Hyperscale Firewall Guide


Hyperscale firewall policy engine mechanics

The NP7 hyperscale firewall policy engine is also called the Policy Lookup Engine (PLE). The PLE handles processing of all hyperscale firewall policies in all hyperscale firewall VDOMs. When the hyperscale firewall policy configuration changes, the PLE compiler creates a new policy database or policy set that is used by NP7 processors to apply hyperscale firewall and carrier grade NAT (CGN) features to offloaded traffic.

Hyperscale policy maximum values

The following maximum values are global limits for all hyperscale VDOMs and are not per individual VDOMs. These maximum values have been tested for FortiOS 7.0.6 and may be changed in the future as the result of ongoing and future optimizations.

  • The maximum number of hyperscale policies allowed: 20,000.

  • The maximum number of IP-ranges allowed per policy: 2,000.

  • The maximum number of IP-ranges allowed: 32,000.

  • The maximum number of port-ranges allowed per policy: 1,000.

  • The maximum number of port-ranges allowed: 4,000.

Hyperscale policy set mechanics

The factors that affect whether a hyperscale policy set that you create can be supported include, but are not limited to:

  • The total number of hyperscale policies.

  • The total number of IP-ranges and port-ranges.

  • The relationship between policies, such as how IP-ranges are distributed among policies.

You can create a hyperscale policy set that is within the maximum values but cannot be supported. If this happens, FortiOS will create an error message when the policy set is compiled. If you receive an error message during policy compilation, contact Fortinet Support for assistance diagnosing and correcting the problem.

You can create a policy set that exceeds some or all of the maximum values but can be successfully compiled. If you plan to create a configuration with one or more parameters close to or above their maximum values, you should contact Fortinet Support to review your configuration before deploying it.

It is a best practice to restart your FortiGate after making significant changes to a hyperscale policy set, especially if one or more parameters are close to or above their maximum values.
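The following is an added example, not Fortinet code, that checks a candidate policy set against the global maximum values listed above before it is pushed to a FortiGate. The Policy record, the opaque range strings and the 90% "close to maximum" warning threshold are assumptions for this example; the guide lists the limits but does not define what "close to" means.

```python
from dataclasses import dataclass

# Global limits the guide lists for FortiOS 7.0.6; they apply across all
# hyperscale VDOMs together, not per VDOM.
LIMITS = {
    "policies": 20_000,
    "ip_ranges_per_policy": 2_000,
    "ip_ranges_total": 32_000,
    "port_ranges_per_policy": 1_000,
    "port_ranges_total": 4_000,
}

@dataclass
class Policy:
    policy_id: int
    ip_ranges: list    # constructed: one string per IP range; only counted here
    port_ranges: list  # constructed: one string per port range; only counted here

def _judge(name, value, limit, warn_ratio, findings):
    """Record an error above the limit, a warning at or above warn_ratio of it."""
    if value > limit:
        findings.append(("error", f"{name}: {value} exceeds maximum {limit}"))
    elif value >= warn_ratio * limit:
        findings.append(("warn", f"{name}: {value} is close to maximum {limit}"))

def check_policy_set(policies, warn_ratio=0.9):
    """Return [(severity, message)] findings; an empty list means every
    counter is comfortably below its global limit. warn_ratio is an assumed
    threshold for "close to" the maximum (not defined by the guide)."""
    findings = []
    _judge("policies", len(policies), LIMITS["policies"], warn_ratio, findings)
    for p in policies:
        _judge(f"policy {p.policy_id} ip-ranges", len(p.ip_ranges),
               LIMITS["ip_ranges_per_policy"], warn_ratio, findings)
        _judge(f"policy {p.policy_id} port-ranges", len(p.port_ranges),
               LIMITS["port_ranges_per_policy"], warn_ratio, findings)
    # Totals are global, so sum over every policy in every hyperscale VDOM.
    _judge("total ip-ranges", sum(len(p.ip_ranges) for p in policies),
           LIMITS["ip_ranges_total"], warn_ratio, findings)
    _judge("total port-ranges", sum(len(p.port_ranges) for p in policies),
           LIMITS["port_ranges_total"], warn_ratio, findings)
    return findings

def errors(findings):
    """Only the findings that mean the set exceeds a documented maximum."""
    return [msg for sev, msg in findings if sev == "error"]

if __name__ == "__main__":
    # Constructed sample: 20 policies with 1,900 IP ranges each. Every per-policy
    # count is inside its limit, but 20 * 1,900 = 38,000 exceeds the global
    # 32,000 IP-range limit, which per-policy checks alone would miss.
    sample = [Policy(i, [f"range-{i}-{j}" for j in range(1900)], ["80-80"])
              for i in range(20)]
    for sev, msg in check_policy_set(sample):
        print(sev.upper(), msg)
```

Passing this check only means the set is within the published limits; as the guide notes, a set inside the limits can still fail to compile, so the compiler's error message remains the authoritative signal.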

Hyperscale policy set complexity and performance

The complexity of your hyperscale firewall policy set affects how long it takes for your FortiGate to start up. In general, more complex policy sets result in longer start up times.

The complexity of your hyperscale firewall policy set affects your FortiGate's hyperscale connections per second (CPS) performance. In general, more complex policy sets result in lower CPS performance.

How hyperscale policy transitions work

The complexity of your hyperscale firewall policy set affects how long it takes after inputting a policy change before the updated policy set can be applied to new and established sessions. This period of time is called the preparation time.

During the preparation time, new sessions are evaluated with the current policy set.

After the preparation time, new sessions are evaluated with the new policy set and established sessions are re-evaluated with the new policy set. The time required to re-evaluate established sessions is called the transition time.

The transition time is affected by hyperscale policy set complexity, the total number of established sessions to be re-evaluated, and the rate of receiving new sessions. CPS performance can also be reduced during the transition time.

During the transition time, FortiOS terminates an established session if:

  • The session is matched with a policy that has a different policy search key (for example, a different source IP range) or policy action.

  • The session is matched with the same policy but the policy includes a resource, such as an IP pool, that dynamically assigns a value (for example, an IP address) to the session and now it has to be returned because of the policy change.
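To make the two termination rules above concrete, here is an added example (not FortiOS code) that models the transition-time re-evaluation: each established session is looked up against the new policy set and flagged if the matching policy's search key or action differs, or if the same policy's IP pool changed and the session holds a pool address. The single source-range search key, the first-match lookup, treating "no match" as a different policy, and the sample sessions are all assumptions of this model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    policy_id: int
    src_range: str               # modelled policy search key, e.g. "10.0.0.0-10.0.0.255"
    action: str                  # "accept" or "deny"
    ip_pool: Optional[str] = None  # dynamically assigning resource, if any

@dataclass
class Session:
    session_id: int
    src_ip: str
    policy_id: int               # policy matched when the session was established
    pool_ip: Optional[str]       # address the IP pool assigned, if any

def in_range(ip, rng):
    """True if dotted-quad ip lies inside the inclusive "lo-hi" range."""
    lo, hi = rng.split("-")
    key = lambda a: tuple(int(x) for x in a.split("."))
    return key(lo) <= key(ip) <= key(hi)

def lookup(policy_set, src_ip):
    """First-match lookup over the ordered policy set (assumption of the model)."""
    return next((p for p in policy_set if in_range(src_ip, p.src_range)), None)

def reevaluate(old_set, new_set, sessions):
    """Return {session_id: reason} for the established sessions a transition terminates."""
    old_by_id = {p.policy_id: p for p in old_set}
    terminated = {}
    for s in sessions:
        old = old_by_id[s.policy_id]
        new = lookup(new_set, s.src_ip)
        # Rule 1: no longer the same search key and action (no match counts as different).
        if new is None or new.src_range != old.src_range or new.action != old.action:
            terminated[s.session_id] = "different policy search key or action"
        # Rule 2: same policy, but the pool that assigned this session's address changed.
        elif s.pool_ip is not None and new.ip_pool != old.ip_pool:
            terminated[s.session_id] = "dynamically assigned IP pool address returned"
    return terminated

# Constructed sample: pool swapped on policy 1, policy 2 narrowed, policy 3 untouched.
OLD = [Policy(1, "10.0.0.0-10.0.0.255", "accept", "pool-A"),
       Policy(2, "10.0.1.0-10.0.1.255", "accept"),
       Policy(3, "10.0.2.0-10.0.2.255", "accept")]
NEW = [Policy(1, "10.0.0.0-10.0.0.255", "accept", "pool-B"),
       Policy(2, "10.0.1.0-10.0.1.127", "accept"),
       Policy(3, "10.0.2.0-10.0.2.255", "accept")]
SESSIONS = [Session(1, "10.0.0.5", 1, "203.0.113.10"), Session(2, "10.0.1.5", 2, None),
            Session(3, "10.0.1.200", 2, None), Session(4, "10.0.2.9", 3, None)]
```

Running `reevaluate(OLD, NEW, SESSIONS)` on the sample flags sessions 1 to 3 and keeps session 4, which is the kind of estimate worth making before a change window on a box with many established CGN sessions.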
