Fortinet white logo
Fortinet white logo

Hyperscale Firewall Guide

Configuring NP7 processors

Configuring NP7 processors

You can use the config system npu command to configure a wide range of settings for the NP7 processors in your FortiGate, including adjusting session accounting and session timeouts. As well you can set anomaly checking for IPv4 and IPv6 traffic.

More options for configuring NP7 processors are available if your FortiGate is licensed for Hyperscale firewall features. This section includes information about all of the hyperscale-specific NP7 processor options.

FortiGates with hyperscale firewall licenses also allow you to enable and adjust Host Protection Engine (HPE) settings to protect networks from DoS attacks by categorizing incoming packets based on packet rate and processing cost and applying packet shaping to packets that can cause DoS attacks.

The settings that you configure with the config system npu command apply to all NP7 processors and traffic processed by all interfaces connected to NP7 processors. This includes the physical interfaces connected to the NP7 processors as well as all VLAN interfaces, IPsec interfaces, LAGs, and so on associated with the physical interfaces connected to the NP7 processors.

config system npu

set dedicated-management-cpu {disable | enable}

set ipsec-ob-np-sel {rr | Packet | Hash}

set npu-group-effective-scope { 0 | 1 | 2 | 3 | 255}

set hash-config {src-dst-ip | 5-tuple | scr-ip}

set pba-eim {disallow | allow}

set ippool-overload-low <threshold>

set ippool-overload-high <threshold>

set dse-timeout <seconds>

set hw-ha-scan-interval <seconds>

set ple-non-syn-tcp-action {drop | forward}

set tcp-rst-timeout <timeout>

set default-tcp-refresh-dir {both | outgoing | incoming}

set default-udp-refresh-dir {both | outgoing | incoming}

set prp-session-clear-mode {blocking | non-blocking | do-not-clear}

set spa-port-select-mode (direct | random}

set pba-port-select-mode (direct | random}

set spa-port-select-mode

set pba-port-select-mode

set napi-break-interval <interval>

set nss-threads-option {4T-EIF | 4T-NOEIF | 2T}

set capwap-offload {disable | enable}

set vxlan-offload {disable | enable}

set default-qos-type policing

set shaping-stats {disable | enable}

set gtp-support {disable | enable}

set per-session-accounting {disable | enable | traffic-log-only}

set session-acct-interval <seconds>

set per-policy-accounting {disable | enable}

set max-session-timeout <seconds>

set hash-tbl-spread {disable | enable}

set vlan-lookup-cache {disable | enable}

set ip-fragment-offload {disable | enable}

set htx-icmp-csum-chk {drop | pass}

set htab-msg-queue {data | idle | dedicated}

set htab-dedi-queue-nr <number-of-queues>

set qos-mode {disable | piority | round-robin}

set inbound-dscp-copy-port <interface> [<interface> ...]

set double-level-mcast-offload {disable | enable}

set qtm-buf-mode {6ch | 4ch}

set max-receive-unit <unit>

set ull-port-mode {10G | 25G}

config port-npu-map

edit <interface-name>

set npu-group-index <index>

config port-path-option

set ports-using-npu {ha1 ha2 aux1 aux2}

config dos-options

set npu-dos-meter-mode {global | local}

set npu-dos-tpe-mode {disable | enable}

config tcp-timeout-profile

edit {5 | 6 | 7 | ... | 47}

set tcp-idle <seconds>

set fin-wait <seconds>

set close-wait <seconds>

set time-wait <seconds>

set syn-sent <seconds>

set syn-wait <seconds>

config udp-timeout-profile

edit {5 | 6 | 7 | ... | 63}

set udp-idle <seconds>

config background-sse-scan

set scan {disable | enable}

set scan-stale {0 | 1}

set scan-vt <bit>.

set stats-update-interval <interval>

set stats-qual-access <qualification>

set stats-qual-duration <duration>

set udp-keepalive-interval <interval>

set udp-qual-access <qualification>

set udp-qual-duration <qualification>

config sse-ha-scan configure driver HA scan for SSE.

set gap Scanning message gap(0~32767, default 200)

config hpe

set all-protocol <packets-per-second> Maximum packet rate of each host queue except high priority traffic(1K - 32M pps, default = 400K pps), set 0 to disable.

