Configuring NP7 processors
You can use the config system npu
command to configure a wide range of settings for the NP7 processors in your FortiGate, including adjusting session accounting and session timeouts. As well you can set anomaly checking for IPv4 and IPv6 traffic.
More options for configuring NP7 processors are available if your FortiGate is licensed for Hyperscale firewall features. This section includes information about all of the hyperscale-specific NP7 processor options.
FortiGates with hyperscale firewall licenses also allow you to enable and adjust Host Protection Engine (HPE) settings to protect networks from DoS attacks by categorizing incoming packets based on packet rate and processing cost and applying packet shaping to packets that can cause DoS attacks.
The settings that you configure with the config system npu
command apply to all NP7 processors and traffic processed by all interfaces connected to NP7 processors. This includes the physical interfaces connected to the NP7 processors as well as all VLAN interfaces, IPsec interfaces, LAGs, and so on associated with the physical interfaces connected to the NP7 processors.
config system npu
set dedicated-management-cpu {disable | enable}
set ipsec-ob-np-sel {rr | Packet | Hash}
set npu-group-effective-scope { 0 | 1 | 2 | 3 | 255}
set hash-config {src-dst-ip | 5-tuple | scr-ip}
set pba-eim {disallow | allow}
set ippool-overload-low <threshold>
set ippool-overload-high <threshold>
set dse-timeout <seconds>
set hw-ha-scan-interval <seconds>
set ple-non-syn-tcp-action {drop | forward}
set tcp-rst-timeout <timeout>
set default-tcp-refresh-dir {both | outgoing | incoming}
set default-udp-refresh-dir {both | outgoing | incoming}
set prp-session-clear-mode {blocking | non-blocking | do-not-clear}
set spa-port-select-mode (direct | random}
set pba-port-select-mode (direct | random}
set spa-port-select-mode
set pba-port-select-mode
set napi-break-interval <interval>
set nss-threads-option {4T-EIF | 4T-NOEIF | 2T}
set capwap-offload {disable | enable}
set vxlan-offload {disable | enable}
set default-qos-type policing
set shaping-stats {disable | enable}
set gtp-support {disable | enable}
set per-session-accounting {disable | enable | traffic-log-only}
set session-acct-interval <seconds>
set per-policy-accounting {disable | enable}
set max-session-timeout <seconds>
set hash-tbl-spread {disable | enable}
set vlan-lookup-cache {disable | enable}
set ip-fragment-offload {disable | enable}
set htx-icmp-csum-chk {drop | pass}
set htab-msg-queue {data | idle | dedicated}
set htab-dedi-queue-nr <number-of-queues>
set qos-mode {disable | piority | round-robin}
set inbound-dscp-copy-port <interface> [<interface> ...]
set double-level-mcast-offload {disable | enable}
set qtm-buf-mode {6ch | 4ch}
set max-receive-unit <unit>
set ull-port-mode {10G | 25G}
config port-npu-map
edit <interface-name>
set npu-group-index <index>
config port-path-option
set ports-using-npu {ha1 ha2 aux1 aux2}
config dos-options
set npu-dos-meter-mode {global | local}
set npu-dos-tpe-mode {disable | enable}
config tcp-timeout-profile
edit {5 | 6 | 7 | ... | 47}
set tcp-idle <seconds>
set fin-wait <seconds>
set close-wait <seconds>
set time-wait <seconds>
set syn-sent <seconds>
set syn-wait <seconds>
config udp-timeout-profile
edit {5 | 6 | 7 | ... | 63}
set udp-idle <seconds>
config background-sse-scan
set scan {disable | enable}
set scan-stale {0 | 1}
set scan-vt <bit>.
set stats-update-interval <interval>
set stats-qual-access <qualification>
set stats-qual-duration <duration>
set udp-keepalive-interval <interval>
set udp-qual-access <qualification>
set udp-qual-duration <qualification>
config sse-ha-scan configure driver HA scan for SSE.
set gap Scanning message gap(0~32767, default 200)
config hpe
set all-protocol <packets-per-second> Maximum packet rate of each host queue except high priority traffic(1K - 32M pps, default = 400K pps), set 0 to disable.
