Fortinet white logo
Fortinet white logo

Hyperscale Firewall Guide

Hyperscale firewall 7.2.3 incompatibilities and limitations

Hyperscale firewall 7.2.3 incompatibilities and limitations

Hyperscale firewall for FortiOS 7.2.3 has the following limitations and incompatibilities with FortiOS features:

  • Proxy or flow based inspection is not supported. You cannot include security profiles in hyperscale firewall policies.
  • Single-sign-on authentication including FSSO and RSSO is not supported. Other types of authentication are supported.
  • IPsec VPN is not supported. You cannot create hyperscale firewall policies where one of the interfaces is an IPsec VPN interface.
  • Hyperscale firewall VDOMs do not support Central NAT.
  • Hyperscale firewall VDOMs do not support Policy-based NGFW Mode.
  • Hyperscale firewall VDOMs must be NAT mode VDOMs. Hyperscale firewall features are not supported for transparent mode VDOMs.

  • Hyperscale firewall VDOMs do not support traffic shaping policies or profiles. Only outbandwidth traffic shaping is supported for hyperscale firewall VDOMs.

  • Traffic shaping with queuing using the NP7 QTM module is not compatible with carrier-grade NAT and hyperscale firewall features. See NP7 traffic shaping.
  • Hyperscale firewall VDOMs do not support traffic that requires session helpers or ALGs (for example, FTP, TFTP, SIP, MGCP, H.323, PPTP, L2TP, ICMP Error/IP-options, PMAP, TNS, DCE-RPC, RAS, and RSH).

  • Active-Active FGCP HA and FGSP do not support HA hardware session synchronization. Active-passive FGCP HA and virtual clustering do support FGCP HA hardware session synchronization.
  • Asymmetric sessions are not supported.
  • ECMP usage-based load balancing is not supported. Traffic is not directed to routes with lower spillover-thresholds.
  • The Sessions dashboard widget does not display hyperscale firewall sessions.
  • Interface device identification should not be enabled on interfaces that send or receive hyperscale firewall traffic.
  • The proxy action is not supported for DoS policy anomalies when your FortiGate is licensed for hyperscale firewall features. When you activate a hyperscale firewall license, the proxy option is removed from the CLI of both hyperscale VDOMs and normal VDOMs.

  • Access control list (ACL) policies added to a hyperscale firewall VDOM that is processing traffic may take longer than expected to become effective. During a transition period, traffic that should be blocked by the new ACL policy will be allowed.

  • During normal operation, UDP sessions from protocols that use FortiOS session helpers are processed by the CPU. After an FGCP HA failover, when the UDP session helper sessions are re-established, they will not be identified as session helper sessions and instead will be offloaded to the NP7 processors.

  • When operating an FGCP HA cluster with session synchronization enabled, some of the sessions accepted by an IPv4 or a NAT64 hyperscale firewall policy with an overload IP pool may not be synchronized to the secondary FortiGate. Some sessions are not synchronized because of resource conflicts and retries. The session loss rate depends on the percentage of resource retries during session setup. You can reduce the session loss by making sure the IP pool has as many IP addresses and ports as possible.

  • If hardware logging is configured to send log messages directly from NP7 processors (log-processor is set to hardware) (also called log2hw) and the log server group is configured to send log messages at the start and end of each session (log-mode is set to per-session), hardware logging may send multiple session start log messages, each with a different start time. Creating multiple session start log messages is a limitation of NP7 processor hardware logging, caused by the NP7 processor creating extra session start messages if session updates occur. You can work around this issue by:

    • Setting log-mode to per-session-ending. This setting creates a single log message when the session ends. This log message records the time the session ended as well as the duration of the session. This information can be used to calculate the session start time.

    • Setting log-processor to host (also called log2host). Host hardware logging removes duplicate log start messages created by the NP7 processor. Host logging may reduce performance.

  • The following options are not supported for IPv4 firewall VIPs (configured with the config firewall vip command) in hyperscale firewall VDOMs: src-filter, service, nat44, nat46, nat-source-vip, arp-reply, portforward, and srcintf-filter.

  • The following options are not supported for port forwarding IPv6 firewall VIPs (configured with the config firewall vip6 command) in hyperscale firewall VDOMs: src-filter, nat-source-vip, arp-reply, portforward, nat66, and nat64.

    Note

    Even though the arp-reply CLI option is not supported for IPv4 and IPv6 firewall VIPs, responding to ARP requests for IP addresses in a virtual IP is supported. What is not supported is using the arp-reply option to disable responding to an ARP request.

