New Features

Enhance host protection engine

The host protection engine (HPE) has been enhanced with monitoring and logging of HPE activity. Administrators can enable or disable HPE monitoring and set the check interval and the per-type multipliers that control how often event logs and attack logs are generated. These logs show how often each attack type triggers the HPE and help administrators fine-tune the packet-rate thresholds in the HPE shaper.

config monitoring npu-hpe
    set status {enable | disable}
    set interval <integer>
    set multipliers <m1> <m2> ... <m12>
end

status {enable | disable}

Enable/disable NPU HPE status monitoring.

interval <integer>

Set the NPU HPE status check interval, in seconds (1 - 60, default = 1).

multipliers <m1> <m2> ... <m12>

Set the per-type interval multipliers (12 integers, each 1 - 255; default = 4 4 4 4 8 8 8 8 8 8 8 8, in the order listed below).

  • m1: interval multiplier for the maximum TCP SYN packet rate.
  • m2: interval multiplier for the maximum TCP SYN+ACK packet rate.
  • m3: interval multiplier for the maximum rate of TCP packets carrying SYN, FIN, or RST flags.
  • m4: interval multiplier for the maximum TCP packet rate.
  • m5: interval multiplier for the maximum UDP packet rate.
  • m6: interval multiplier for the maximum ICMP packet rate.
  • m7: interval multiplier for the maximum SCTP packet rate.
  • m8: interval multiplier for the maximum ESP packet rate.
  • m9: interval multiplier for the maximum fragmented IP packet rate.
  • m10: interval multiplier for the maximum rate of other IP packet types.
  • m11: interval multiplier for the maximum ARP packet rate.
  • m12: interval multiplier for the maximum rate of other Layer 2 packet types.

An event log is generated every (interval × multiplier) seconds for an HPE type while the HPE is dropping packets of that type, using that type's multiplier.

An attack log is generated after every (4 × multiplier) consecutive event logs for that type.

HPE is disabled by default. You must enable HPE on the relevant NP6 chips and configure the packet-rate thresholds that trigger it (see config system np6 in the FortiOS CLI Reference); HPE monitoring only reports what an enabled HPE shaper does.

To configure HPE monitoring:
config monitoring npu-hpe
    set status enable
    set interval 1
    set multipliers 4 4 4 4 8 8 8 8 8 8 8 8
end

Sample logs (listed newest first; read from the bottom up, the HPE reported a UDP flood on NP6_0 at 15:59:59, was still dropping UDP at 16:00:00, and stopped dropping at 16:00:01):

1: date=2021-01-13 time=16:00:01 eventtime=1610582401563369503 tz="-0800" logid="0100034418" type="event" subtype="system" level="warning" vd="root" logdesc="NP6 HPE is dropping packets" msg="NPU HPE module is stop dropping packet types of:udp  in NP6_0."
2: date=2021-01-13 time=16:00:00 eventtime=1610582400562601540 tz="-0800" logid="0100034418" type="event" subtype="system" level="warning" vd="root" logdesc="NP6 HPE is dropping packets" msg="NPU HPE module is likely dropping packets of one or more of these types:udp  in NP6_0."
3: date=2021-01-13 time=15:59:59 eventtime=1610582399558325686 tz="-0800" logid="0100034419" type="event" subtype="system" level="critical" vd="root" logdesc="NP6 HPE under a packets flood" msg="NPU HPE module is likely under attack of:udp  in NP6_0."
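
To make the log schedule and the sample logs above concrete, here is an added Python example (not from the FortiOS documentation or from Fortinet) that parses the three sample logs into key=value fields, classifies each as a dropping, stopped, or attack log by its logid and message text, summarizes them per NP6 chip and packet type in eventtime order, and computes from an interval and multiplier set how often event logs appear and how long drops must continue before an attack log is raised. The logid values and message wording are taken from the sample logs; the message regex, the type labels in HPE_TYPES, the assumption that several types in one message are space-separated, and all function names are my own assumptions.

```python
import re
from datetime import datetime, timezone

# Sample logs copied from this page (newest first, as the page lists them).
SAMPLE_LOGS = """\
1: date=2021-01-13 time=16:00:01 eventtime=1610582401563369503 tz="-0800" logid="0100034418" type="event" subtype="system" level="warning" vd="root" logdesc="NP6 HPE is dropping packets" msg="NPU HPE module is stop dropping packet types of:udp  in NP6_0."
2: date=2021-01-13 time=16:00:00 eventtime=1610582400562601540 tz="-0800" logid="0100034418" type="event" subtype="system" level="warning" vd="root" logdesc="NP6 HPE is dropping packets" msg="NPU HPE module is likely dropping packets of one or more of these types:udp  in NP6_0."
3: date=2021-01-13 time=15:59:59 eventtime=1610582399558325686 tz="-0800" logid="0100034419" type="event" subtype="system" level="critical" vd="root" logdesc="NP6 HPE under a packets flood" msg="NPU HPE module is likely under attack of:udp  in NP6_0."
"""

LOGID_HPE_DROPPING = "0100034418"  # warning: HPE started/continues or stopped dropping
LOGID_HPE_FLOOD = "0100034419"     # critical: attack log

# Labels for the m1..m12 multiplier positions (my own names, in the page's order).
HPE_TYPES = ["tcp-syn", "tcp-syn-ack", "tcp-syn-fin-rst", "tcp", "udp", "icmp",
             "sctp", "esp", "ip-frag", "ip-others", "arp", "l2-others"]
DEFAULT_MULTIPLIERS = [4, 4, 4, 4, 8, 8, 8, 8, 8, 8, 8, 8]

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# "...types of:udp  in NP6_0." / "...these types:udp  in NP6_0." / "...attack of:udp  in NP6_0."
MSG_RE = re.compile(r'(?:of|types):\s*(?P<types>.*?)\s+in\s+(?P<npu>NP6_\d+)\.?$')


def parse_fortios_log(line):
    """Parse one FortiOS key=value log line into a dict (surrounding quotes stripped)."""
    line = re.sub(r'^\d+:\s*', '', line.strip())  # drop the "1: " list index prefix
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def classify_hpe_log(fields):
    """Return (kind, npu, [types]) for an HPE log, or None if the line is not one.
    Assumption: several types in one message are space-separated."""
    logid = fields.get("logid")
    if logid not in (LOGID_HPE_DROPPING, LOGID_HPE_FLOOD):
        return None
    m = MSG_RE.search(fields.get("msg", ""))
    if not m:
        return None
    if logid == LOGID_HPE_FLOOD:
        kind = "attack"
    elif "stop dropping" in fields["msg"]:
        kind = "stopped"
    else:
        kind = "dropping"
    return kind, m.group("npu"), m.group("types").split()


def summarize_hpe_logs(text):
    """Per (npu, type): counts of dropping/attack logs, time span, and whether the
    latest log still reports drops. Records are ordered by eventtime (epoch ns), not
    by the order a log viewer happened to list them."""
    records = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = parse_fortios_log(raw)
        hit = classify_hpe_log(fields)
        if hit is None:
            continue
        kind, npu, types = hit
        ts = datetime.fromtimestamp(int(fields["eventtime"]) / 1e9, tz=timezone.utc)
        for t in types:
            records.append((ts, npu, t, kind))
    records.sort()
    summary = {}
    for ts, npu, t, kind in records:
        s = summary.setdefault((npu, t), {"dropping_logs": 0, "attack_logs": 0,
                                          "first": ts, "last": ts, "dropping_now": False})
        if kind == "attack":
            s["attack_logs"] += 1
        elif kind == "dropping":
            s["dropping_logs"] += 1
            s["dropping_now"] = True
        else:  # "stopped"
            s["dropping_now"] = False
        s["last"] = ts
    return summary


def hpe_log_cadence(interval, multipliers=DEFAULT_MULTIPLIERS):
    """Per type: seconds between event logs (interval * m) and how many consecutive
    event logs (4 * m), hence how many seconds of continuous drops, precede an attack log."""
    out = {}
    for name, m in zip(HPE_TYPES, multipliers):
        event_period = interval * m
        out[name] = {"event_period_s": event_period,
                     "events_before_attack_log": 4 * m,
                     "attack_log_after_s": event_period * 4 * m}
    return out


if __name__ == "__main__":
    for key, s in summarize_hpe_logs(SAMPLE_LOGS).items():
        print(key, s)
    for name, c in hpe_log_cadence(1).items():
        print(name, c)
```

With the default interval of 1 second, a sustained UDP flood yields an event log every 8 seconds and an attack log only after 32 consecutive event logs, that is after 256 seconds of continuous drops; TCP SYN, with multiplier 4, escalates after 64 seconds. Lowering a type's multiplier brings the attack log forward at the cost of more frequent event logs, so set it per type according to how quickly you want to be paged for that flood.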