set tcpsyn-max <packets-per-second>
set tcpsyn-ack-max <packets-per-second>
set tcpfin-rst-max <packets-per-second>
set tcp-max <packets-per-second>
set udp-max <packets-per-second>a
set icmp-max <packets-per-second>
set sctp-max <packets-per-second>
set esp-max <packets-per-second>
set ip-frag-max <packets-per-second>
set ip-others-max <packets-per-second>
set arp-max <packets-per-second>
set l2-others-max <packets-per-second>
set high-priority <packets-per-second>
set enable-shaper {disable | enable}
config fp-anomaly
set tcp-syn-fin {allow | drop | trap-to-host}
set tcp-fin-noack {allow | drop | trap-to-host}
set tcp-fin-only {allow | drop | trap-to-host}
set tcp-no-flag {allow | drop | trap-to-host}
set tcp-syn-data {allow | drop | trap-to-host}
set tcp-winnuke {allow | drop | trap-to-host}
set tcp-land {allow | drop | trap-to-host}
set udp-land {allow | drop | trap-to-host}
set icmp-land {allow | drop | trap-to-host}
set icmp-frag {allow | drop | trap-to-host}
set ipv4-land {allow | drop | trap-to-host}
set ipv4-proto-err {allow | drop | trap-to-host}
set ipv4-unknopt {allow | drop | trap-to-host}
set ipv4-optrr {allow | drop | trap-to-host}
set ipv4-optssrr {allow | drop | trap-to-host}
set ipv4-optlsrr {allow | drop | trap-to-host}
set ipv4-optstream {allow | drop | trap-to-host}
set ipv4-optsecurity {allow | drop | trap-to-host}
set ipv4-opttimestamp {allow | drop | trap-to-host}
set ipv4-csum-err {drop | trap-to-host}
set tcp-csum-err {drop | trap-to-host}
set udp-csum-err {drop | trap-to-host}
set icmp-csum-err {drop | trap-to-host}
set ipv6-land {allow | drop | trap-to-host}
set ipv6-proto-err {allow | drop | trap-to-host}
set ipv6-unknopt {allow | drop | trap-to-host}
set ipv6-saddr-err {allow | drop | trap-to-host}
set ipv6-daddr-err {allow | drop | trap-to-host}
set ipv6-optralert {allow | drop | trap-to-host}
set ipv6-optjumbo {allow | drop | trap-to-host}
set ipv6-opttunnel {allow | drop | trap-to-host}
set ipv6-opthomeaddr {allow | drop | trap-to-host}
set ipv6-optnsap {allow | drop | trap-to-host}
set ipv6-optendpid {allow | drop | trap-to-host}
set ipv6-optinvld {allow | drop | trap-to-host}
config ip-reassembly
set min_timeout <micro-seconds>
set max_timeout <micro-seconds>
set status {disable | enable}
config dsw-dts-profile
edit <profile-id>
set min-limit <limit>
set step <number>
set action {wait | drop | drop_tmr_0 | drop_tmr_1 | enque | enque_0 | enque_1 }
config dsw-queue-dts-profile
edit <profile-name>
set iport <iport>
set oport <oport>
set profile-id <profile-id>
set queue-select <queue-id>
config np-queues
config profile
edit <profile-id>
set type {cos | dscp}
set weight <weight>
set {cos0 | cos1 | ... | cos7} {queue0 | queue1 | ... | queue7}
set {dscp0 | dscp1 | ... | dscp63} {queue0 | queue1 | ... | queue7}
end
config ethernet-type
edit <ethernet-type-name>
set type <ethertype>
set queue <queue>
set weight <weight>
config ip-protocol
edit <protocol-name>
set protocol <ip-protocol-number>
set queue <queue>
set weight <weight>
config ip-service
edit <service-name>
set protocol <ip-protocol-number>
set sport <port-number>
set dport <port-number>
set queue <queue>
set weight <weight>
config scheduler
edit <schedule-name>
set mode {none | priority | round-robin}
end
end
end