Hardware Acceleration

Monitoring NP7 HPE activity

You can use the following command to generate event log messages when the NP7 host protection engine (HPE) drops packets:

config monitoring npu-hpe
    set status {disable | enable}
    set interval <interval>
    set multipliers <m1> <m2> ... <m12>
end

status: enable or disable HPE status monitoring.

interval: HPE status check interval in seconds. The range is 1 to 60 seconds. The default interval is 1 second.

multipliers: 12 space-separated multipliers that control how often an event log message is generated for each HPE packet type. They are given in the following order:

  • tcpsyn-max default 4

  • tcpsyn-ack-max default 4

  • tcpfin-rst-max default 4

  • tcp-max default 4

  • udp-max default 8

  • icmp-max default 8

  • sctp-max default 8

  • esp-max default 8

  • ip-frag-max default 8

  • ip-others-max default 8

  • arp-max default 8

  • l2-others-max default 8

For each packet type, an event log message is generated every (interval x multiplier) seconds for as long as the HPE is dropping packets of that type. With the defaults (interval 1, multiplier 8 for UDP), UDP drops are logged every 8 seconds. Increase the interval, or the multiplier for an individual type, to generate fewer event log messages.

An attack log message (the critical-level "NP7 HPE under a packets flood" event) is generated after every (4 x multiplier) consecutive event log messages for that packet type; with the UDP defaults that is 32 consecutive event logs.

Example HPE monitoring configuration

config monitoring npu-hpe
    set status enable
    set interval 2
    set multipliers 3 2 2 2 4 4 4 4 4 4 4 4
end

With this configuration the HPE status is checked every 2 seconds, TCP SYN drops are logged every 6 seconds (2 x 3), the other TCP types every 4 seconds (2 x 2), and the remaining types every 8 seconds (2 x 4).

Monitor HPE activity without dropping packets

If you have enabled monitoring with the config monitoring npu-hpe command, you can use the following command to monitor HPE activity without causing the HPE to drop packets. This is useful when testing HPE, because you can see how many packets the HPE would drop without affecting traffic.

diagnose npu np7 monitor-hpe {disable | enable}

This command is disabled by default. When it is enabled, the HPE does not drop packets but, if monitoring is enabled, still generates log messages for the packets it would have dropped. While it is enabled the HPE is not protecting the FortiGate from the packet floods it would otherwise drop, so use it for testing and disable it when you are done.

Because this is a diagnose command, the setting is not saved in the configuration: it reverts to disabled, and the HPE resumes dropping packets, when the FortiGate restarts.

Sample HPE event log messages

The following messages are shown newest first, as FortiOS lists them. Read from the bottom up: the critical logid 0100034419 message reporting a likely attack, then the warning logid 0100034418 message reporting that UDP packets are being dropped, then the warning reporting that the drops have stopped.

date=2021-01-13 time=16:00:01 eventtime=1610582401563369503 tz="-0800" logid="0100034418" type="event" subtype="system" level="warning" vd="root" logdesc="NP7 HPE is dropping packets" msg="NPU HPE module is stop dropping packet types of:udp in NP7_0."

date=2021-01-13 time=16:00:00 eventtime=1610582400562601540 tz="-0800" logid="0100034418" type="event" subtype="system" level="warning" vd="root" logdesc="NP7 HPE is dropping packets" msg="NPU HPE module is likely dropping packets of one or more of these types:udp in NP7_0."

date=2021-01-13 time=15:59:59 eventtime=1610582399558325686 tz="-0800" logid="0100034419" type="event" subtype="system" level="critical" vd="root" logdesc="NP7 HPE under a packets flood" msg="NPU HPE module is likely under attack of:udp in NP7_0."
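The following script is an added example, not Fortinet code, that ties the example configuration above to the sample log messages: it derives the per-type event-log and attack-log cadence from a config monitoring npu-hpe setting using the (interval x multiplier) and (4 x multiplier) rules stated on this page, and it parses FortiOS key=value log lines to pull out the HPE state, packet types and NP7 instance so the events can be ordered and triaged. The field names and message wording are taken from the three sample lines; the logid-to-state mapping, the comma split of multiple packet types, and the fourth (non-HPE) sample line are assumptions constructed for this example.

```python
# Added example (not Fortinet code): HPE logging cadence from a
# "config monitoring npu-hpe" setting, plus triage of the HPE event logs.
import re
from typing import Dict, List, Optional, Tuple

# The 12 packet types in the order "set multipliers" expects them (from the page).
HPE_TYPES = [
    "tcpsyn-max", "tcpsyn-ack-max", "tcpfin-rst-max", "tcp-max",
    "udp-max", "icmp-max", "sctp-max", "esp-max",
    "ip-frag-max", "ip-others-max", "arp-max", "l2-others-max",
]
DEFAULT_MULTIPLIERS = [4, 4, 4, 4, 8, 8, 8, 8, 8, 8, 8, 8]


def log_schedule(interval: int, multipliers: List[int] = DEFAULT_MULTIPLIERS) -> Dict[str, Tuple[int, int]]:
    """Per packet type: (seconds between event logs while drops continue,
    seconds of continuous drops before an attack log).  Rules from the page:
    event log every interval x multiplier seconds, attack log after
    4 x multiplier consecutive event logs."""
    if not 1 <= interval <= 60:
        raise ValueError("interval must be between 1 and 60 seconds")
    if len(multipliers) != len(HPE_TYPES) or any(m < 1 for m in multipliers):
        raise ValueError("exactly 12 positive multipliers are required")
    schedule = {}
    for name, m in zip(HPE_TYPES, multipliers):
        event_period = interval * m
        schedule[name] = (event_period, 4 * m * event_period)
    return schedule


# FortiOS log lines are key=value pairs; values containing spaces are quoted.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Packet types and NP7 instance at the end of the HPE msg text, e.g.
# "... packet types of:udp in NP7_0." or "... these types:udp in NP7_0."
TYPES_RE = re.compile(r':([^\s:]+) in (NP7_\d+)')
# logid -> state, taken from the sample lines (assumption: only these two exist).
HPE_LOGIDS = {"0100034418": "dropping", "0100034419": "attack"}


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Split one FortiOS log line into a dict, removing quotes around values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def classify_hpe_event(fields: Dict[str, str]) -> Optional[Tuple[str, List[str], str]]:
    """Return (state, packet_types, npu) for an HPE log, None for any other log.
    state is "attack" (critical flood log), "dropping" or "stopped"."""
    state = HPE_LOGIDS.get(fields.get("logid", ""))
    if state is None or not fields.get("logdesc", "").startswith("NP7 HPE"):
        return None
    msg = fields.get("msg", "")
    m = TYPES_RE.search(msg)
    if m is None:
        return None
    if state == "dropping" and "stop dropping" in msg:
        state = "stopped"
    return state, m.group(1).split(","), m.group(2)   # comma split is an assumption


def hpe_timeline(lines: List[str]) -> List[Tuple[int, str, str, List[str], str]]:
    """HPE events as (eventtime, npu, state, types, level), oldest first.
    FortiOS lists newest first, so the sort matters when reading the sequence."""
    events = []
    for line in lines:
        fields = parse_fortios_log(line)
        parsed = classify_hpe_event(fields)
        if parsed is None:
            continue
        state, types, npu = parsed
        events.append((int(fields["eventtime"]), npu, state, types, fields.get("level", "")))
    events.sort(key=lambda e: e[0])
    return events


def flooded_types(lines: List[str]) -> set:
    """(npu, packet type) pairs that reached the attack threshold."""
    return {(npu, t) for _, npu, state, types, _ in hpe_timeline(lines) if state == "attack" for t in types}


# Sample input: the three HPE lines from the page plus one constructed
# non-HPE line, to show that unrelated events are ignored.
SAMPLE_LOGS = [
    'date=2021-01-13 time=16:00:01 eventtime=1610582401563369503 tz="-0800" logid="0100034418" type="event" subtype="system" level="warning" vd="root" logdesc="NP7 HPE is dropping packets" msg="NPU HPE module is stop dropping packet types of:udp in NP7_0."',
    'date=2021-01-13 time=16:00:00 eventtime=1610582400562601540 tz="-0800" logid="0100034418" type="event" subtype="system" level="warning" vd="root" logdesc="NP7 HPE is dropping packets" msg="NPU HPE module is likely dropping packets of one or more of these types:udp in NP7_0."',
    'date=2021-01-13 time=15:59:59 eventtime=1610582399558325686 tz="-0800" logid="0100034419" type="event" subtype="system" level="critical" vd="root" logdesc="NP7 HPE under a packets flood" msg="NPU HPE module is likely under attack of:udp in NP7_0."',
    # constructed line, not an HPE event
    'date=2021-01-13 time=15:59:58 eventtime=1610582398000000000 tz="-0800" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" msg="Administrator admin logged in successfully from ssh"',
]

if __name__ == "__main__":
    for name, (every, attack) in log_schedule(2, [3, 2, 2, 2, 4, 4, 4, 4, 4, 4, 4, 4]).items():
        print(f"{name:15s} event log every {every:3d}s, attack log after {attack:4d}s of drops")
    for ts, npu, state, types, level in hpe_timeline(SAMPLE_LOGS):
        print(ts, npu, level, state, ",".join(types))
    print("flooded:", flooded_types(SAMPLE_LOGS))
```

Running the script prints the cadence table for the example configuration (TCP SYN every 6 s with an attack log after 72 s of continuous drops, UDP every 8 s with an attack log after 128 s), then the three HPE events in chronological order; the constructed admin-login line is dropped by the logid and logdesc filter. The same functions can be pointed at a FortiAnalyzer or syslog export to find which NP7 instances and packet types crossed the attack threshold.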
