Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Hardware Acceleration

    Home FortiGate / FortiOS 7.4.2 Hardware Acceleration
    7.4.2
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.6
    6.4.5
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.9
    6.2.7
    6.0.18
    6.0.17
    6.0.16
    6.0.15
    6.0.14
    5.6.0

    DoS policy hardware acceleration

    DoS policy hardware acceleration

    DoS policy hardware acceleration offloads processing required for IPv4 and IPv6 DoS policies, interface policies, and access control list (ACL) policies to NP7 processors. Sessions for these types of policies bypass the CPU and are sent directly to NP7 processors.

    Use the following command to enable DoS policy offloading:

    config system settings

    set policy-offload-level dos-offload

    end

    This command enable DoS policy hardware acceleration for the FortiGate or for the current VDOM if multiple VDOMs are enabled.

    You can also use the following command to configure some DoS policy hardware acceleration options:

    config system npu

    config dos-options

    set npu-dos-meter-mode {global | local}

    set npu-dos-tpe-mode {disable | enable}

    end

    npu-dos-meter-mode select global (the default) to configure DoS metering across all NP7 processors. Select local to configure metering per NP7 processor.

    DoS metering controls how the threshold for each configured anomaly is distributed among NP7 processors. For example, for a FortiGate with four NP7 processors and the tcp_syn_flood anomaly threshold set to 400. If npu-dos-meter-mode is set to global, the threshold of 400 is divided between the NP7 processors and the tcp_syn_flood threshold would be set to 100 for each NP7 (for a total threshold of 400 for the FortiGate). If npu-dos-meter-mode is set to local, then each NP7 would have a threshold of 400 (for a total threshold of 1600 for a FortiGate with four NP7 processors).

    npu-dos-tpe-mode select enable (the default) to insert the dos meter ID into the session table. Select disable if you don't want to insert the DoS meter into the session table. If set to enable, UDP_FLOOD and ICMP_FLOOD DoS protection applies to offloaded sessions. If set to disable, UDP_FLOOD and ICMP_FLOOD DoS protection will not apply to offloaded sessions.

    NP7 DoS offloading does not offload processing for all DoS policy anomalies. The following table shows that some anomaly sessions are offloaded to NP7 processors and some are handled by the CPU. In addition, when full-offload is enabled, more types of anomaly processing are handled by NP7 processors than when dos-offload is selected.

    NP7 processors offload DoS sessions differently depending on the policy offload level:

    DoS policy anomaly dos-offload selected full-offload selected
    tcp_syn_flood NP7 NP7
    tcp_port_scan NP7 NP7
    tcp_src_session NP7 NP7
    tcp_dst_session NP7 NP7
    udp_flood NP7 NP7
    udp_scan CPU NP7
    udp_src_session CPU NP7
    udp_dst_session CPU NP7
    icmp_flood NP7 NP7
    icmp_sweep CPU CPU
    icmp_src_session CPU CPU
    icmp_dst_session CPU CPU
    ip_src_session TCP sessions are offloaded to NP7 processors. Other sessions are handled by the CPU. TCP and UDP sessions are offloaded to NP7 processors. Other sessions are handled by the CPU.
    ip_dst_session TCP sessions are offloaded to NP7 processors. Other sessions are handled by the CPU. TCP and UDP sessions are offloaded to NP7 processors. Other sessions are handled by the CPU.
    sctp_flood CPU, because the NP7 processor can only send sctp-init packets to MSE CPU
    sctp_scan CPU CPU
    sctp_src_session CPU CPU
    sctp_dst_session CPU CPU
    Previous
    Next

    DoS policy hardware acceleration

    DoS policy hardware acceleration

    DoS policy hardware acceleration offloads processing required for IPv4 and IPv6 DoS policies, interface policies, and access control list (ACL) policies to NP7 processors. Sessions for these types of policies bypass the CPU and are sent directly to NP7 processors.

    Use the following command to enable DoS policy offloading:

    config system settings

    set policy-offload-level dos-offload

    end

    This command enable DoS policy hardware acceleration for the FortiGate or for the current VDOM if multiple VDOMs are enabled.

    You can also use the following command to configure some DoS policy hardware acceleration options:

    config system npu

    config dos-options

    set npu-dos-meter-mode {global | local}

    set npu-dos-tpe-mode {disable | enable}

    end

    npu-dos-meter-mode select global (the default) to configure DoS metering across all NP7 processors. Select local to configure metering per NP7 processor.

    DoS metering controls how the threshold for each configured anomaly is distributed among NP7 processors. For example, for a FortiGate with four NP7 processors and the tcp_syn_flood anomaly threshold set to 400. If npu-dos-meter-mode is set to global, the threshold of 400 is divided between the NP7 processors and the tcp_syn_flood threshold would be set to 100 for each NP7 (for a total threshold of 400 for the FortiGate). If npu-dos-meter-mode is set to local, then each NP7 would have a threshold of 400 (for a total threshold of 1600 for a FortiGate with four NP7 processors).

    npu-dos-tpe-mode select enable (the default) to insert the dos meter ID into the session table. Select disable if you don't want to insert the DoS meter into the session table. If set to enable, UDP_FLOOD and ICMP_FLOOD DoS protection applies to offloaded sessions. If set to disable, UDP_FLOOD and ICMP_FLOOD DoS protection will not apply to offloaded sessions.

    NP7 DoS offloading does not offload processing for all DoS policy anomalies. The following table shows that some anomaly sessions are offloaded to NP7 processors and some are handled by the CPU. In addition, when full-offload is enabled, more types of anomaly processing are handled by NP7 processors than when dos-offload is selected.

    NP7 processors offload DoS sessions differently depending on the policy offload level:

    DoS policy anomaly dos-offload selected full-offload selected
    tcp_syn_flood NP7 NP7
    tcp_port_scan NP7 NP7
    tcp_src_session NP7 NP7
    tcp_dst_session NP7 NP7
    udp_flood NP7 NP7
    udp_scan CPU NP7
    udp_src_session CPU NP7
    udp_dst_session CPU NP7
    icmp_flood NP7 NP7
    icmp_sweep CPU CPU
    icmp_src_session CPU CPU
    icmp_dst_session CPU CPU
    ip_src_session TCP sessions are offloaded to NP7 processors. Other sessions are handled by the CPU. TCP and UDP sessions are offloaded to NP7 processors. Other sessions are handled by the CPU.
    ip_dst_session TCP sessions are offloaded to NP7 processors. Other sessions are handled by the CPU. TCP and UDP sessions are offloaded to NP7 processors. Other sessions are handled by the CPU.
    sctp_flood CPU, because the NP7 processor can only send sctp-init packets to MSE CPU
    sctp_scan CPU CPU
    sctp_src_session CPU CPU
    sctp_dst_session CPU CPU
    Previous
    Next