Extend dedicated management CPU feature to 1U and desktop models 7.0.2

The dedicated management CPU feature ensures that CPU 0 is only used for management traffic. This feature, which was previously available for 2U models and higher, is now available on 1U and desktop models. Two settings must be configured to use this feature:

  • Enabling dedicated-management-cpu under config system npu prevents the NPU from hashing non-management traffic to CPU 0.
  • Enabling ips-reserve-cpu under config ips global prevents NTurbo and IPS from sending non-management traffic to CPU 0.

To configure dedicated CPU management:
  1. Configure the NPU setting:
    config system npu
        set dedicated-management-cpu enable
    end
  2. Configure the IPS global setting:
    config ips global
        set ips-reserve-cpu enable
    end
  3. Configure the firewall policy with IPS enabled:
    config firewall policy
        edit 1
            set srcintf "any"
            set dstintf "any"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ips-sensor "all_default"
        next
    end
  4. Once HTTP traffic passes through the FortiGate, verify that CPU 0 is not taking any traffic load:
    # get system performance status
    CPU states: 45% user 5% system 0% nice 36% idle 0% iowait 0% irq 14% softirq
    CPU0 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
    CPU1 states: 50% user 0% system 0% nice 2% idle 0% iowait 0% irq 48% softirq
    CPU2 states: 50% user 8% system 0% nice 31% idle 0% iowait 0% irq 11% softirq
    CPU3 states: 51% user 6% system 0% nice 33% idle 0% iowait 0% irq 10% softirq
    CPU4 states: 51% user 6% system 0% nice 31% idle 0% iowait 0% irq 12% softirq
    CPU5 states: 48% user 7% system 0% nice 31% idle 0% iowait 0% irq 14% softirq
    CPU6 states: 53% user 6% system 0% nice 31% idle 0% iowait 0% irq 10% softirq
    CPU7 states: 54% user 6% system 0% nice 32% idle 0% iowait 0% irq 8% softirq
    Memory: 3807328k total, 1224912k used (32.2%), 2243616k free (58.9%), 338800k freeable (8.9%)
    Average network usage: 57576 / 56881 kbps in 1 minute, 1112 / 0 kbps in 10 minutes, 757 / 0 kbps in 30 minutes
    Average sessions: 365 sessions in 1 minute, 6 sessions in 10 minutes, 6 sessions in 30 minutes
    Average session setup rate: 344 sessions per second in last 1 minute, 0 sessions per second in last 10 minutes, 0 sessions per second in last 30 minutes
    Average NPU sessions: 358 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
    Average nTurbo sessions: 358 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
    Virus caught: 0 total in 1 minute
    IPS attacks blocked: 0 total in 1 minute
    Uptime: 0 days,  23 hours,  22 minutes
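
A way to automate the check in step 4, added here as an example and not part of Fortinet's documentation: it parses the per-core lines of `get system performance status` and reports whether CPU 0 stayed idle while the other cores carried load. The function names, result labels and both thresholds are assumptions made for this example.

```python
import re

# Constructed sample: per-core lines in the format printed by
# "get system performance status" (values from the output above, first 4 cores).
SAMPLE = """\
CPU states: 45% user 5% system 0% nice 36% idle 0% iowait 0% irq 14% softirq
CPU0 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU1 states: 50% user 0% system 0% nice 2% idle 0% iowait 0% irq 48% softirq
CPU2 states: 50% user 8% system 0% nice 31% idle 0% iowait 0% irq 11% softirq
CPU3 states: 51% user 6% system 0% nice 33% idle 0% iowait 0% irq 10% softirq
"""

# Matches "CPU<n> states:" only, so the aggregate "CPU states:" line is skipped.
CPU_LINE = re.compile(r"^[ \t]*CPU(\d+) states:[ \t]*(.+)$", re.MULTILINE)
FIELD = re.compile(r"(\d+)%\s+(\w+)")


def parse_cpu_states(text):
    """Return {core_index: {state_name: percent}} for every per-core line."""
    cores = {}
    for m in CPU_LINE.finditer(text):
        cores[int(m.group(1))] = {name: int(pct) for pct, name in FIELD.findall(m.group(2))}
    return cores


def check_mgmt_cpu(text, max_cpu0_busy=5, min_data_busy=20):
    """Classify a sample as 'isolated', 'cpu0_loaded' or 'inconclusive'.

    Thresholds are assumptions for this example, not Fortinet values.
    """
    cores = parse_cpu_states(text)
    if 0 not in cores or len(cores) < 2:
        raise ValueError("need CPU0 and at least one other core")
    busy = {i: 100 - s["idle"] for i, s in cores.items()}
    data = [b for i, b in busy.items() if i != 0]
    if sum(data) / len(data) < min_data_busy:
        return "inconclusive"  # no traffic load, so an idle CPU 0 proves nothing
    if busy[0] > max_cpu0_busy:
        return "cpu0_loaded"  # may also be management activity; review both settings
    return "isolated"


if __name__ == "__main__":
    print(check_mgmt_cpu(SAMPLE))
```

An `inconclusive` result means the sample was taken without traffic passing through the FortiGate, so the check should be repeated under load.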
