NP6 HPE host protection engine
The NP6 host protection engine (HPE) uses NP6 processors to protect the FortiGate CPU from excessive amounts of ingress traffic, which typically occurs during DDoS attacks or network problems (for example an ARP flood due to a network loop). You can use the HPE to prevent ingress traffic received on data interfaces connected to NP6 processors from overloading the FortiGate CPU.
You configure the HPE by enabling it and setting traffic thresholds. The HPE then acts like a traffic shaper, dropping packets that exceed the configured traffic thresholds. You can enable HPE monitoring to record log messages when the HPE drops packets. You can also run the HPE with monitoring enabled but without dropping packets. Using these tools you can monitor HPE activity and set HPE threshold values that are low enough to protect the CPU and high enough to not impact legitimate traffic.
The HPE does not affect offloaded traffic; it acts only on traffic that is sent to the CPU. The HPE is not as granular as DoS policies and should be used as a first level of protection.
DoS policies can be used as a second level of protection. For information about DoS policies, see DoS protection. DoS policy sessions are not offloaded by NP6 processors.
You can use the following command to configure the HPE.
config system {np6 | np6xlite | np6lite}
    edit <np6-processor-name>
        config hpe
            set enable-shaper {disable | enable}
            set tcpsyn-max <packets-per-second>
            set tcpsyn-ack-max <packets-per-second>
            set tcpfin-rst-max <packets-per-second>
            set tcp-max <packets-per-second>
            set udp-max <packets-per-second>
            set icmp-max <packets-per-second>
            set sctp-max <packets-per-second>
            set esp-max <packets-per-second>
            set ip-frag-max <packets-per-second>
            set ip-others-max <packets-per-second>
            set arp-max <packets-per-second>
            set l2-others-max <packets-per-second>
            set pri-type-max <packets-per-second>
        end
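The following is an added illustration of the behaviour described above, not Fortinet's code and not taken from the original page: a small Python model that sorts ingress packets into the HPE traffic classes named by the CLI keys (tcpsyn-max, tcpsyn-ack-max, tcpfin-rst-max, tcp-max, udp-max, icmp-max, arp-max, and so on), counts packets per class per second, and either drops or only logs the packets that exceed the configured packets-per-second threshold, mirroring enable-shaper and the monitor-only mode. The classification order (SYN-ACK before SYN before FIN/RST before generic TCP), the one-second counting window and the sample burst are assumptions made for the example; offloaded packets bypass the model because the text states the HPE only acts on CPU traffic.

```python
"""Toy model of NP6 HPE per-class packet-rate thresholds (illustration only)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional

# TCP flag bits used by the classifier
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Packet:
    ts: float                      # arrival time in seconds
    l2: str = "ip"                 # "ip", "arp" or any other L2 payload type
    proto: Optional[str] = None    # "tcp", "udp", "icmp", "sctp", "esp", ...
    tcp_flags: int = 0
    fragment: bool = False
    offloaded: bool = False        # session already offloaded to the NP6: never reaches the CPU


def classify(pkt: Packet) -> str:
    """Map a packet to the HPE threshold key it is counted against.

    Assumption for this model: more specific TCP classes are tested first.
    """
    if pkt.l2 == "arp":
        return "arp-max"
    if pkt.l2 != "ip":
        return "l2-others-max"
    if pkt.fragment:
        return "ip-frag-max"
    if pkt.proto == "tcp":
        if pkt.tcp_flags & SYN and pkt.tcp_flags & ACK:
            return "tcpsyn-ack-max"
        if pkt.tcp_flags & SYN:
            return "tcpsyn-max"
        if pkt.tcp_flags & (FIN | RST):
            return "tcpfin-rst-max"
        return "tcp-max"
    if pkt.proto in ("udp", "icmp", "sctp", "esp"):
        return f"{pkt.proto}-max"
    return "ip-others-max"


class HostProtectionEngine:
    """Per-class packets-per-second limiter with a drop mode and a monitor-only mode."""

    def __init__(self, thresholds: Dict[str, int], enable_shaper: bool = True):
        self.thresholds = thresholds          # class key -> packets per second
        self.enable_shaper = enable_shaper    # False = log exceedances but forward everything
        self.counts = defaultdict(int)        # (class, whole second) -> packets seen
        self.dropped = defaultdict(int)       # class -> packets dropped
        self.log = []                         # one entry per packet over threshold

    def ingress(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded to the CPU, False if dropped."""
        if pkt.offloaded:
            return True                       # HPE does not touch offloaded traffic
        cls = classify(pkt)
        bucket = (cls, int(pkt.ts))
        self.counts[bucket] += 1
        limit = self.thresholds.get(cls)
        if limit is None or self.counts[bucket] <= limit:
            return True
        # Over the per-second threshold for this class
        action = "drop" if self.enable_shaper else "monitor"
        self.log.append({"class": cls, "second": bucket[1], "action": action})
        if self.enable_shaper:
            self.dropped[cls] += 1
            return False
        return True


def simulate(enable_shaper: bool) -> dict:
    """Run a constructed one-second burst through the model and summarise the outcome."""
    hpe = HostProtectionEngine({"tcpsyn-max": 100, "arp-max": 50, "udp-max": 1000}, enable_shaper)
    burst = []
    # Constructed sample traffic, all arriving within second 10:
    burst += [Packet(ts=10.0 + i / 1000, proto="tcp", tcp_flags=SYN) for i in range(150)]  # SYN burst at 150 pps
    burst += [Packet(ts=10.0 + i / 1000, l2="arp") for i in range(20)]                    # ARP, under threshold
    burst += [Packet(ts=10.0 + i / 1000, proto="udp") for i in range(5)]                  # UDP, under threshold
    burst += [Packet(ts=10.0 + i / 1000, proto="tcp", offloaded=True) for i in range(30)] # offloaded, ignored
    passed = sum(1 for p in burst if hpe.ingress(p))
    return {"total": len(burst), "passed": passed,
            "dropped": dict(hpe.dropped), "logged": len(hpe.log)}


if __name__ == "__main__":
    print("shaper enabled :", simulate(True))
    print("monitor only   :", simulate(False))
```

With the shaper enabled the 50 SYN packets above the 100 pps threshold are dropped and logged; in monitor-only mode the same 50 exceedances are logged but every packet is still forwarded, which is the mode to use while tuning thresholds against real traffic.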
You can use HPE monitoring to verify how many packets the HPE is actually dropping. See Monitoring NP6 HPE activity. You can also use the diagnose npu np6 monitor-hpe command to monitor HPE activity without dropping packets. See Monitor HPE activity without dropping packets.
The HPE also includes an overflow option for high-priority traffic, see NP6 HPE and high priority traffic.
For more information about the NP6 HPE, see this Fortinet KB article: Technical Note: Host Protection Engine (HPE) feature overview.