The HPE and changing BGP, SLBC, and BFD priority
Use the following command to adjust the priority of BGP, SLBC, and BFD packets received by NP6 processors to reduce the amount of this traffic allowed by the NP6 host protection engine (HPE).
config system npu
    config priority-protocol
        set bgp {disable | enable}
        set slbc {disable | enable}
        set bfd {disable | enable}
    end
end
By default, all options are set to enable, so the NP6 treats BGP, SLBC, and BFD packets as high priority traffic and the HPE adds the HPE pri-type-max overflow to the allowed packets per second for these traffic types. In some cases, the pri-type-max overflow can allow excessive amounts of BGP, SLBC, and BFD traffic that can cause problems such as route flapping and CPU spikes. If you encounter this problem, or for other reasons, you can use the config priority-protocol command to set BGP, SLBC, or BFD traffic to low priority, bypassing the HPE pri-type-max overflow. For more information about the NP6 HPE, see config hpe.
Changing these traffic types to low priority can cause problems if your FortiGate is actively processing traffic. Fortinet recommends that you make changes with this command during a maintenance window and then monitor your system to make sure it is working properly once it gets busy again.
If bgp is set to enable (the default), the HPE limits BGP SYN packets to tcpsyn-max + pri-type-max pps and limits other BGP traffic to tcp-max + pri-type-max pps. If bgp is set to disable, the HPE limits BGP SYN packets to tcpsyn-max pps and other BGP traffic to tcp-max pps. If your network is using the BGP protocol, you can keep this option enabled to allow for higher volumes of BGP traffic. If your network should not see any BGP traffic, you can disable this option to limit BGP traffic to lower pps.
If slbc is set to enable (the default), the HPE limits SLBC traffic to udp-max + pri-type-max pps. If slbc is set to disable, the HPE limits SLBC traffic to udp-max pps. If your FortiGate is in a SLBC configuration, slbc should be enabled. Otherwise you can choose to disable it.
If bfd is set to enable (the default), the HPE limits BFD traffic to udp-max + pri-type-max pps. If bfd is set to disable, the HPE limits BFD traffic to udp-max pps.
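The following audit script is an added example, not Fortinet code: it reads a configuration backup and reports the effective HPE ceiling for each traffic type using the rules above. It assumes config hpe appears as a sub-block of config system npu in the backup; the function names and the numeric values in the sample are constructed for illustration.

```python
# Added example: effective HPE pps ceilings for BGP, SLBC and BFD traffic.
# Traffic class -> (priority-protocol option, HPE base limit), per the text above.
BASE_LIMIT = {
    "bgp-syn": ("bgp", "tcpsyn-max"),
    "bgp-other": ("bgp", "tcp-max"),
    "slbc": ("slbc", "udp-max"),
    "bfd": ("bfd", "udp-max"),
}

def parse_npu(config_text):
    """Collect 'set' lines from sub-blocks of 'config system npu'."""
    blocks, stack = {}, []
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "config":
            stack.append(" ".join(parts[1:]))
        elif parts[0] == "end" and stack:
            stack.pop()
        elif (parts[0] == "set" and len(parts) >= 3
              and len(stack) == 2 and stack[0] == "system npu"):
            blocks.setdefault(stack[1], {})[parts[1]] = parts[2]
    return blocks

def effective_limits(config_text):
    """Return {traffic class: pps ceiling}; raises KeyError if an HPE value is absent."""
    blocks = parse_npu(config_text)
    hpe = {k: int(v) for k, v in blocks.get("hpe", {}).items() if v.isdigit()}
    prio = blocks.get("priority-protocol", {})
    limits = {}
    for traffic, (option, base) in BASE_LIMIT.items():
        # An option missing from the backup keeps its default, enable (high priority).
        high = prio.get(option, "enable") == "enable"
        limits[traffic] = hpe[base] + (hpe["pri-type-max"] if high else 0)
    return limits

# Constructed sample backup; the numbers are illustrative, not defaults.
SAMPLE = """\
config system npu
    config hpe
        set tcpsyn-max 5000
        set tcp-max 8000
        set udp-max 6000
        set pri-type-max 2000
    end
    config priority-protocol
        set bgp disable
    end
end
"""

if __name__ == "__main__":
    for traffic, pps in effective_limits(SAMPLE).items():
        print(f"{traffic}: {pps} pps")
```

With bgp disabled in the sample, the BGP ceilings drop to the base limits while SLBC and BFD, left at their default, still receive the pri-type-max overflow.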