Fortinet white logo
Fortinet white logo

FortiGate-7000F Administration Guide

FortiGate-7000F NP7 processors support offloading DoS policies

FortiGate-7000F NP7 processors support offloading DoS policies

The FortiGate-7000F supports using the NP7 processors in the FPMs to offload DoS firewall policy sessions. DoS policies are offloaded when the policy-offload-level option of the cofig system npu command is set to dos-ofload:

config system npu

set policy-offload-level {dos-offload | full-offload}

config dos-options

set npu-dos-meter-mode {global | local}

set npu-dos-tpe-mode {disable | enable}

end

Note

This configuration is only available for the FortiGate-7000F. The FortiGate-7000F does not support hyperscale firewall features (you cannot set policy-offload-level to full-offload).

disable is the default setting. Offloading DoS policy sessions to NP7 processors is disabled. All sessions are initiated by the CPU. Sessions that can be offloaded are sent to the NP7 processors in the FPMs.

dos-offload offload DoS policy sessions to the NP7 processors in the FPMs. All other sessions are initiated by the CPU. Sessions that can be offloaded are sent to NP7 processors in the FPMs.

npu-dos-meter-mode select global (the default) to configure DoS metering across all NP7 processors. Select local to configure metering per NP7 processor.

DoS metering controls how the threshold for each configured anomaly is distributed among NP7 processors. For example, for an FPM with two NP7 processors and the tcp_syn_flood anomaly threshold set to 400. If npu-dos-meter-mode is set to global, the threshold of 400 is divided between the NP7 processors and the tcp_syn_flood threshold would be set to 200 for each NP7 (for a total threshold of 400 for the FPM). If npu-dos-meter-mode is set to local, then each NP7 would have a threshold of 400 (for a total threshold of 800 for a the FPM).

npu-dos-tpe-mode select enable (the default) to insert the dos meter ID into the session table. Select disable if you don't want to insert the DoS meter into the session table. If set to enable, UDP_FLOOD and ICMP_FLOOD DoS protection applies to offloaded sessions. If set to disable, UDP_FLOOD and ICMP_FLOOD DoS protection will not apply to offloaded sessions.

FortiGate-7000F NP7 processors support offloading DoS policies

FortiGate-7000F NP7 processors support offloading DoS policies

The FortiGate-7000F supports using the NP7 processors in the FPMs to offload DoS firewall policy sessions. DoS policies are offloaded when the policy-offload-level option of the cofig system npu command is set to dos-ofload:

config system npu

set policy-offload-level {dos-offload | full-offload}

config dos-options

set npu-dos-meter-mode {global | local}

set npu-dos-tpe-mode {disable | enable}

end

Note

This configuration is only available for the FortiGate-7000F. The FortiGate-7000F does not support hyperscale firewall features (you cannot set policy-offload-level to full-offload).

disable is the default setting. Offloading DoS policy sessions to NP7 processors is disabled. All sessions are initiated by the CPU. Sessions that can be offloaded are sent to the NP7 processors in the FPMs.

dos-offload offload DoS policy sessions to the NP7 processors in the FPMs. All other sessions are initiated by the CPU. Sessions that can be offloaded are sent to NP7 processors in the FPMs.

npu-dos-meter-mode select global (the default) to configure DoS metering across all NP7 processors. Select local to configure metering per NP7 processor.

DoS metering controls how the threshold for each configured anomaly is distributed among NP7 processors. For example, for an FPM with two NP7 processors and the tcp_syn_flood anomaly threshold set to 400. If npu-dos-meter-mode is set to global, the threshold of 400 is divided between the NP7 processors and the tcp_syn_flood threshold would be set to 200 for each NP7 (for a total threshold of 400 for the FPM). If npu-dos-meter-mode is set to local, then each NP7 would have a threshold of 400 (for a total threshold of 800 for a the FPM).

npu-dos-tpe-mode select enable (the default) to insert the dos meter ID into the session table. Select disable if you don't want to insert the DoS meter into the session table. If set to enable, UDP_FLOOD and ICMP_FLOOD DoS protection applies to offloaded sessions. If set to disable, UDP_FLOOD and ICMP_FLOOD DoS protection will not apply to offloaded sessions.