
Hyperscale Firewall Guide

Enabling hyperscale firewall features

Use the following global command to enable hyperscale firewall features for your FortiGate:

config global
    config system npu
        set policy-offload-level full-offload
    end

Once you have enabled global hyperscale firewall features, you must edit each hyperscale firewall VDOM and use the following command to enable hyperscale firewall features for that VDOM:

config system settings
    set policy-offload-level full-offload
end

Note

On a FortiGate-4800F or 4801F, in addition to enabling full-offload for the hyperscale firewall VDOM, you also need to assign an NP7 processor group to the hyperscale firewall VDOM:

config system settings
    set policy-offload-level full-offload
    set npu-group-id {0 | 1 | 2 | 3}
end

You need to assign the NP7 processor group before adding any interfaces to the hyperscale firewall VDOM. Assigning an NP7 processor group is required because of the NP7 configuration of the FortiGate 4800F and 4801F. For more information, see Assigning an NP7 processor group to a hyperscale firewall VDOM.

On a FortiGate 4800F or 4801F, hyperscale hardware logging can only send logs to interfaces in the same NP7 processor group as the NP7 processors that are handling the hyperscale sessions.

This means that hyperscale hardware logging servers must include a hyperscale firewall VDOM. This VDOM must be assigned the same NP7 processor group as the hyperscale firewall VDOM that is processing the hyperscale traffic being logged. This can be the same hyperscale VDOM or another hyperscale firewall VDOM that is assigned the same NP7 processor group. For more information, see NP7 processor groups and hyperscale hardware logging.

The following options are available for the policy-offload-level command:

disable: disables hyperscale firewall features and disables offloading DoS policy sessions to NP7 processors for this VDOM. All sessions are initiated by the CPU. Sessions that can be offloaded are sent to NP7 processors. This is the default setting.

dos-offload: offloads DoS policy sessions to NP7 processors for this VDOM. All other sessions are initiated by the CPU. Sessions that can be offloaded are sent to NP7 processors.

full-offload: enables hyperscale firewall features for the current hyperscale firewall VDOM. This option is only available if the FortiGate is licensed for hyperscale firewall features. DoS policy sessions are also offloaded to NP7 processors. All other sessions are initiated by the CPU. Sessions that can be offloaded are sent to NP7 processors.

Note

For more information about DoS policy hardware acceleration and how it varies depending on the policy offload level, see DoS policy hardware acceleration.
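As an added check, not Fortinet's own tooling: a small Python script that parses a FortiOS-style configuration backup and reports hyperscale VDOMs whose full-offload setting is not backed by the global NPU setting above, or (when modelling a FortiGate-4800F or 4801F) that have no npu-group-id assigned. The sample configuration, the VDOM names, and the handling of config/edit/set/end nesting are assumptions made for this example.

```python
# Added example (not Fortinet's code); SAMPLE_CONFIG is constructed, not a real backup.
SAMPLE_CONFIG = """\
config global
    config system npu
        set policy-offload-level full-offload
    end
end
config vdom
    edit hs-vdom1
        config system settings
            set policy-offload-level full-offload
            set npu-group-id 1
        end
    next
    edit hs-vdom2
        config system settings
            set policy-offload-level full-offload
        end
    next
end
"""
def parse_offload_settings(text):
    # Returns (global policy-offload-level, {vdom name: {setting: value}}).
    stack, vdom, global_level, vdoms = [], None, "disable", {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[7:])
        elif line == "end":
            stack.pop()
        elif line.startswith("edit ") and stack[-1:] == ["vdom"]:
            vdom = line[5:]
            vdoms.setdefault(vdom, {"policy-offload-level": "disable"})  # CLI default
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            if stack[-2:] == ["global", "system npu"] and key == "policy-offload-level":
                global_level = value
            elif stack[-1:] == ["system settings"] and vdom:
                vdoms[vdom][key] = value
    return global_level, vdoms
def find_issues(text, needs_npu_group=False):
    # needs_npu_group=True models a FortiGate-4800F/4801F, where npu-group-id is required.
    global_level, vdoms = parse_offload_settings(text)
    hs = {n: s for n, s in vdoms.items() if s["policy-offload-level"] == "full-offload"}
    issues = [f"{n}: full-offload set but global NPU level is {global_level}"
              for n in hs if global_level != "full-offload"]
    issues += [f"{n}: hyperscale VDOM has no npu-group-id assigned"
               for n, s in hs.items() if needs_npu_group and "npu-group-id" not in s]
    return issues
```

Run find_issues over a saved configuration before adding interfaces to a new hyperscale VDOM, since the page requires the NP7 group to be assigned first.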
