Fortinet black logo

Hardware Acceleration

NP7 Host Protection Engine (HPE)

NP7 Host Protection Engine (HPE)

The NP7 host protection engine (HPE) uses NP7 processors to protect the FortiGate CPU from excessive amounts of ingress traffic, which typically occurs during DDoS attacks or network problems (for example an ARP flood due to a network loop). You can use the HPE to prevent ingress traffic received on data interfaces connected to NP7 processors from overloading the FortiGate CPU.

You configure the HPE by enabling it and setting traffic thresholds. The HPE then acts like a traffic shaper, dropping packets that exceed the configured traffic thresholds. You can enable HPE monitoring to record log messages when the HPE drops packets. You can also run the HPE with monitoring enabled but without dropping packets. Using these tools you can monitor HPE activity and set HPE threshold values that are low enough to protect the CPU and high enough to not impact legitimate traffic.

The HPE does not affect offloaded traffic, just CPU traffic. The HPE is not as granular as DoS policies and should be used as a first level of protection.

DoS policies can be used as a second level of protection. For information about DoS policies, see DoS protection.

You can use the following command to configure the HPE.

config system npu

config hpe

set enable-shaper {disable | enable}

set all-protocol <packets-per-second>

set tcpsyn-max <packets-per-second>

set tcpsyn-ack-max <packets-per-second>

set tcpfin-rst-max <packets-per-second>

set tcp-max <packets-per-second>

set udp-max <packets-per-second>

set icmp-max <packets-per-second>

set sctp-max <packets-per-second>

set esp-max <packets-per-second>

set ip-frag-max <packets-per-second>

set ip-others-max <packets-per-second>

set arp-max <packets-per-second>

set l2-others-max <packets-per-second>

set high-priority <packets-per-second>

end

NP7 Host Protection Engine (HPE)

The NP7 host protection engine (HPE) uses NP7 processors to protect the FortiGate CPU from excessive amounts of ingress traffic, which typically occurs during DDoS attacks or network problems (for example an ARP flood due to a network loop). You can use the HPE to prevent ingress traffic received on data interfaces connected to NP7 processors from overloading the FortiGate CPU.

You configure the HPE by enabling it and setting traffic thresholds. The HPE then acts like a traffic shaper, dropping packets that exceed the configured traffic thresholds. You can enable HPE monitoring to record log messages when the HPE drops packets. You can also run the HPE with monitoring enabled but without dropping packets. Using these tools you can monitor HPE activity and set HPE threshold values that are low enough to protect the CPU and high enough to not impact legitimate traffic.

The HPE does not affect offloaded traffic, just CPU traffic. The HPE is not as granular as DoS policies and should be used as a first level of protection.

DoS policies can be used as a second level of protection. For information about DoS policies, see DoS protection.

You can use the following command to configure the HPE.

config system npu

config hpe

set enable-shaper {disable | enable}

set all-protocol <packets-per-second>

set tcpsyn-max <packets-per-second>

set tcpsyn-ack-max <packets-per-second>

set tcpfin-rst-max <packets-per-second>

set tcp-max <packets-per-second>

set udp-max <packets-per-second>

set icmp-max <packets-per-second>

set sctp-max <packets-per-second>

set esp-max <packets-per-second>

set ip-frag-max <packets-per-second>

set ip-others-max <packets-per-second>

set arp-max <packets-per-second>

set l2-others-max <packets-per-second>

set high-priority <packets-per-second>

end