Fortinet Document Library

Version:


Table of Contents

New Features

7.0.0
Download PDF
Copy Link

Extend dedicated management CPU feature to 1U and desktop models 7.0.2

The dedicated management CPU feature ensures that CPU 0 is only used for management traffic. This feature, which was previously available for 2U models and higher, is now available on 1U and desktop models. Two settings must be configured to use this feature:

  • Enabling dedicated-management-cpu under config system npu prevents the NPU from hashing non-management traffic to CPU 0.
  • Enabling ips-reserve-cpu under config ips global prevents NTurbo and IPS from sending non-management traffic to CPU 0.
To configure dedicated CPU management:
  1. Configure the NPU setting:
    config system npu
        set dedicated-management-cpu enable
    end
  2. Configure the IPS global setting:
    config ips global
        set ips-reserve-cpu enable
    end
  3. Configure the firewall policy with IPS enabled:
    config firewall policy
        edit 1
            set srcintf "any"
            set dstintf "any"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ips-sensor "all_default"
        next
    end
  4. Once HTTP traffic passes through the FortiGate, verify that CPU 0 is not taking any traffic load:
    # get system performance status
    CPU states: 45% user 5% system 0% nice 36% idle 0% iowait 0% irq 14% softirq
    CPU0 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
    CPU1 states: 50% user 0% system 0% nice 2% idle 0% iowait 0% irq 48% softirq
    CPU2 states: 50% user 8% system 0% nice 31% idle 0% iowait 0% irq 11% softirq
    CPU3 states: 51% user 6% system 0% nice 33% idle 0% iowait 0% irq 10% softirq
    CPU4 states: 51% user 6% system 0% nice 31% idle 0% iowait 0% irq 12% softirq
    CPU5 states: 48% user 7% system 0% nice 31% idle 0% iowait 0% irq 14% softirq
    CPU6 states: 53% user 6% system 0% nice 31% idle 0% iowait 0% irq 10% softirq
    CPU7 states: 54% user 6% system 0% nice 32% idle 0% iowait 0% irq 8% softirq
    Memory: 3807328k total, 1224912k used (32.2%), 2243616k free (58.9%), 338800k freeable (8.9%)
    Average network usage: 57576 / 56881 kbps in 1 minute, 1112 / 0 kbps in 10 minutes, 757 / 0 kbps in 30 minutes
    Average sessions: 365 sessions in 1 minute, 6 sessions in 10 minutes, 6 sessions in 30 minutes
    Average session setup rate: 344 sessions per second in last 1 minute, 0 sessions per second in last 10 minutes, 0 sessions per second in last 30 minutes
    Average NPU sessions: 358 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
    Average nTurbo sessions: 358 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
    Virus caught: 0 total in 1 minute
    IPS attacks blocked: 0 total in 1 minute
    Uptime: 0 days,  23 hours,  22 minutes

Extend dedicated management CPU feature to 1U and desktop models 7.0.2

The dedicated management CPU feature ensures that CPU 0 is only used for management traffic. This feature, which was previously available for 2U models and higher, is now available on 1U and desktop models. Two settings must be configured to use this feature:

  • Enabling dedicated-management-cpu under config system npu prevents the NPU from hashing non-management traffic to CPU 0.
  • Enabling ips-reserve-cpu under config ips global prevents NTurbo and IPS from sending non-management traffic to CPU 0.
To configure dedicated CPU management:
  1. Configure the NPU setting:
    config system npu
        set dedicated-management-cpu enable
    end
  2. Configure the IPS global setting:
    config ips global
        set ips-reserve-cpu enable
    end
  3. Configure the firewall policy with IPS enabled:
    config firewall policy
        edit 1
            set srcintf "any"
            set dstintf "any"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ips-sensor "all_default"
        next
    end
  4. Once HTTP traffic passes through the FortiGate, verify that CPU 0 is not taking any traffic load:
    # get system performance status
    CPU states: 45% user 5% system 0% nice 36% idle 0% iowait 0% irq 14% softirq
    CPU0 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
    CPU1 states: 50% user 0% system 0% nice 2% idle 0% iowait 0% irq 48% softirq
    CPU2 states: 50% user 8% system 0% nice 31% idle 0% iowait 0% irq 11% softirq
    CPU3 states: 51% user 6% system 0% nice 33% idle 0% iowait 0% irq 10% softirq
    CPU4 states: 51% user 6% system 0% nice 31% idle 0% iowait 0% irq 12% softirq
    CPU5 states: 48% user 7% system 0% nice 31% idle 0% iowait 0% irq 14% softirq
    CPU6 states: 53% user 6% system 0% nice 31% idle 0% iowait 0% irq 10% softirq
    CPU7 states: 54% user 6% system 0% nice 32% idle 0% iowait 0% irq 8% softirq
    Memory: 3807328k total, 1224912k used (32.2%), 2243616k free (58.9%), 338800k freeable (8.9%)
    Average network usage: 57576 / 56881 kbps in 1 minute, 1112 / 0 kbps in 10 minutes, 757 / 0 kbps in 30 minutes
    Average sessions: 365 sessions in 1 minute, 6 sessions in 10 minutes, 6 sessions in 30 minutes
    Average session setup rate: 344 sessions per second in last 1 minute, 0 sessions per second in last 10 minutes, 0 sessions per second in last 30 minutes
    Average NPU sessions: 358 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
    Average nTurbo sessions: 358 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
    Virus caught: 0 total in 1 minute
    IPS attacks blocked: 0 total in 1 minute
    Uptime: 0 days,  23 hours,  22 minutes