Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Hyperscale Firewall Release Notes

    Home FortiGate / FortiOS 6.2.9 Hyperscale Firewall Release Notes
    6.2.9
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.6
    6.2.9
    6.2.7
    6.2.6

    New config system npu options

    New config system npu options

    The following new options have been added to the config system npu command for NP7 platforms for FortiOS 6.2.9:

    config system npu

    set tcp-rst-timeout <timeout>

    set napi-break-interval <interval>

    set vlan-lookup-cache {disable | enable}

    set htab-msg-queue {data | idle | dedicated}

    set htab-dedi-queue-nr <number-of-queues>

    set double-level-mcast-offload {disable | enable}

    end

    tcp-rst-timeout the NP7 TCP reset (RST) timeout in seconds. The range is 0-16777215. The default timeout is 5 seconds. This timeout is optimal in most cases, especially when hyperscale firewall is enabled. A timeout of 0 means no time out.

    napi-break-interval set the new API ( NAPI) break interval. The range is 0 to 65535. The default interval is 0.

    vlan-lookup-cache enable or disable VLAN lookup (SPV/TPV) caching. Enable this option to optimize performance of NP7-offloaded traffic passing through VLAN interfaces. This option is disabled by default. Enabling or disabling vlan-lookup-cache requires a system restart. You should only change this setting during a maintenance window or quiet period.

    htab-msg-queue hash table message queue mode. You can use this option to alleviate performance bottlenecks that may occur when hash table messages use up all of the available hyperscale NP7 data queues.

    You can use the following commands to get the hash table message count and rate.

    diagnose npu np7 msg htab-stats {all| chip-id}

    diagnose npu np7 msg htab-rate {all| chip-id}

    You can use the following command to show MSWM information:

    diagnose npu np7 mswm

    You can use the following command to show Session Search Engine (SSE) drop counters:

    diagnose npu np7 dce-sse-drop 0 v

    You can use the following command to show command counters:

    diagnose npu np7 cmd

    The following htab-msg-queue options are available:

    • data (the default) use all available data queues.

    • idle if you notice the data queues are all in use, you can select this option to use idle queues for hash table messages.

    • dedicated use between 1 to 8 of the highest number data queues. Use the option htab-dedi-queue-nr to set the number of data queues to use.

    htab-dedi-queue-nr if you are using dedicated queues for hash table messages for hyperscale firewall sessions, you can set the number of queues to use. The range is 1 to 8 queues. The default is 4 queues.

    double-level-mcast-offload enable to support NP7 offloading for more than 256 destinations for multicast replication. By default this option is disabled and NP7 processors support up to 256 destinations for multicast replication. You can enable this option to effectively double the number.

    Message-related diagnose commands:

    diagnose npu np7 msg
summary          Show summary of message counters. [Take 0-1 arg(s)]
msg-by-mod       Show/clear message counters by source module. [Take 0-2 arg(s)]
msg-by-code      Show/clear message counters by message code. [Take 0-2 arg(s)]
msg-by-que       Show/clear message counters by RX queue. [Take 0-2 arg(s)]
msg-by-cpu       Show/clear message counters by CPU. [Take 0-2 arg(s)]
htab-stats       Show/clear hash table message counters. [Take 0-2 arg(s)]
htab-rate        Show/clear hash table message rate. [Take 0-2 arg(s)]
ipsec-stats      Show/clear IPSec message counters. [Take 0-2 arg(s)]
ipsec-rate       Show/clear IPSec message rate. [Take 0-2 arg(s)]
ipt-stats        Show/clear IP tunnel message counters. [Take 0-2 arg(s)]
ipt-rate         Show/clear IP tunnel message rate. [Take 0-2 arg(s)]
mse-stats        Show/clear MSE message counters. [Take 0-2 arg(s)]
mse-rate         Show/clear MSE message rate. [Take 0-2 arg(s)]
spath-stats      Show/clear hyperscale message counters. [Take 0-2 arg(s)]
spath-rate       Show/clear hyperscale message rate. [Take 0-2 arg(s)]
tpe-tce-stats    Show/clear TPC/TCE message counters. [Take 0-2 arg(s)]
tpe-tce-rate     Show/clear TPE/TCE message rate. [Take 0-2 arg(s)]

    MSWM diag commands.

    diagnose npu np7 mswm
mswm-all          Show/clear all MSWM counters. [Take 0-2 arg(s)]
module-to-mswm    Show/clear module-to-MSWM counters. [Take 0-2 arg(s)]
mswm-to-module    Show/clear MSWM-to-module counters. [Take 0-2 arg(s)]
mswh-all          Show/clear all MSWH counters. [Take 0-2 arg(s)]
module-to-mswh    Show/clear module-to-MSWH counters. [Take 0-2 arg(s)]
mswh-to-hrx       Show/clear MSWH-to-HRX counter. [Take 0-2 arg(s)]

    Diagnose command to show SSE drop counters:

    diagnose npu np7 dce-sse-drop 0 v

    Diagnose command to show command counters:

    diagnose npu np7 cmd
all             Show/clear all command counters. [Take 0-2 arg(s)]
sse             Show/clear SSE command counters. [Take 0-2 arg(s)]
mse             Show/clear MSE command counters. [Take 0-2 arg(s)]
dse             Show/clear DSE command counters. [Take 0-2 arg(s)]
lpm-rlt         Show/clear LPM/RLT command counters. [Take 0-2 arg(s)]
rate            Show/clear command rate. [Take 0-2 arg(s)]
measure-rate    Enable/disable command rate measurement. [Take 0-1 arg(s)]
    Previous
    Next

