DoS policy hardware acceleration
DoS policy hardware acceleration offloads processing required for IPv4 and IPv6 DoS policies, interface policies, and access control list (ACL) policies to NP7 processors.
Use the following command to configure DoS policy offloading:
config system npu
set policy-offload-level {dos-offload | full-offload}
config dos-options
set npu-dos-meter-mode {global | local}
set npu-dos-tpe-mode {disable | enable}
end
policy-offload-level
can be set to dos-offload
or full-offload
to support DoS policy hardware acceleration. full-offload
is only available if your FortiGate is licensed for hyperscale firewall.
npu-dos-meter-mode
select global
(the default) to configure DoS metering across all NP7 processors. Select local
to configure metering per NP7 processor.
DoS metering controls how the threshold for each configured anomaly is distributed among NP7 processors. For example, for a FortiGate with four NP7 processors and the tcp_syn_flood
anomaly threshold set to 400. If npu-dos-meter-mode
is set to global
, the threshold of 400 is divided between the NP7 processors and the tcp_syn_flood
threshold would be set to 100 for each NP7 (for a total threshold of 400 for the FortiGate). If npu-dos-meter-mode
is set to local
, then each NP7 would have a threshold of 400 (for a total threshold of 1600 for a FortiGate with four NP7 processors).
npu-dos-tpe-mode
select enable
(the default) to insert the dos meter ID into the session table. Select disable
if you don't want to insert the DoS meter into the session table. If set to enable, UDP_FLOOD and ICMP_FLOOD DoS protection applies to offloaded sessions. If set to disable, UDP_FLOOD and ICMP_FLOOD DoS protection will not apply to offloaded sessions.
NP7 DoS offloading does not offload processing for all DoS policy anomalies. The following table shows that some anomaly sessions are offloaded to NP7 processors and some are handled by the CPU. In addition, when full-offload
is enabled, more types of anomaly processing are handled by NP7 processors than when dos-offload
is selected.
NP7 processors offload DoS sessions differently depending on the policy offload level:
DoS policy anomaly | dos-offload selected | full-offload selected |
---|---|---|
tcp_syn_flood | NP7 | NP7 |
tcp_port_scan | NP7 | NP7 |
tcp_src_session | NP7 | NP7 |
tcp_dst_session | NP7 | NP7 |
udp_flood | NP7 | NP7 |
udp_scan | CPU | NP7 |
udp_src_session | CPU | NP7 |
udp_dst_session | CPU | NP7 |
icmp_flood | NP7 | NP7 |
icmp_sweep | CPU | CPU |
icmp_src_session | CPU | CPU |
icmp_dst_session | CPU | CPU |
ip_src_session | TCP sessions are offloaded to NP7 processors. Other sessions are handled by the CPU. | TCP and UDP sessions are offloaded to NP7 processors. Other sessions are handled by the CPU. |
ip_dst_session | TCP sessions are offloaded to NP7 processors. Other sessions are handled by the CPU. | TCP and UDP sessions are offloaded to NP7 processors. Other sessions are handled by the CPU. |
sctp_flood | CPU, because the NP7 processor can only send sctp-init packets to MSE | CPU |
sctp_scan | CPU | CPU |
sctp_src_session | CPU | CPU |
sctp_dst_session | CPU | CPU |