Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Hyperscale Firewall Guide

Hyperscale firewall CLI changes

The following hyperscale firewall CLI commands are available:

Enable hyperscale firewall features

Use the following global command to enable hyperscale firewall features:

config system npu

set policy-offload-level full-offload

end

Use the following command to enable hyperscale firewall features for a VDOM:

config system settings

set policy-offload-level full-offload

end

Special hyperscale firewall VDOM naming convention

VDOMs in which you will be enabling hyperscale firewall features must be created with a special VDOM name that also includes a VDOM ID number.

The following option can be used to set the VDOM ID range:

config system global

set hyper-scale-vdom-num

end

By default this option is set to 250, allowing you to configure up to 250 hyperscale firewall VDOMs by setting the VDOM in the range of 1 to 250.

Use the following syntax to create a hyperscale firewall VDOM from the global CLI:

config vdom

edit <string>-hw<vdom-id>

For information about how to name hyperscale firewall VDOMs, see Creating hyperscale firewall VDOMs.

Firewall policies include hyperscale options

For any firewall policy in a hyperscale firewall VDOM, you can use the cgn-log-server-grp option to enable hyperscale firewall logging for all of the traffic accepted by the policy that is offloaded to NP7 processors.

IPv4 and NAT64 NAT hyperscale firewall policies can include the following CGN resource allocation options. You can also add CGN resource allocation IP pools to these policies.

config firewall policy

edit 1

set cgn-session-quota <quota>

set cgn-resource-quota <quots>

set cgn-eif {disable | enable}

set cgn-eim {disable | enable}

end

Firewall policies in Hyperscale VDOMs do not support UTM or NGFW features.

CGN Resource allocation IP pools

You can use the following command to configure CGN Resource allocation IP pools:

config firewall ippool

edit <name>

set type cgn-resource-allocation

set startip <ip>

set endip <ip>

set arp-reply {disable | enable}

set arp-intf <interface-name>

set cgn-spa {disable | enable}

set cgn-overload {disable | enable}

set cgn-fixedalloc {disable | enable}

set cgn-block-size <number-of-ports>

set cgn-client-startip <ip>

set cgn-client-endip <ip>

set cgn-port-start <port>

set cgn-port-end <port>

set utilization-alarm-raise <usage-threshold>

set utilization-alarm-clear <usage-threshold>

end

CGN Resource allocation IP pool groups

You can use the following command to create CGN Resource Allocation IP pool groups:

config firewall ippool_grp

edit <name>

set member <cgn-ippool> ...

end

Hardware logging

The following hardware logging commands are available:

config log npu-server

set log-processor {hardware | host}

set log-processing {may-drop | no-drop}

set netflow-ver {v9 | v10}

set syslog-facility <facility>

set syslog-severity <severity>

config server-info

edit <index>

set vdom <name>

set ip-family {v4 | v6}

set ipv4-server <ipv4-address>

set ipv6-server <ipv6-address>

set source-port <port-number>

set dest-port <port-number>

set template-tx-timeout <timeout>

end

config server-group

edit <group-name>

set log-mode {per-session | per-nat-mapping | per-session-ending}

set log-format {netflow | syslog}

set log-tx-mode {roundrobin | multicast}

set log-user-info {disable | enable}

set log-gen-event {disable | enable}

set server-number <number>

set server-start-id <number>

end

Hyperscale firewall inter-VDOM link acceleration

You apply NP7 acceleration to inter-VDOM link traffic by creating inter-VDOM links with the type set to npupair. For example:

config system vdom-link

edit <name>

set type npupair

end

Hyperscale firewall CLI changes

The following hyperscale firewall CLI commands are available:

Enable hyperscale firewall features

Use the following global command to enable hyperscale firewall features:

config system npu

set policy-offload-level full-offload

end

Use the following command to enable hyperscale firewall features for a VDOM:

config system settings

set policy-offload-level full-offload

end

Special hyperscale firewall VDOM naming convention

VDOMs in which you will be enabling hyperscale firewall features must be created with a special VDOM name that also includes a VDOM ID number.

The following option can be used to set the VDOM ID range:

config system global

set hyper-scale-vdom-num

end

By default this option is set to 250, allowing you to configure up to 250 hyperscale firewall VDOMs by setting the VDOM in the range of 1 to 250.

Use the following syntax to create a hyperscale firewall VDOM from the global CLI:

config vdom

edit <string>-hw<vdom-id>

For information about how to name hyperscale firewall VDOMs, see Creating hyperscale firewall VDOMs.

Firewall policies include hyperscale options

For any firewall policy in a hyperscale firewall VDOM, you can use the cgn-log-server-grp option to enable hyperscale firewall logging for all of the traffic accepted by the policy that is offloaded to NP7 processors.

IPv4 and NAT64 NAT hyperscale firewall policies can include the following CGN resource allocation options. You can also add CGN resource allocation IP pools to these policies.

config firewall policy

edit 1

set cgn-session-quota <quota>

set cgn-resource-quota <quots>

set cgn-eif {disable | enable}

set cgn-eim {disable | enable}

end

Firewall policies in Hyperscale VDOMs do not support UTM or NGFW features.

CGN Resource allocation IP pools

You can use the following command to configure CGN Resource allocation IP pools:

config firewall ippool

edit <name>

set type cgn-resource-allocation

set startip <ip>

set endip <ip>

set arp-reply {disable | enable}

set arp-intf <interface-name>

set cgn-spa {disable | enable}

set cgn-overload {disable | enable}

set cgn-fixedalloc {disable | enable}

set cgn-block-size <number-of-ports>

set cgn-client-startip <ip>

set cgn-client-endip <ip>

set cgn-port-start <port>

set cgn-port-end <port>

set utilization-alarm-raise <usage-threshold>

set utilization-alarm-clear <usage-threshold>

end

CGN Resource allocation IP pool groups

You can use the following command to create CGN Resource Allocation IP pool groups:

config firewall ippool_grp

edit <name>

set member <cgn-ippool> ...

end

Hardware logging

The following hardware logging commands are available:

config log npu-server

set log-processor {hardware | host}

set log-processing {may-drop | no-drop}

set netflow-ver {v9 | v10}

set syslog-facility <facility>

set syslog-severity <severity>

config server-info

edit <index>

set vdom <name>

set ip-family {v4 | v6}

set ipv4-server <ipv4-address>

set ipv6-server <ipv6-address>

set source-port <port-number>

set dest-port <port-number>

set template-tx-timeout <timeout>

end

config server-group

edit <group-name>

set log-mode {per-session | per-nat-mapping | per-session-ending}

set log-format {netflow | syslog}

set log-tx-mode {roundrobin | multicast}

set log-user-info {disable | enable}

set log-gen-event {disable | enable}

set server-number <number>

set server-start-id <number>

end

Hyperscale firewall inter-VDOM link acceleration

You apply NP7 acceleration to inter-VDOM link traffic by creating inter-VDOM links with the type set to npupair. For example:

config system vdom-link

edit <name>

set type npupair

end