Hyperscale Firewall Guide

Hyperscale firewall CLI changes

The following hyperscale firewall CLI commands are available:

Enable hyperscale firewall features

Use the following global command to enable hyperscale firewall features:

config system npu
    set policy-offload-level full-offload
end

Use the following command to enable hyperscale firewall features for a VDOM:

config system settings
    set policy-offload-level full-offload
end

Special hyperscale firewall VDOM naming convention

VDOMs in which you will be enabling hyperscale firewall features must be created with a special VDOM name that also includes a VDOM ID number.

The following option can be used to set the VDOM ID range:

config system global
    set hyper-scale-vdom-num <number>
end

By default this option is set to 250, allowing you to configure up to 250 hyperscale firewall VDOMs by setting the VDOM ID in the range 1 to 250.

Use the following syntax to create a hyperscale firewall VDOM from the global CLI:

config vdom
    edit <string>-hw<vdom-id>
    next
end

For information about how to name hyperscale firewall VDOMs, see Creating hyperscale firewall VDOMs.
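The naming rule above is easy to get wrong when VDOMs are scripted, so here is an added example (not Fortinet's code, and not part of this guide) that checks candidate names against the <string>-hw<vdom-id> form and the hyper-scale-vdom-num range before they are pushed to a unit. It assumes the default of 250, treats "hw" as case-sensitive, and assumes that two hyperscale VDOMs must not share an ID; the sample names are constructed.

```python
import re

# Default of the "hyper-scale-vdom-num" option stated on the page.
DEFAULT_HYPERSCALE_VDOM_NUM = 250

# Documented form "<string>-hw<vdom-id>". The <string> part is taken here to
# be any non-empty prefix; "hw" is matched case-sensitively (an assumption).
_NAME_RE = re.compile(r"^(?P<base>.+)-hw(?P<vid>[0-9]+)$")


def parse_hyperscale_vdom_name(name, vdom_num=DEFAULT_HYPERSCALE_VDOM_NUM):
    """Return (base, vdom_id) for a name that follows the convention and whose
    ID lies in 1..vdom_num; raise ValueError otherwise."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"{name!r} does not match <string>-hw<vdom-id>")
    vid = int(m.group("vid"))
    if not 1 <= vid <= vdom_num:
        raise ValueError(
            f"{name!r}: VDOM ID {vid} is outside 1..{vdom_num} (hyper-scale-vdom-num)")
    return m.group("base"), vid


def check_vdom_names(names, vdom_num=DEFAULT_HYPERSCALE_VDOM_NUM):
    """Validate every name and make sure no two VDOMs claim the same ID
    (assumption: IDs must be unique). Returns {name: vdom_id}; raises
    ValueError on the first problem."""
    by_id = {}
    for n in names:
        _, vid = parse_hyperscale_vdom_name(n, vdom_num)
        if vid in by_id:
            raise ValueError(f"VDOM ID {vid} is used by both {by_id[vid]!r} and {n!r}")
        by_id[vid] = n
    return {n: vid for vid, n in by_id.items()}


def render_vdom_config(names, vdom_num=DEFAULT_HYPERSCALE_VDOM_NUM):
    """Emit the 'config vdom' block for validated names (edit/next/end form)."""
    check_vdom_names(names, vdom_num)
    lines = ["config vdom"]
    for n in names:
        lines += [f"    edit {n}", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample names.
    print(render_vdom_config(["cgnat-hw1", "mobile-hw2"]))
    for bad in ("cgnat", "cgnat-hw0", "cgnat-hw251"):
        try:
            parse_hyperscale_vdom_name(bad)
        except ValueError as e:
            print("rejected:", e)
```

Raise hyper-scale-vdom-num first if you need IDs above 250, and pass the new value as vdom_num so the check matches what the unit will accept.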

Hyperscale firewall policy

The following hyperscale firewall policy commands are available in a hyperscale firewall VDOM:

config firewall hyperscale-policy

config firewall hyperscale-policy46

config firewall hyperscale-policy6

config firewall hyperscale-policy64

The policy, policy6, policy46, and policy64 commands appear in the CLI but they cannot be configured.

Here is the CLI syntax for the config firewall hyperscale-policy command:

config firewall hyperscale-policy
    edit 1
        set name <name>
        set srcintf <interface>
        set dstintf <interface>
        set srcaddr <address>
        set dstaddr <address>
        set action {accept | deny}
        set status {enable | disable}
        set service <service>
        set auto-asic-offload {enable | disable}
        set cgn-session-quota <quota>
        set cgn-resource-quota <quota>
        set cgn-eif {disable | enable}
        set cgn-eim {disable | enable}
        set cgn-log-server-grp <group-name>
        set tcp-timeout-pid <profile>
        set udp-timeout-pid <profile>
        set ippool {disable | enable}
        set poolname <cgn-ippool-name>
        set comments <comment>
        set srcaddr-negate {disable | enable}
        set dstaddr-negate {disable | enable}
        set service-negate {disable | enable}
        set traffic-shaper <shaper>
        set traffic-shaper-reverse <shaper>
        set nat {disable | enable}
    next
end

CGN Resource allocation IP pools

You can use the following command to configure CGN Resource allocation IP pools:

config firewall ippool
    edit <name>
        set type cgn-resource-allocation
        set startip <ip>
        set endip <ip>
        set arp-reply {disable | enable}
        set arp-intf <interface-name>
        set cgn-spa {disable | enable}
        set cgn-overload {disable | enable}
        set cgn-fixedalloc {disable | enable}
        set cgn-block-size <number-of-ports>
        set cgn-client-startip <ip>
        set cgn-client-endip <ip>
        set cgn-port-start <port>
        set cgn-port-end <port>
        set utilization-alarm-raise <usage-threshold>
        set utilization-alarm-clear <usage-threshold>
    next
end
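The pool options above interact: the public address range, the port range and cgn-block-size decide how many port blocks exist, the client range decides how many subscribers compete for them, and the two utilization thresholds decide when the alarm is raised and cleared. The following added example (not Fortinet's code, not part of this guide) models those relationships for capacity planning. It assumes that with cgn-fixedalloc each client needs one dedicated port block, that the thresholds are percentages of blocks in use, and that the alarm clears only once utilization drops back to utilization-alarm-clear (hysteresis); the sample pool values are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class CgnResourcePool:
    # Field names mirror the "config firewall ippool" options on the page
    # (hyphens replaced by underscores). Values here are planning inputs only.
    startip: str
    endip: str
    cgn_port_start: int
    cgn_port_end: int
    cgn_block_size: int
    cgn_client_startip: str
    cgn_client_endip: str
    cgn_fixedalloc: bool = False
    utilization_alarm_raise: int = 80  # assumed to be percent of blocks in use
    utilization_alarm_clear: int = 70

    @staticmethod
    def _count(first, last):
        n = int(IPv4Address(last)) - int(IPv4Address(first)) + 1
        if n <= 0:
            raise ValueError(f"address range {first}-{last} is empty")
        return n

    def public_ips(self):
        return self._count(self.startip, self.endip)

    def clients(self):
        return self._count(self.cgn_client_startip, self.cgn_client_endip)

    def blocks_per_ip(self):
        """Whole port blocks that fit in cgn-port-start..cgn-port-end."""
        if self.cgn_block_size <= 0:
            raise ValueError("cgn-block-size must be positive")
        if not 0 < self.cgn_port_start <= self.cgn_port_end <= 65535:
            raise ValueError("invalid cgn-port-start/cgn-port-end")
        return (self.cgn_port_end - self.cgn_port_start + 1) // self.cgn_block_size

    def total_blocks(self):
        return self.public_ips() * self.blocks_per_ip()

    def fixed_alloc_shortfall(self):
        """Assumption for this example: with cgn-fixedalloc every client in the
        client range needs its own dedicated port block, so the pool must hold
        at least as many blocks as clients. Returns the number of missing
        blocks (0 = the plan fits, or fixed allocation is not used)."""
        if not self.cgn_fixedalloc:
            return 0
        return max(0, self.clients() - self.total_blocks())


def alarm_trace(pool, utilization_pct):
    """Assumed raise/clear semantics: the utilization alarm is raised when
    utilization reaches utilization-alarm-raise and cleared only once it falls
    to utilization-alarm-clear or below (hysteresis, so it does not flap).
    Returns the alarm state after each sample."""
    if pool.utilization_alarm_clear >= pool.utilization_alarm_raise:
        raise ValueError("utilization-alarm-clear must be below utilization-alarm-raise")
    raised, states = False, []
    for u in utilization_pct:
        if not raised and u >= pool.utilization_alarm_raise:
            raised = True
        elif raised and u <= pool.utilization_alarm_clear:
            raised = False
        states.append(raised)
    return states


# Constructed sample: 4 public addresses, 64-port blocks above 1024, a /20 of
# subscribers, fixed allocation requested.
SAMPLE_POOL = CgnResourcePool(
    startip="203.0.113.0", endip="203.0.113.3",
    cgn_port_start=1024, cgn_port_end=65535, cgn_block_size=64,
    cgn_client_startip="100.64.0.0", cgn_client_endip="100.64.15.255",
    cgn_fixedalloc=True,
)

if __name__ == "__main__":
    p = SAMPLE_POOL
    print(f"{p.public_ips()} public IPs x {p.blocks_per_ip()} blocks = {p.total_blocks()} blocks")
    print(f"{p.clients()} clients, fixed-allocation shortfall: {p.fixed_alloc_shortfall()} blocks")
    print("alarm states:", alarm_trace(p, [50, 85, 75, 65]))
```

With the sample values the four addresses yield 4032 blocks for 4096 clients, so a fixed-allocation plan is 64 blocks short; adding a fifth public address or shrinking the client range fixes it. The alarm trace shows why clear should sit well below raise: a reading between the two thresholds leaves the alarm in its current state instead of toggling it.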

CGN Resource allocation IP pool groups

You can use the following command to create CGN Resource Allocation IP pool groups:

config firewall ippool_grp
    edit <name>
        set member <cgn-ippool> ...
    next
end

Hardware logging

The following hardware logging commands are available:

config log npu-server
    set log-processor {hardware | host}
    set netflow-ver {v9 | v10}
    config server-info
        edit <index>
            set vdom <name>
            set ip-family {v4 | v6}
            set ipv4-server <ipv4-address>
            set ipv6-server <ipv6-address>
            set source-port <port-number>
            set dest-port <port-number>
            set template-tx-timeout <timeout>
        next
    end
    config server-group
        edit <group-name>
            set log-mode {per-session | per-nat-mapping | per-session-ending}
            set log-format {netflow | syslog}
            set server-number <number>
            set server-start-id <number>
        next
    end
end
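A server-group only names a starting server-info index and a count, so a group can silently point at entries that do not exist or whose ip-family does not match the address that was set. The following added example (not Fortinet's code, not part of this guide) runs those consistency checks over a dictionary that mirrors the config log npu-server tree. It assumes a group uses the contiguous indexes server-start-id through server-start-id + server-number - 1, and that a netflow-format group needs netflow-ver set; the sample configuration, including its two deliberate mistakes, is constructed.

```python
from ipaddress import ip_address


def validate_npu_server(cfg):
    """cfg mirrors 'config log npu-server':
       {'netflow-ver': 'v9'|'v10'|None,
        'server-info': {index: {...}}, 'server-group': {name: {...}}}.
    Returns a list of human-readable problems (empty list = consistent)."""
    problems = []
    infos = cfg.get("server-info", {})
    for idx, s in infos.items():
        fam = s.get("ip-family")
        key = {"v4": "ipv4-server", "v6": "ipv6-server"}.get(fam)
        if key is None:
            problems.append(f"server-info {idx}: ip-family must be v4 or v6")
            continue
        addr = s.get(key)
        if not addr:
            problems.append(f"server-info {idx}: ip-family {fam} but {key} is not set")
            continue
        try:
            if ip_address(addr).version != int(fam[1]):
                raise ValueError
        except ValueError:
            problems.append(f"server-info {idx}: {key} {addr!r} is not a valid IP{fam} address")
        for k in ("source-port", "dest-port"):
            p = s.get(k)
            if not isinstance(p, int) or not 1 <= p <= 65535:
                problems.append(f"server-info {idx}: {k} must be 1..65535")
    for name, g in cfg.get("server-group", {}).items():
        start, num = g.get("server-start-id"), g.get("server-number")
        if not isinstance(start, int) or not isinstance(num, int) or num < 1:
            problems.append(
                f"server-group {name}: server-start-id/server-number must be positive integers")
            continue
        # Assumption of this example: a group uses the contiguous server-info
        # indexes server-start-id .. server-start-id + server-number - 1.
        missing = [i for i in range(start, start + num) if i not in infos]
        if missing:
            problems.append(f"server-group {name}: server-info index(es) {missing} do not exist")
        if g.get("log-format") == "netflow" and cfg.get("netflow-ver") not in ("v9", "v10"):
            problems.append(f"server-group {name}: log-format netflow but netflow-ver is not set")
    return problems


# Constructed sample configuration with two deliberate mistakes.
SAMPLE_CFG = {
    "netflow-ver": "v10",
    "server-info": {
        1: {"vdom": "cgnat-hw1", "ip-family": "v4", "ipv4-server": "192.0.2.10",
            "source-port": 2055, "dest-port": 2055},
        2: {"vdom": "cgnat-hw1", "ip-family": "v6", "ipv6-server": "2001:db8::10",
            "source-port": 514, "dest-port": 514},
        # Mistake 1: family v4 but only an IPv6 address was given.
        3: {"vdom": "cgnat-hw1", "ip-family": "v4", "ipv6-server": "2001:db8::11",
            "source-port": 514, "dest-port": 514},
    },
    "server-group": {
        "cgn-netflow": {"log-mode": "per-nat-mapping", "log-format": "netflow",
                        "server-number": 2, "server-start-id": 1},
        # Mistake 2: the group reaches past the last configured index.
        "cgn-syslog": {"log-mode": "per-session", "log-format": "syslog",
                       "server-number": 2, "server-start-id": 3},
    },
}

if __name__ == "__main__":
    for line in validate_npu_server(SAMPLE_CFG) or ["config is consistent"]:
        print(line)
```

Run the check against the intended configuration before committing it; a group that points at a missing server means NAT mapping records for that group are never delivered, which is the kind of gap that only shows up when someone needs the logs.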

Hyperscale firewall inter-VDOM link acceleration

You apply NP7 acceleration to inter-VDOM link traffic by creating inter-VDOM links with the type set to npupair. For example:

config system vdom-link
    edit <name>
        set type npupair
    next
end