    New config system npu options

    New config system npu options

    The following new options have been added to the config system npu command for NP7 platforms for FortiOS 6.2.9:

    config system npu

    set tcp-rst-timeout <timeout>

    set napi-break-interval <interval>

    set vlan-lookup-cache {disable | enable}

    set htab-msg-queue {data | idle | dedicated}

    set htab-dedi-queue-nr <number-of-queues>

    set double-level-mcast-offload {disable | enable}

    end

    tcp-rst-timeout the NP7 TCP reset (RST) timeout in seconds. The range is 0-16777215. The default timeout is 5 seconds. This timeout is optimal in most cases, especially when hyperscale firewall is enabled. A timeout of 0 means no time out.

    napi-break-interval set the new API ( NAPI) break interval. The range is 0 to 65535. The default interval is 0.

    vlan-lookup-cache enable or disable VLAN lookup (SPV/TPV) caching. Enable this option to optimize performance of NP7-offloaded traffic passing through VLAN interfaces. This option is disabled by default. Enabling or disabling vlan-lookup-cache requires a system restart. You should only change this setting during a maintenance window or quiet period.

    htab-msg-queue hash table message queue mode. You can use this option to alleviate performance bottlenecks that may occur when hash table messages use up all of the available hyperscale NP7 data queues.

    You can use the following commands to get the hash table message count and rate.

    diagnose npu np7 msg htab-stats {all| chip-id}

    diagnose npu np7 msg htab-rate {all| chip-id}

    You can use the following command to show MSWM information:

    diagnose npu np7 mswm

    You can use the following command to show Session Search Engine (SSE) drop counters:

    diagnose npu np7 dce-sse-drop 0 v

    You can use the following command to show command counters:

    diagnose npu np7 cmd

    The following htab-msg-queue options are available:

    • data (the default) use all available data queues.

    • idle if you notice the data queues are all in use, you can select this option to use idle queues for hash table messages.

    • dedicated use between 1 to 8 of the highest number data queues. Use the option htab-dedi-queue-nr to set the number of data queues to use.

    htab-dedi-queue-nr if you are using dedicated queues for hash table messages for hyperscale firewall sessions, you can set the number of queues to use. The range is 1 to 8 queues. The default is 4 queues.

    double-level-mcast-offload enable to support NP7 offloading for more than 256 destinations for multicast replication. By default this option is disabled and NP7 processors support up to 256 destinations for multicast replication. You can enable this option to effectively double the number.

    Message-related diagnose commands:

    diagnose npu np7 msg
summary          Show summary of message counters. [Take 0-1 arg(s)]
msg-by-mod       Show/clear message counters by source module. [Take 0-2 arg(s)]
msg-by-code      Show/clear message counters by message code. [Take 0-2 arg(s)]
msg-by-que       Show/clear message counters by RX queue. [Take 0-2 arg(s)]
msg-by-cpu       Show/clear message counters by CPU. [Take 0-2 arg(s)]
htab-stats       Show/clear hash table message counters. [Take 0-2 arg(s)]
htab-rate        Show/clear hash table message rate. [Take 0-2 arg(s)]
ipsec-stats      Show/clear IPSec message counters. [Take 0-2 arg(s)]
ipsec-rate       Show/clear IPSec message rate. [Take 0-2 arg(s)]
ipt-stats        Show/clear IP tunnel message counters. [Take 0-2 arg(s)]
ipt-rate         Show/clear IP tunnel message rate. [Take 0-2 arg(s)]
mse-stats        Show/clear MSE message counters. [Take 0-2 arg(s)]
mse-rate         Show/clear MSE message rate. [Take 0-2 arg(s)]
spath-stats      Show/clear hyperscale message counters. [Take 0-2 arg(s)]
spath-rate       Show/clear hyperscale message rate. [Take 0-2 arg(s)]
tpe-tce-stats    Show/clear TPC/TCE message counters. [Take 0-2 arg(s)]
tpe-tce-rate     Show/clear TPE/TCE message rate. [Take 0-2 arg(s)]

    MSWM diag commands.

    diagnose npu np7 mswm
mswm-all          Show/clear all MSWM counters. [Take 0-2 arg(s)]
module-to-mswm    Show/clear module-to-MSWM counters. [Take 0-2 arg(s)]
mswm-to-module    Show/clear MSWM-to-module counters. [Take 0-2 arg(s)]
mswh-all          Show/clear all MSWH counters. [Take 0-2 arg(s)]
module-to-mswh    Show/clear module-to-MSWH counters. [Take 0-2 arg(s)]
mswh-to-hrx       Show/clear MSWH-to-HRX counter. [Take 0-2 arg(s)]

    Diagnose command to show SSE drop counters:

    diagnose npu np7 dce-sse-drop 0 v

    Diagnose command to show command counters:

    diagnose npu np7 cmd
all             Show/clear all command counters. [Take 0-2 arg(s)]
sse             Show/clear SSE command counters. [Take 0-2 arg(s)]
mse             Show/clear MSE command counters. [Take 0-2 arg(s)]
dse             Show/clear DSE command counters. [Take 0-2 arg(s)]
lpm-rlt         Show/clear LPM/RLT command counters. [Take 0-2 arg(s)]
rate            Show/clear command rate. [Take 0-2 arg(s)]
measure-rate    Enable/disable command rate measurement. [Take 0-1 arg(s)]
    Previous
    Next