interval set the new API ( NAPI) break interval. The range is 0 to 65535. The default interval is 0.

vlan-lookup-cache enable or disable VLAN lookup (SPV/TPV) caching. Enable this option to optimize performance of NP7-offloaded traffic passing through VLAN interfaces. This option is disabled by default. Enabling or disabling vlan-lookup-cache requires a system restart. You should only change this setting during a maintenance window or quiet period.

htab-msg-queue hash table message queue mode. You can use this option to alleviate performance bottlenecks that may occur when hash table messages use up all of the available hyperscale NP7 data queues.

You can use the following commands to get the hash table message count and rate.

diagnose npu np7 msg htab-stats {all| chip-id}

diagnose npu np7 msg htab-rate {all| chip-id}

You can use the following command to show MSWM information:

diagnose npu np7 mswm

You can use the following command to show Session Search Engine (SSE) drop counters:

diagnose npu np7 dce-sse-drop 0 v

You can use the following command to show command counters:

diagnose npu np7 cmd

The following htab-msg-queue options are available:

  • data (the default) use all available data queues.

  • idle if you notice the data queues are all in use, you can select this option to use idle queues for hash table messages.

  • dedicated use between 1 to 8 of the highest number data queues. Use the option htab-dedi-queue-nr to set the number of data queues to use.

htab-dedi-queue-nr if you are using dedicated queues for hash table messages for hyperscale firewall sessions, you can set the number of queues to use. The range is 1 to 8 queues. The default is 4 queues.

double-level-mcast-offload enable to support NP7 offloading for more than 256 destinations for multicast replication. By default this option is disabled and NP7 processors support up to 256 destinations for multicast replication. You can enable this option to effectively double the number.

Message-related diagnose commands:

diagnose npu np7 msg
summary          Show summary of message counters. [Take 0-1 arg(s)]
msg-by-mod       Show/clear message counters by source module. [Take 0-2 arg(s)]
msg-by-code      Show/clear message counters by message code. [Take 0-2 arg(s)]
msg-by-que       Show/clear message counters by RX queue. [Take 0-2 arg(s)]
msg-by-cpu       Show/clear message counters by CPU. [Take 0-2 arg(s)]
htab-stats       Show/clear hash table message counters. [Take 0-2 arg(s)]
htab-rate        Show/clear hash table message rate. [Take 0-2 arg(s)]
ipsec-stats      Show/clear IPSec message counters. [Take 0-2 arg(s)]
ipsec-rate       Show/clear IPSec message rate. [Take 0-2 arg(s)]
ipt-stats        Show/clear IP tunnel message counters. [Take 0-2 arg(s)]
ipt-rate         Show/clear IP tunnel message rate. [Take 0-2 arg(s)]
mse-stats        Show/clear MSE message counters. [Take 0-2 arg(s)]
mse-rate         Show/clear MSE message rate. [Take 0-2 arg(s)]
spath-stats      Show/clear hyperscale message counters. [Take 0-2 arg(s)]
spath-rate       Show/clear hyperscale message rate. [Take 0-2 arg(s)]
tpe-tce-stats    Show/clear TPC/TCE message counters. [Take 0-2 arg(s)]
tpe-tce-rate     Show/clear TPE/TCE message rate. [Take 0-2 arg(s)]

MSWM diag commands.

diagnose npu np7 mswm
mswm-all          Show/clear all MSWM counters. [Take 0-2 arg(s)]
module-to-mswm    Show/clear module-to-MSWM counters. [Take 0-2 arg(s)]
mswm-to-module    Show/clear MSWM-to-module counters. [Take 0-2 arg(s)]
mswh-all          Show/clear all MSWH counters. [Take 0-2 arg(s)]
module-to-mswh    Show/clear module-to-MSWH counters. [Take 0-2 arg(s)]
mswh-to-hrx       Show/clear MSWH-to-HRX counter. [Take 0-2 arg(s)]

Diagnose command to show SSE drop counters:

diagnose npu np7 dce-sse-drop 0 v

Diagnose command to show command counters:

diagnose npu np7 cmd
all             Show/clear all command counters. [Take 0-2 arg(s)]
sse             Show/clear SSE command counters. [Take 0-2 arg(s)]
mse             Show/clear MSE command counters. [Take 0-2 arg(s)]
dse             Show/clear DSE command counters. [Take 0-2 arg(s)]
lpm-rlt         Show/clear LPM/RLT command counters. [Take 0-2 arg(s)]
rate            Show/clear command rate. [Take 0-2 arg(s)]
measure-rate    Enable/disable command rate measurement. [Take 0-1 arg(s)]
Previous
Next