Enabling or disabling per-policy accounting for hyperscale firewall traffic
Per-policy accounting for hyperscale firewall traffic was added to hyperscale firewall for FortiOS 6.2.7. This change was documented as resolved issue 689660 (Policy hit counters have been implemented for hyperscale firewall policies) in the Resolved issues section of the FortiOS 6.2.7 hyperscale firewall release notes. Per-policy accounting was added to record hit counts for packets accepted or denied by hyperscale firewall policies.
To implement per-policy accounting for hyperscale firewall policies, changes were made to NP7 session management. As a result of these changes, per-policy accounting for hyperscale firewall policies can reduce hyperscale firewall performance.
Hyperscale firewall for FortiOS 6.4.8 includes the following command that you can use to enable or disable hyperscale firewall per-policy accounting for all hyperscale traffic:
config system npu
    set per-policy-accounting {disable | enable}
end
Per-policy accounting is disabled by default. When per-policy accounting is enabled, you can see hyperscale firewall policy hit counts on the GUI and CLI. If you disable per-policy accounting for hyperscale firewall traffic, FortiOS will not collect hit count information for traffic accepted or denied by hyperscale firewall policies.
Enabling or disabling per-policy accounting deletes all current sessions, disrupting traffic. Changing the per-policy accounting configuration should only be done during a quiet period.
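Because changing the setting clears sessions, it can be useful to confirm the current value from a configuration backup before scheduling a change. The following is an added example, not Fortinet code: it reads a text backup and reports the effective per-policy-accounting value, treating a missing line as the documented default. The function name and the sample configurations are constructed for illustration.

```python
# Added example: report the effective per-policy-accounting setting from a
# FortiOS configuration backup (text). Sample configs below are constructed.

DEFAULT = "disable"  # per the page: per-policy accounting is disabled by default


def per_policy_accounting(config_text):
    """Return the value set directly under 'config system npu'.

    Nested 'config ... end' sub-blocks are tracked by depth so that a 'set'
    line inside a sub-block is never mistaken for the top-level setting.
    If the option is absent, the documented default is returned.
    """
    depth = 0  # 0 = outside 'config system npu', 1 = directly inside it
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if depth == 0:
            if words == ["config", "system", "npu"]:
                depth = 1
            continue
        if words[0] == "config":
            depth += 1          # entering a nested sub-block
        elif words[0] == "end":
            depth -= 1          # leaving a sub-block, or the npu block itself
        elif depth == 1 and len(words) == 3 and words[:2] == ["set", "per-policy-accounting"]:
            return words[2]
    return DEFAULT


# Constructed sample: the option is set explicitly after a nested sub-block.
ENABLED = """config system global
    set hostname "fw-lab"
end
config system npu
    config priority-protocol
        set bgp enable
    end
    set per-policy-accounting enable
end
"""

# Constructed sample: the option is absent, so the default applies.
UNSET = "config system npu\n    config priority-protocol\n        set bgp enable\n    end\nend\n"

if __name__ == "__main__":
    for name, text in (("ENABLED", ENABLED), ("UNSET", UNSET)):
        print(name, "->", per_policy_accounting(text))
```

A result of "disable" means no hit counts are being collected for hyperscale firewall policies, so empty counters in the GUI or CLI do not indicate unused policies.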