Fortinet Document Library


Hyperscale Firewall Guide


Hyperscale firewall CLI changes

The following hyperscale firewall CLI commands are available:

Enable hyperscale firewall features

Use the following global command to enable hyperscale firewall features:

config system npu
    set policy-offload-level full-offload
end

Use the following command to enable hyperscale firewall features for a VDOM:

config system settings
    set policy-offload-level full-offload
end

Special hyperscale firewall VDOM naming convention

VDOMs in which you will be enabling hyperscale firewall features must be created with a special VDOM name that also includes a VDOM ID number.

The following option can be used to set the VDOM ID range:

config system global
    set hyper-scale-vdom-num <number>
end

By default this option is set to 250, allowing you to configure up to 250 hyperscale firewall VDOMs with VDOM IDs in the range 1 to 250.

Use the following syntax to create a hyperscale firewall VDOM from the global CLI:

config vdom
    edit <string>-hw<vdom-id>
end

For information about how to name hyperscale firewall VDOMs, see Creating hyperscale firewall VDOMs.

Hyperscale firewall policy

The following hyperscale firewall policy commands are available in a hyperscale firewall VDOM:

config firewall hyperscale-policy

config firewall hyperscale-policy46

config firewall hyperscale-policy6

config firewall hyperscale-policy64

The policy, policy6, policy46, and policy64 commands appear in the CLI but they cannot be configured.

Note

If you are upgrading your hyperscale firewall configuration from FortiOS 6.2.5 to 6.2.6 you must re-configure all of your hyperscale firewall policies using the new 6.2.6 hyperscale firewall policies.

Here is the CLI syntax for the config firewall hyperscale-policy command:

config firewall hyperscale-policy
    edit 1
        set name <name>
        set srcintf <interface>
        set dstintf <interface>
        set srcaddr <address>
        set dstaddr <address>
        set action {accept | deny}
        set status {enable | disable}
        set service <service>
        set auto-asic-offload {enable | disable}
        set cgn-session-quota <quota>
        set cgn-resource-quota <quota>
        set cgn-eif {disable | enable}
        set cgn-eim {disable | enable}
        set cgn-log-server-grp <group-name>
        set tcp-timeout-pid <profile>
        set udp-timeout-pid <profile>
        set ippool {disable | enable}
        set poolname <cgn-ippool-name>
        set comments <comment>
        set srcaddr-negate {disable | enable}
        set dstaddr-negate {disable | enable}
        set service-negate {disable | enable}
        set traffic-shaper <shaper>
        set traffic-shaper-reverse <shaper>
        set nat {disable | enable}
end

CGN Resource allocation IP pools

You can use the following command to configure CGN Resource allocation IP pools:

config firewall ippool
    edit <name>
        set type cgn-resource-allocation
        set startip <ip>
        set endip <ip>
        set arp-reply {disable | enable}
        set arp-intf <interface-name>
        set cgn-spa {disable | enable}
        set cgn-overload {disable | enable}
        set cgn-fixedalloc {disable | enable}
        set cgn-block-size <number-of-ports>
        set cgn-client-startip <ip>
        set cgn-client-endip <ip>
        set cgn-port-start <port>
        set cgn-port-end <port>
        set utilization-alarm-raise <usage-threshold>
        set utilization-alarm-clear <usage-threshold>
end
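As an added capacity-planning example (not part of the Fortinet documentation), the following Python estimates whether a pool defined with the cgn-resource-allocation settings above has enough port blocks for its client range and whether the utilization alarm would trip. The one-block-per-client behaviour of cgn-fixedalloc and all addresses and thresholds are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class CgnPool:
    startip: str
    endip: str
    cgn_port_start: int
    cgn_port_end: int
    cgn_block_size: int
    cgn_client_startip: str
    cgn_client_endip: str
    utilization_alarm_raise: int  # percent
    utilization_alarm_clear: int  # percent

def _range_size(start: str, end: str) -> int:
    """Number of addresses in the inclusive range start..end."""
    lo, hi = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
    if hi < lo:
        raise ValueError(f"end address {end} precedes start address {start}")
    return hi - lo + 1

def plan_fixed_allocation(pool: CgnPool) -> dict:
    # Assumed (not stated on the page): with cgn-fixedalloc enabled, each client address
    # consumes exactly one block of cgn-block-size ports on a single public IP.
    if not 1 <= pool.cgn_port_start <= pool.cgn_port_end <= 65535:
        raise ValueError("need 1 <= cgn-port-start <= cgn-port-end <= 65535")
    ports_per_ip = pool.cgn_port_end - pool.cgn_port_start + 1
    if not 1 <= pool.cgn_block_size <= ports_per_ip:
        raise ValueError("cgn-block-size must fit inside the port range")
    if not 0 <= pool.utilization_alarm_clear < pool.utilization_alarm_raise <= 100:
        raise ValueError("utilization-alarm-clear must be below utilization-alarm-raise")
    public_ips = _range_size(pool.startip, pool.endip)
    blocks_per_ip = ports_per_ip // pool.cgn_block_size  # a partial block is unusable
    total_blocks = public_ips * blocks_per_ip
    clients = _range_size(pool.cgn_client_startip, pool.cgn_client_endip)
    utilization = round(100 * min(clients, total_blocks) / total_blocks, 1)
    return {
        "public_ips": public_ips,
        "blocks_per_ip": blocks_per_ip,
        "total_blocks": total_blocks,
        "clients": clients,
        "shortfall": max(0, clients - total_blocks),  # clients that can never get a block
        "utilization_pct": utilization,
        "alarm_would_raise": utilization >= pool.utilization_alarm_raise,
    }

# Constructed sample (not from the page): 4 public IPs, 1024-port blocks, 254 clients.
SAMPLE = CgnPool("203.0.113.1", "203.0.113.4", 1024, 65535, 1024,
                 "10.0.0.1", "10.0.0.254", 80, 60)
```

With the sample values the pool holds 4 x 63 = 252 blocks for 254 clients, so two clients could never be allocated a block and the pool sits at 100% utilization.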

CGN Resource allocation IP pool groups

You can use the following command to create CGN Resource Allocation IP pool groups:

config firewall ippool_grp
    edit <name>
        set member <cgn-ippool> ...
end

Hardware logging

The following hardware logging commands are available:

config log npu-server
    set log-processor {hardware | host}
    set netflow-ver {v9 | v10}
    config server-info
        edit <index>
            set vdom <name>
            set ip-family {v4 | v6}
            set ipv4-server <ipv4-address>
            set ipv6-server <ipv6-address>
            set source-port <port-number>
            set dest-port <port-number>
            set template-tx-timeout <timeout>
    end
    config server-group
        edit <group-name>
            set log-mode {per-session | per-nat-mapping | per-session-ending}
            set log-format {netflow | syslog}
            set server-number <number>
            set server-start-id <number>
    end
end

Hyperscale firewall inter-VDOM link acceleration

You apply NP7 acceleration to inter-VDOM link traffic by creating inter-VDOM links with the type set to npupair. For example:

config system vdom-link
    edit <name>
        set type npupair
end
