Hyperscale Firewall Guide

Hyperscale firewall GUI changes

A hyperscale firewall VDOM has the following GUI changes:

Firewall policies include hyperscale options

To add a hyperscale firewall policy, go to Policy & Objects > Firewall Policy, select Create New, and configure the hyperscale firewall policy as required.

You can select Log Hyperscale SPU Offload Traffic to enable hyperscale firewall logging for all of the traffic accepted by the policy that is offloaded to NP7 processors.

IPv4 and NAT64 NAT hyperscale firewall policies can include CGN resource allocation IP Pools and other CGN options.

Firewall policies in Hyperscale VDOMs do not support UTM or NGFW features.

Note

The number of firewall policies that can be added to a hyperscale firewall VDOM is limited to 15,000. For more information, see About the 15,000 policy per hyperscale VDOM limit.

CGN and hardware logging options in a hyperscale firewall policy

IPv4 CGN resource allocation IP pools and groups

You can configure CGN resource allocation IP pools to add carrier grade NAT features to IPv4 or NAT64 hyperscale firewall policies. Go to Policy & Objects > IP Pools, select Create New > IP Pool, and set IP Pool Type to IPv4 IP Pool. Then set Type to CGN Resource Allocation and select a Mode.

You can also create CGN IP pool groups by going to Create New > CGN IP Pool Group.

Hyperscale hardware logging servers

You can set up multiple hyperscale hardware logging servers and add them to server groups. This is a global feature and all hyperscale VDOMs can use these globally configured servers. To configure hardware logging, from the Global GUI, go to Log & Report > Hyperscale SPU Offload Log Settings.
