
Hyperscale Firewall Guide

Adjusting NP7 hyperscale firewall blackhole and loopback route behavior


A diagnose command controls how the NP7 hyperscale firewall policy engine handles traffic in a hyperscale firewall VDOM that matches a blackhole route or a loopback route. The NP7 policy engine is implemented by the NP7 npd process. By default, the NP7 policy engine:

  • Drops traffic that matches a blackhole route (drop).

  • Sends traffic that matches a loopback route to the CPU (host).

You can use the following diagnose command to change this behavior. Because this is a diagnose command, any changes are reverted to defaults when the FortiGate restarts.

The command syntax is:

diagnose npd debug cmd 14 {28 | 29} {0 | 1 | 2}

28 configure how the NP7 policy engine handles traffic that matches a blackhole route.

29 configure how the NP7 policy engine handles traffic that matches a loopback route.

0 set blackhole or loopback route handling to ignore.

1 send traffic that matches a blackhole or loopback route to the CPU (host).

2 drop traffic that matches a blackhole or loopback route.

For example, use the following command to send traffic that matches a blackhole route to the CPU:

diagnose npd debug cmd 14 28 1

Use the following command to set loopback routing to drop:

diagnose npd debug cmd 14 29 2
