Monitoring NP7 HPE activity
You can use the following command to generate event log messages when the NP7 HPE blocks packets:
config monitoring npu-hpe
set status {disable | enable}
set interval <interval>
set multipliers <m1> <m2> ... <m12>
end
status
enable or disable HPE status monitoring.
interval
HPE status check interval in seconds. The range is 1 to 60 seconds. The default interval is 1 second.
multipliers
set 12 multipliers to control how often an event log message is generated for each HPE packet type. The multipliers must be given in the following order (default value in parentheses):
- tcpsyn-max (default 4)
- tcpsyn-ack-max (default 4)
- tcpfin-rst-max (default 4)
- tcp-max (default 4)
- udp-max (default 8)
- icmp-max (default 8)
- sctp-max (default 8)
- esp-max (default 8)
- ip-frag-max (default 8)
- ip-others-max (default 8)
- arp-max (default 8)
- l2-others-max (default 8)
An event log message is generated every (interval x multiplier) seconds for each HPE packet type while drops occur for that type. Increase the interval or the individual multipliers to generate fewer event log messages.
An attack log message is generated after every (4 x multiplier) continuous event log messages for the same packet type.
Example HPE monitoring configuration
config monitoring npu-hpe
set status enable
set interval 2
set multipliers 3 2 2 2 4 4 4 4 4 4 4 4
end
Monitor HPE activity without dropping packets
If you have enabled monitoring using the config monitoring npu-hpe command, you can use the following command to monitor HPE activity without causing the HPE to drop packets. This can be useful when testing HPE, because it shows how many packets the HPE would be dropping without actually affecting traffic.
diagnose npu np7 monitor-hpe {disable | enable}
This command is disabled by default. If you enable it, the HPE will not drop packets but, if monitoring is enabled, it will still create log messages for the packets that would have been dropped. While it is enabled the HPE is not protecting the FortiGate from packet floods, so use it only for testing and disable it again once you have tuned the HPE thresholds.
Since this is a diagnose command, monitoring the HPE without dropping packets is disabled again when the FortiGate restarts.
Sample HPE event log messages
The following messages are shown newest first, as the FortiGate displays them. The warning-level messages (logid 0100034418) are the event logs that report the HPE starting and stopping to drop a packet type; the critical-level message (logid 0100034419) is the attack log.
date=2021-01-13 time=16:00:01 eventtime=1610582401563369503 tz="-0800" logid="0100034418" type="event" subtype="system" level="warning" vd="root" logdesc="NP7 HPE is dropping packets" msg="NPU HPE module is stop dropping packet types of:udp in NP7_0."
date=2021-01-13 time=16:00:00 eventtime=1610582400562601540 tz="-0800" logid="0100034418" type="event" subtype="system" level="warning" vd="root" logdesc="NP7 HPE is dropping packets" msg="NPU HPE module is likely dropping packets of one or more of these types:udp in NP7_0."
date=2021-01-13 time=15:59:59 eventtime=1610582399558325686 tz="-0800" logid="0100034419" type="event" subtype="system" level="critical" vd="root" logdesc="NP7 HPE under a packets flood" msg="NPU HPE module is likely under attack of:udp in NP7_0."
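The following Python script is an added example and is not part of FortiOS or the original page. It parses FortiGate key=value log lines such as the three above, separates HPE event logs from HPE attack logs by logid, extracts the packet type and NP7 unit from the msg field, and computes, from a given interval and multiplier list, how often event and attack logs will be generated per HPE type. The only assumption not taken from the page is that several packet types would appear comma-separated after the colon in msg; the sample log lines are constructed copies of the three messages shown above.

```python
"""Parse FortiGate NP7 HPE log messages and compute the expected log cadence.

Added example, not FortiOS code. logids, field names and msg wording come from
the sample messages on this page; the comma-separated type list is an assumption.
"""
import re
from collections import Counter

# logids as they appear in the sample messages
LOGID_HPE_DROPPING = "0100034418"  # "NP7 HPE is dropping packets" (event log, warning)
LOGID_HPE_FLOOD = "0100034419"     # "NP7 HPE under a packets flood" (attack log, critical)

# the 12 HPE packet types in the order 'set multipliers' expects them
HPE_TYPES = [
    "tcpsyn-max", "tcpsyn-ack-max", "tcpfin-rst-max", "tcp-max",
    "udp-max", "icmp-max", "sctp-max", "esp-max",
    "ip-frag-max", "ip-others-max", "arp-max", "l2-others-max",
]
DEFAULT_MULTIPLIERS = [4, 4, 4, 4, 8, 8, 8, 8, 8, 8, 8, 8]

# constructed sample input: the three messages shown on this page, newest first
SAMPLE_LOGS = [
    'date=2021-01-13 time=16:00:01 eventtime=1610582401563369503 tz="-0800" logid="0100034418" type="event" subtype="system" level="warning" vd="root" logdesc="NP7 HPE is dropping packets" msg="NPU HPE module is stop dropping packet types of:udp in NP7_0."',
    'date=2021-01-13 time=16:00:00 eventtime=1610582400562601540 tz="-0800" logid="0100034418" type="event" subtype="system" level="warning" vd="root" logdesc="NP7 HPE is dropping packets" msg="NPU HPE module is likely dropping packets of one or more of these types:udp in NP7_0."',
    'date=2021-01-13 time=15:59:59 eventtime=1610582399558325686 tz="-0800" logid="0100034419" type="event" subtype="system" level="critical" vd="root" logdesc="NP7 HPE under a packets flood" msg="NPU HPE module is likely under attack of:udp in NP7_0."',
]

# key=value pairs; quoted values may contain spaces, unquoted ones may not
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# the packet type list sits between the last ':' and ' in NP7_<n>.'
TYPES_RE = re.compile(r":([^:\s]+) in (NP7_\d+)\.?$")


def parse_kv(line):
    """Split one FortiGate log line into a dict of field -> value."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def classify(rec):
    """Map a parsed record to an HPE event, or None if it is not an HPE log."""
    logid = rec.get("logid")
    if logid not in (LOGID_HPE_DROPPING, LOGID_HPE_FLOOD):
        return None
    msg = rec.get("msg", "")
    match = TYPES_RE.search(msg)
    if logid == LOGID_HPE_FLOOD:
        state = "flood"          # attack log: threshold exceeded for (4 x multiplier) event logs
    elif "stop dropping" in msg:
        state = "stopped"        # event log: HPE no longer dropping this type
    else:
        state = "dropping"       # event log: HPE is (likely) dropping this type
    return {
        "eventtime": int(rec["eventtime"]),
        "state": state,
        "types": match.group(1).split(",") if match else [],  # assumption: comma-separated
        "npu": match.group(2) if match else None,
    }


def hpe_events(lines):
    """Return HPE events in chronological order (the FortiGate shows newest first)."""
    events = [e for e in (classify(parse_kv(line)) for line in lines) if e]
    return sorted(events, key=lambda e: e["eventtime"])


def flood_types(lines):
    """Count (NPU, packet type) pairs that produced an attack log."""
    counts = Counter()
    for event in hpe_events(lines):
        if event["state"] == "flood":
            for packet_type in event["types"]:
                counts[(event["npu"], packet_type)] += 1
    return counts


def log_cadence(interval, multipliers=DEFAULT_MULTIPLIERS):
    """Per HPE type: seconds between event logs, and seconds of continuous drops before an attack log."""
    if not 1 <= interval <= 60:
        raise ValueError("interval must be 1..60 seconds")
    if len(multipliers) != 12:
        raise ValueError("exactly 12 multipliers are required")
    cadence = {}
    for name, mult in zip(HPE_TYPES, multipliers):
        event_period = interval * mult           # one event log every (interval x multiplier) s
        attack_after = event_period * 4 * mult   # attack log after (4 x multiplier) continuous event logs
        cadence[name] = (event_period, attack_after)
    return cadence


if __name__ == "__main__":
    for event in hpe_events(SAMPLE_LOGS):
        print(event)
    for name, (ev, atk) in log_cadence(2, [3, 2, 2, 2, 4, 4, 4, 4, 4, 4, 4, 4]).items():
        print(f"{name:15} event log every {ev:3d} s, attack log after {atk:4d} s of continuous drops")
```

With the example configuration above (interval 2, multipliers 3 2 2 2 4 ...), tcpsyn-max produces an event log every 6 seconds and an attack log after 12 continuous event logs, that is after 72 seconds of uninterrupted SYN drops; with the defaults, udp-max logs every 8 seconds and reaches the attack log after 256 seconds. Feeding the parser real log exports lets you check that the volume you see matches what the configured interval and multipliers predict.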