Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    7.0.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    Enhance host protection engine

    Enhance host protection engine

    The host protection engine (HPE) has been enhanced to add monitoring and logging capabilities when the HPE is triggered. Users can enable or disable HPE monitoring, and configure intervals and multipliers for the frequency when event logs and attack logs are generated. These logs and monitors help administrators analyze the frequency of attack types and fine-tune the desired packet rates in the HPE shaper.

    config monitoring npu-hpe
    set status {enable | disable}
    set interval <integer>
    set multiplers <m1>, <m2>, ... <m12>
end

    status {enable | disable}

    Enable/disable NPU HPE status monitoring.

    interval <integer>

    Set the NPU HPE status check interval, in seconds (1 - 60, default = 1).

    multiplers <m1>, <m2>, ... <m12>

    Set the HPE type interval multipliers (12 integers from 1 - 255, default = 4, 4, 4, 4, 8, 8, 8, 8, 8, 8, 8, 8).

    • m1: interval multiplier for maximum TCP SYN packet type.
    • m2: interval multiplier for maximum TCP SYN and ACK flags packet type.
    • m3: interval multiplier for maximum TCP carries SYN FIN or RST flags packet type.
    • m4: interval multiplier for maximum TCP packet type.
    • m5: interval multiplier for maximum UDP packet type.
    • m6: interval multiplier for maximum ICMP packet type.
    • m7: interval multiplier for maximum SCTP packet type.
    • m8: interval multiplier for maximum ESP packet type.
    • m9: interval multiplier for maximum fragmented IP packet type.
    • m10: interval multiplier for maximum other IP packet types.
    • m11: interval multiplier for maximum ARP packet type.
    • m12: interval multiplier for maximum L2 other packet types.

    An event log is generated after every (interval × multiplier) seconds for any HPE type when drops occur for that HPE type.

    An attack log is generated after every (4 × multiplier) number of continuous event logs.

    HPE functionality is disabled by default. Users must enable HPE for the related NP6 chips and configure the desired packet rates that would trigger the HPE monitoring (see config system np6 in the FortiOS CLI Reference).

    To configure HPE monitoring:
    config monitoring npu-hpe
    set status enable
    set interval 1
    set multipliers 4 4 4 4 8 8 8 8 8 8 8 8
end
    Sample logs 
    1: date=2021-01-13 time=16:00:01 eventtime=1610582401563369503 tz="-0800" logid="0100034418" type="event" subtype="system" level="warning" vd="root" logdesc="NP6 HPE is dropping packets" msg="NPU HPE module is stop dropping packet types of:udp  in NP6_0."
    2: date=2021-01-13 time=16:00:00 eventtime=1610582400562601540 tz="-0800" logid="0100034418" type="event" subtype="system" level="warning" vd="root" logdesc="NP6 HPE is dropping packets" msg="NPU HPE module is likely dropping packets of one or more of these types:udp  in NP6_0."
    3: date=2021-01-13 time=15:59:59 eventtime=1610582399558325686 tz="-0800" logid="0100034419" type="event" subtype="system" level="critical" vd="root" logdesc="NP6 HPE under a packets flood" msg="NPU HPE module is likely under attack of:udp  in NP6_0."
    Previous
    Next

    Enhance host protection engine

    Enhance host protection engine

    The host protection engine (HPE) has been enhanced to add monitoring and logging capabilities when the HPE is triggered. Users can enable or disable HPE monitoring, and configure intervals and multipliers for the frequency when event logs and attack logs are generated. These logs and monitors help administrators analyze the frequency of attack types and fine-tune the desired packet rates in the HPE shaper.

    config monitoring npu-hpe
    set status {enable | disable}
    set interval <integer>
    set multiplers <m1>, <m2>, ... <m12>
end

    status {enable | disable}

    Enable/disable NPU HPE status monitoring.

    interval <integer>

    Set the NPU HPE status check interval, in seconds (1 - 60, default = 1).

    multiplers <m1>, <m2>, ... <m12>

    Set the HPE type interval multipliers (12 integers from 1 - 255, default = 4, 4, 4, 4, 8, 8, 8, 8, 8, 8, 8, 8).

    • m1: interval multiplier for maximum TCP SYN packet type.
    • m2: interval multiplier for maximum TCP SYN and ACK flags packet type.
    • m3: interval multiplier for maximum TCP carries SYN FIN or RST flags packet type.
    • m4: interval multiplier for maximum TCP packet type.
    • m5: interval multiplier for maximum UDP packet type.
    • m6: interval multiplier for maximum ICMP packet type.
    • m7: interval multiplier for maximum SCTP packet type.
    • m8: interval multiplier for maximum ESP packet type.
    • m9: interval multiplier for maximum fragmented IP packet type.
    • m10: interval multiplier for maximum other IP packet types.
    • m11: interval multiplier for maximum ARP packet type.
    • m12: interval multiplier for maximum L2 other packet types.

    An event log is generated after every (interval × multiplier) seconds for any HPE type when drops occur for that HPE type.

    An attack log is generated after every (4 × multiplier) number of continuous event logs.

    HPE functionality is disabled by default. Users must enable HPE for the related NP6 chips and configure the desired packet rates that would trigger the HPE monitoring (see config system np6 in the FortiOS CLI Reference).

    To configure HPE monitoring:
    config monitoring npu-hpe
    set status enable
    set interval 1
    set multipliers 4 4 4 4 8 8 8 8 8 8 8 8
end
    Sample logs 
    1: date=2021-01-13 time=16:00:01 eventtime=1610582401563369503 tz="-0800" logid="0100034418" type="event" subtype="system" level="warning" vd="root" logdesc="NP6 HPE is dropping packets" msg="NPU HPE module is stop dropping packet types of:udp  in NP6_0."
    2: date=2021-01-13 time=16:00:00 eventtime=1610582400562601540 tz="-0800" logid="0100034418" type="event" subtype="system" level="warning" vd="root" logdesc="NP6 HPE is dropping packets" msg="NPU HPE module is likely dropping packets of one or more of these types:udp  in NP6_0."
    3: date=2021-01-13 time=15:59:59 eventtime=1610582399558325686 tz="-0800" logid="0100034419" type="event" subtype="system" level="critical" vd="root" logdesc="NP6 HPE under a packets flood" msg="NPU HPE module is likely under attack of:udp  in NP6_0."
    Previous
    Next