Hyperscale firewall policy engine enhancements
Hyperscale Firewall 7.0.6 includes a re-worked hyperscale firewall policy engine. This section describes some of the features of the new policy engine and some limitations and implementation details of how it functions.
The NP7 hyperscale firewall policy engine is also called the Policy Lookup Engine (PLE). The PLE handles processing of all hyperscale firewall policies in all hyperscale firewall VDOMs. When the hyperscale firewall policy configuration changes, the PLE compiler creates a new policy database (also called a policy set) that is used by NP7 processors to apply hyperscale firewall and carrier grade NAT (CGN) features to offloaded traffic.
Hyperscale firewall policy maximum values
The following maximum values are global limits shared by all hyperscale VDOMs; they are not per-VDOM limits. These maximum values have been tested for FortiOS 7.0.6 and may change in the future as the result of ongoing optimizations.
- The maximum number of hyperscale firewall policies allowed in the policy database: 20,000.
- The maximum number of IP-ranges specified by firewall addresses that can be added to a single hyperscale firewall policy: 2,000.
- The maximum number of IP-ranges that can be added to the firewall policy database: 32,000.
- The maximum number of port-ranges specified by firewall addresses that can be added to a single hyperscale firewall policy: 1,000.
- The maximum number of port-ranges that can be added to the firewall policy database: 4,000.
The maximum number of hyperscale firewall policies allowed in a single VDOM is still controlled by your FortiGate model's per-VDOM firewall policy limit; the 20,000 figure above is the global policy database limit, not a per-VDOM one.
Additional considerations
Whether a hyperscale policy database can be supported depends on factors that include, but are not limited to:
- The total number of hyperscale firewall policies.
- The total number of IP-ranges and port-ranges, as defined by the firewall addresses added to hyperscale firewall policies in the firewall policy database.
- The relationship between policies, such as how IP-ranges are distributed among hyperscale firewall policies.
It is possible to create a hyperscale policy database that is within the maximum values but still cannot be supported. If this happens, FortiOS reports an error when the policy database is compiled. If you receive an error during policy compilation, contact Fortinet Support for help diagnosing and correcting the problem.
You can also create a policy database that exceeds some or all of the maximum values but can be successfully compiled. If you plan to create a configuration with one or more parameters close to or above their maximum values, you should contact Fortinet Support to review your configuration before deploying it.
It is a best practice to restart your FortiGate after making significant changes to a hyperscale policy database, especially if one or more parameters are close to or above their maximum values.
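The limits above are counted per policy and across the whole database, so the cheapest way to catch an obviously oversized policy set is to tally it before pushing it to the FortiGate. The Python below is an added, illustrative pre-flight check; it is not Fortinet code and does not reproduce how the PLE compiler counts. It parses a constructed FortiOS CLI snippet using the standard `config firewall address`, `config firewall service custom` and `config firewall policy` blocks, and it assumes that one subnet or iprange address object counts as one IP-range, that each token of a service's `tcp-portrange`/`udp-portrange`/`sctp-portrange` counts as one port-range, that a policy's count is the distinct ranges across its srcaddr, dstaddr and service members, and that a range shared by several policies is counted once in the database-wide total. Because those counting rules are assumptions, a clean result is necessary but not sufficient: the compiler's verdict, and the "within limits but unsupported" case described above, still govern.

```python
"""Pre-flight tally of a FortiOS CLI snippet against the hyperscale policy
database maximums quoted for FortiOS 7.0.6. Added illustration only; the
counting rules are ASSUMPTIONS, not the PLE compiler's own accounting."""
import shlex
from collections import defaultdict

# Global (all hyperscale VDOMs) maximums from the section above.
LIMITS = {
    "policies": 20000,
    "ip_ranges_per_policy": 2000,
    "ip_ranges_total": 32000,
    "port_ranges_per_policy": 1000,
    "port_ranges_total": 4000,
}


def parse_cli(text):
    """Parse flat 'config <table> / edit <name> / set k v... / next / end'
    blocks into {table: {name: {key: [values]}}}. Sub-tables nested inside
    an edit are not handled (assumption: the input has none)."""
    tables = defaultdict(dict)
    table = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = line[len("config "):]
        elif line.startswith("edit ") and table is not None:
            entry = shlex.split(line[len("edit "):])[0]
            tables[table][entry] = defaultdict(list)
        elif line.startswith("set ") and entry is not None:
            key, *values = shlex.split(line[len("set "):])
            tables[table][entry][key].extend(values)
        elif line == "next":
            entry = None
        elif line == "end":
            table = None
    return tables


def ip_ranges(name, tables):
    """IP-ranges behind an address object (assumption: one object, one range).
    An undefined name is an error rather than a silent zero: fail closed."""
    addr = tables["firewall address"].get(name)
    if addr is None:
        raise ValueError(f"undefined address object {name!r}")
    if addr.get("type") == ["iprange"]:
        return {("iprange", addr["start-ip"][0], addr["end-ip"][0])}
    return {("subnet",) + tuple(addr["subnet"])}


def port_ranges(name, tables):
    """Port-ranges in a custom service (assumption: one token, one range;
    a 'dport:sport' token is keyed by its destination side only)."""
    svc = tables["firewall service custom"].get(name)
    if svc is None:
        raise ValueError(f"undefined service {name!r}")
    return {(proto, tok.split(":")[0])
            for proto in ("tcp-portrange", "udp-portrange", "sctp-portrange")
            for tok in svc.get(proto, [])}


def check(text):
    """Return ({policy_id: (ip_ranges, port_ranges)}, totals, problems)."""
    tables = parse_cli(text)
    per_policy, all_ip, all_port, problems = {}, set(), set(), []
    for pid, pol in tables["firewall policy"].items():
        ips = set().union(*(ip_ranges(n, tables) for n in pol["srcaddr"] + pol["dstaddr"]))
        ports = set().union(*(port_ranges(n, tables) for n in pol["service"]))
        per_policy[pid] = (len(ips), len(ports))
        all_ip |= ips
        all_port |= ports
        for kind, n in (("ip_ranges_per_policy", len(ips)), ("port_ranges_per_policy", len(ports))):
            if n > LIMITS[kind]:
                problems.append(f"policy {pid}: {n} {kind} exceeds {LIMITS[kind]}")
    totals = {"policies": len(per_policy), "ip_ranges_total": len(all_ip),
              "port_ranges_total": len(all_port)}
    problems += [f"database: {v} {k} exceeds {LIMITS[k]}" for k, v in totals.items() if v > LIMITS[k]]
    return per_policy, totals, problems


# Constructed sample: policy 2 deliberately pushes one service past the
# 1,000 port-range per-policy limit while every database-wide total stays low.
SAMPLE = f"""
config firewall address
    edit "lan"
        set subnet 10.0.0.0 255.255.255.0
    next
    edit "guests"
        set type iprange
        set start-ip 10.1.0.1
        set end-ip 10.1.0.100
    next
end
config firewall service custom
    edit "web"
        set tcp-portrange 80 443 8000-8080
    next
    edit "big-svc"
        set tcp-portrange {' '.join(str(p) for p in range(1, 1002))}
    next
end
config firewall policy
    edit 1
        set srcaddr "lan"
        set dstaddr "guests"
        set service "web"
    next
    edit 2
        set srcaddr "lan"
        set dstaddr "guests"
        set service "big-svc"
    next
end
"""
```

Running `check(SAMPLE)` flags only policy 2 (1,001 port-ranges against the 1,000 per-policy limit); the database-wide totals (2 policies, 2 IP-ranges, 1,002 distinct port-ranges) stay well inside the global limits. Address groups and service groups are not resolved here; add that before using the script on a real configuration, since groups are how a single policy usually reaches thousands of ranges.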
Hyperscale policy database complexity and performance
The complexity of your hyperscale firewall policy set affects how long it takes for your FortiGate to start up. In general, more complex policy databases result in longer start up times.
The complexity of your hyperscale firewall policy database also affects your FortiGate's hyperscale connections per second (CPS) performance. In general, more complex policy databases result in lower CPS performance.
How policy database changes are implemented while the FortiGate is processing traffic
The complexity of your hyperscale firewall policy database also affects how long it takes, after you enter a policy change, before the updated policy database can be applied to new and established sessions. This period is called the preparation time.
During the preparation time, new sessions are still evaluated with the current (old) policy database.
Access control list (ACL) policies added to a hyperscale firewall VDOM that is processing traffic may therefore take longer than expected to become effective. Until the new policy database is in place, traffic that the new ACL policy should block is still allowed, so do not treat a newly added ACL as enforced just because the configuration was accepted.
After the preparation time, new sessions are evaluated with the new policy database. Established sessions are also re-evaluated against the new policy database; the time required to re-evaluate them is called the transition time. CPS performance can be reduced during the transition time.
The transition time depends on the complexity of the hyperscale policy database, the total number of established sessions to be re-evaluated, and the rate at which the system is receiving new sessions.
During the transition time, FortiOS terminates an established session if:
- The session now matches a policy with a different policy search key (for example, a different source IP range) or a different policy action.
- The session matches the same policy, but that policy includes a resource, such as an IP pool, that dynamically assigns a value (for example, an IP address) to the session, and the policy change means that value must be returned.