Hyperscale firewall 7.2.3 incompatibilities and limitations

Hyperscale firewall 7.2.3 incompatibilities and limitations

Hyperscale firewall for FortiOS 7.2.3 has the following limitations and incompatibilities with FortiOS features:

  • Proxy or flow based inspection is not supported. You cannot include security profiles in hyperscale firewall policies.
  • Single-sign-on authentication including FSSO and RSSO is not supported. Other types of authentication are supported.
  • IPsec VPN is not supported. You cannot create hyperscale firewall policies where one of the interfaces is an IPsec VPN interface.
  • Hyperscale firewall VDOMs do not support Central NAT.
  • Hyperscale firewall VDOMs do not support Policy-based NGFW Mode.
  • Hyperscale firewall VDOMs must be NAT mode VDOMs. Hyperscale firewall features are not supported for transparent mode VDOMs.

  • Hyperscale firewall VDOMs do not support traffic shaping policies or profiles. Only outbandwidth traffic shaping is supported for hyperscale firewall VDOMs.

  • Traffic shaping with queuing using the NP7 QTM module is not compatible with carrier-grade NAT and hyperscale firewall features. See NP7 traffic shaping.
  • Hyperscale firewall VDOMs do not support traffic that requires session helpers or ALGs (for example, FTP, TFTP, SIP, MGCP, H.323, PPTP, L2TP, ICMP Error/IP-options, PMAP, TNS, DCE-RPC, RAS, and RSH).

  • Active-Active FGCP HA and FGSP do not support HA hardware session synchronization. Active-passive FGCP HA and virtual clustering do support FGCP HA hardware session synchronization.
  • Asymmetric sessions are not supported.
  • ECMP usage-based load balancing is not supported. Traffic is not directed to routes with lower spillover-thresholds.
  • The Sessions dashboard widget does not display hyperscale firewall sessions.
  • Interface device identification should not be enabled on interfaces that send or receive hyperscale firewall traffic.
  • The proxy action is not supported for DoS policy anomalies when your FortiGate is licensed for hyperscale firewall features. When you activate a hyperscale firewall license, the proxy option is removed from the CLI of both hyperscale VDOMs and normal VDOMs.

  • Access control list (ACL) policies added to a hyperscale firewall VDOM that is processing traffic may take longer than expected to become effective. During a transition period, traffic that should be blocked by the new ACL policy will be allowed.

  • During normal operation, UDP sessions from protocols that use FortiOS session helpers are processed by the CPU. After an FGCP HA failover, when the UDP session helper sessions are re-established, they will not be identified as session helper sessions and instead will be offloaded to the NP7 processors.

  • When operating an FGCP HA cluster with session synchronization enabled, some of the sessions accepted by an IPv4 or a NAT64 hyperscale firewall policy with an overload IP pool may not be synchronized to the secondary FortiGate. Some sessions are not synchronized because of resource conflicts and retries. The session loss rate depends on the percentage of resource retries during session setup. You can reduce the session loss by making sure the IP pool has as many IP addresses and ports as possible.

  • If hardware logging is configured to send log messages directly from NP7 processors (log-processor is set to hardware) (also called log2hw) and the log server group is configured to send log messages at the start and end of each session (log-mode is set to per-session), hardware logging may send multiple session start log messages, each with a different start time. Creating multiple session start log messages is a limitation of NP7 processor hardware logging, caused by the NP7 processor creating extra session start messages if session updates occur. You can work around this issue by:

    • Setting log-mode to per-session-ending. This setting creates a single log message when the session ends. This log message records the time the session ended as well as the duration of the session. This information can be used to calculate the session start time.

    • Setting log-processor to host (also called log2host). Host hardware logging removes duplicate log start messages created by the NP7 processor. Host logging may reduce performance.

  • The following options are not supported for IPv4 firewall VIPs (configured with the config firewall vip command) in hyperscale firewall VDOMs: src-filter, service, nat44, nat46, nat-source-vip, arp-reply, portforward, and srcintf-filter.

  • The following options are not supported for port forwarding IPv6 firewall VIPs (configured with the config firewall vip6 command) in hyperscale firewall VDOMs: src-filter, nat-source-vip, arp-reply, portforward, nat66, and nat64.

    Note

    Even though the arp-reply CLI option is not supported for IPv4 and IPv6 firewall VIPs, responding to ARP requests for IP addresses in a virtual IP is supported. What is not supported is using the arp-reply option to disable responding to an ARP request.