
Hyperscale Firewall Guide

Setting the hyperscale firewall VDOM default policy action



You can use the following system settings option for each hyperscale firewall VDOM to set the hyperscale firewall default policy action for that VDOM. The hyperscale policy default action determines what NP7 processors do with TCP and UDP packets that are not accepted by any hyperscale firewall policies.

config system settings
    set hyperscale-default-policy-action {drop-on-hardware | forward-to-host}
end

drop-on-hardware (the default): NP7 processors drop TCP and UDP packets that don't match a hyperscale firewall policy. In most cases you should keep this default, because the CPU then does not have to process TCP and UDP packets that don't match hyperscale firewall policies, which reduces the number of packets sent to the CPU. With this option enabled, all other packet types (for example, ICMP packets) that don't match a hyperscale firewall policy are still sent to the CPU. Packets accepted by session helpers are also sent to the CPU.

forward-to-host: NP7 processors forward packets that don't match a hyperscale firewall policy to the CPU. The CPU then matches the packet against the policy list; a packet that matches nothing is eventually subject to the implicit deny policy and dropped by the CPU. This setting can affect performance because the CPU has to handle these packets.
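The same option applied inside a specific hyperscale firewall VDOM, followed by a check that the value took effect. This is an added example, not part of the guide: the VDOM name hs-vdom1 is made up, and the config vdom / edit wrapper and the get system settings command are standard FortiOS CLI assumed here rather than shown on this page.

```text
# Keep the default (drop unmatched TCP/UDP on the NP7) for the hyperscale VDOM hs-vdom1.
# hs-vdom1 is a constructed VDOM name; substitute your own.
config vdom
    edit hs-vdom1
        config system settings
            set hyperscale-default-policy-action drop-on-hardware
        end
    next
end

# Only if you deliberately want unmatched TCP/UDP packets sent to the CPU
# (accepting the performance cost described above):
config vdom
    edit hs-vdom1
        config system settings
            set hyperscale-default-policy-action forward-to-host
        end
    next
end

# Verify the active value in the VDOM context (assumed standard FortiOS command):
config vdom
    edit hs-vdom1
        get system settings | grep hyperscale-default-policy-action
    next
end
```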
