Enabling hyperscale firewall features
Use the following global command to enable hyperscale firewall features for your FortiGate:
config global
config system npu
set policy-offload-level full-offload
end
On a FortiGate-4800F or 4801F, in addition to enabling config system settings set policy-offload-level full-offload set npu-group-id {0 | 1 | 2 | 3} end You need to assign the NP7 processor group before adding any interfaces to the hyperscale firewall VDOM. Assigning an NP7 processor group is required because of the NP7 configuration of the FortiGate 4800F and 4801F. For more information, see Assigning an NP7 processor group to a hyperscale firewall VDOM. On a FortiGate 4800F or 4801F, hyperscale hardware logging can only send logs to interfaces in the same NP7 processor group as the NP7 processors that are handling the hyperscale sessions. This means that hyperscale hardware logging servers must include a hyperscale firewall VDOM. This VDOM must be assigned the same NP7 processor group as the hyperscale firewall VDOM that is processing the hyperscale traffic being logged. This can be the same hyperscale VDOM or another hyperscale firewall VDOM that is assigned the same NP7 processor group. For more information, see NP7 processor groups and hyperscale hardware logging. |
Once you have enabled global hyperscale firewall features, you must edit each hyperscale firewall VDOM and use the following command to enable hyperscale firewall features for that VDOM.
config system settings
set policy-offload-level full-offload
end
The following options are available for this command:
disable
disable hyperscale firewall features and disable offloading DoS policy sessions to NP7 processors for this VDOM. All sessions are initiated by the CPU. Sessions that can be offloaded are sent to NP7 processors. This is the default setting.
dos-offload
offload DoS policy sessions to NP7 processors for this VDOM. All other sessions are initiated by the CPU. Sessions that can be offloaded are sent to NP7 processors.
full-offload
enable hyperscale firewall features for the current hyperscale firewall VDOM. This option is only available if the FortiGate is licensed for hyperscale firewall features. DoS policy sessions are also offloaded to NP7 processors. All other sessions are initiated by the CPU. Sessions that can be offloaded are sent to NP7 processors.
For more information about DoS policy hardware acceleration and how it varies depending on the policy offload level, see DoS policy hardware acceleration. |