set tcpsyn-max <packets-per-second>

set tcpsyn-ack-max <packets-per-second>

set tcpfin-rst-max <packets-per-second>

set tcp-max <packets-per-second>

set udp-max <packets-per-second>a

set icmp-max <packets-per-second>

set sctp-max <packets-per-second>

set esp-max <packets-per-second>

set ip-frag-max <packets-per-second>

set ip-others-max <packets-per-second>

set arp-max <packets-per-second>

set l2-others-max <packets-per-second>

set high-priority <packets-per-second>

set enable-shaper {disable | enable}

config fp-anomaly

set tcp-syn-fin {allow | drop | trap-to-host}

set tcp-fin-noack {allow | drop | trap-to-host}

set tcp-fin-only {allow | drop | trap-to-host}

set tcp-no-flag {allow | drop | trap-to-host}

set tcp-syn-data {allow | drop | trap-to-host}

set tcp-winnuke {allow | drop | trap-to-host}

set tcp-land {allow | drop | trap-to-host}

set udp-land {allow | drop | trap-to-host}

set icmp-land {allow | drop | trap-to-host}

set icmp-frag {allow | drop | trap-to-host}

set ipv4-land {allow | drop | trap-to-host}

set ipv4-proto-err {allow | drop | trap-to-host}

set ipv4-unknopt {allow | drop | trap-to-host}

set ipv4-optrr {allow | drop | trap-to-host}

set ipv4-optssrr {allow | drop | trap-to-host}

set ipv4-optlsrr {allow | drop | trap-to-host}

set ipv4-optstream {allow | drop | trap-to-host}

set ipv4-optsecurity {allow | drop | trap-to-host}

set ipv4-opttimestamp {allow | drop | trap-to-host}

set ipv4-csum-err {drop | trap-to-host}

set tcp-csum-err {drop | trap-to-host}

set udp-csum-err {drop | trap-to-host}

set icmp-csum-err {drop | trap-to-host}

set ipv6-land {allow | drop | trap-to-host}

set ipv6-proto-err {allow | drop | trap-to-host}

set ipv6-unknopt {allow | drop | trap-to-host}

set ipv6-saddr-err {allow | drop | trap-to-host}

set ipv6-daddr-err {allow | drop | trap-to-host}

set ipv6-optralert {allow | drop | trap-to-host}

set ipv6-optjumbo {allow | drop | trap-to-host}

set ipv6-opttunnel {allow | drop | trap-to-host}

set ipv6-opthomeaddr {allow | drop | trap-to-host}

set ipv6-optnsap {allow | drop | trap-to-host}

set ipv6-optendpid {allow | drop | trap-to-host}

set ipv6-optinvld {allow | drop | trap-to-host}

config ip-reassembly

set min_timeout <micro-seconds>

set max_timeout <micro-seconds>

set status {disable | enable}

config dsw-dts-profile

edit <profile-id>

set min-limit <limit>

set step <number>

set action {wait | drop | drop_tmr_0 | drop_tmr_1 | enque | enque_0 | enque_1 }

config dsw-queue-dts-profile

edit <profile-name>

set iport <iport>

set oport <oport>

set profile-id <profile-id>

set queue-select <queue-id>

config np-queues

config profile

edit <profile-id>

set type {cos | dscp}

set weight <weight>

set {cos0 | cos1 | ... | cos7} {queue0 | queue1 | ... | queue7}

set {dscp0 | dscp1 | ... | dscp63} {queue0 | queue1 | ... | queue7}

end

config ethernet-type

edit <ethernet-type-name>

set type <ethertype>

set queue <queue>

set weight <weight>

config ip-protocol

edit <protocol-name>

set protocol <ip-protocol-number>

set queue <queue>

set weight <weight>

config ip-service

edit <service-name>

set protocol <ip-protocol-number>

set sport <port-number>

set dport <port-number>

set queue <queue>

set weight <weight>

config scheduler

edit <schedule-name>

set mode {none | priority | round-robin}

end

end

end

Configuring NP7 processors

Configuring NP7 processors

You can use the config system npu command to configure a wide range of settings for the NP7 processors in your FortiGate, including adjusting session accounting and session timeouts. As well you can set anomaly checking for IPv4 and IPv6 traffic.

More options for configuring NP7 processors are available if your FortiGate is licensed for Hyperscale firewall features. This section includes information about all of the hyperscale-specific NP7 processor options.

FortiGates with hyperscale firewall licenses also allow you to enable and adjust Host Protection Engine (HPE) settings to protect networks from DoS attacks by categorizing incoming packets based on packet rate and processing cost and applying packet shaping to packets that can cause DoS attacks.

The settings that you configure with the config system npu command apply to all NP7 processors and traffic processed by all interfaces connected to NP7 processors. This includes the physical interfaces connected to the NP7 processors as well as all VLAN interfaces, IPsec interfaces, LAGs, and so on associated with the physical interfaces connected to the NP7 processors.

config system npu

set dedicated-management-cpu {disable | enable}

set ipsec-ob-np-sel {rr | Packet | Hash}

set npu-group-effective-scope { 0 | 1 | 2 | 3 | 255}

set hash-config {src-dst-ip | 5-tuple | scr-ip}

set pba-eim {disallow | allow}

set ippool-overload-low <threshold>

set ippool-overload-high <threshold>

set dse-timeout <seconds>

set hw-ha-scan-interval <seconds>

set ple-non-syn-tcp-action {drop | forward}

set tcp-rst-timeout <timeout>

set default-tcp-refresh-dir {both | outgoing | incoming}

set default-udp-refresh-dir {both | outgoing | incoming}

set prp-session-clear-mode {blocking | non-blocking | do-not-clear}

set spa-port-select-mode (direct | random}

set pba-port-select-mode (direct | random}

set spa-port-select-mode

set pba-port-select-mode

set napi-break-interval <interval>

set nss-threads-option {4T-EIF | 4T-NOEIF | 2T}

set capwap-offload {disable | enable}

set vxlan-offload {disable | enable}

set default-qos-type policing

set shaping-stats {disable | enable}

set gtp-support {disable | enable}

set per-session-accounting {disable | enable | traffic-log-only}

set session-acct-interval <seconds>

set per-policy-accounting {disable | enable}

set max-session-timeout <seconds>

set hash-tbl-spread {disable | enable}

set vlan-lookup-cache {disable | enable}

set ip-fragment-offload {disable | enable}

set htx-icmp-csum-chk {drop | pass}

set htab-msg-queue {data | idle | dedicated}

set htab-dedi-queue-nr <number-of-queues>

set qos-mode {disable | piority | round-robin}

set inbound-dscp-copy-port <interface> [<interface> ...]

set double-level-mcast-offload {disable | enable}

set qtm-buf-mode {6ch | 4ch}

set max-receive-unit <unit>

set ull-port-mode {10G | 25G}

config port-npu-map

edit <interface-name>

set npu-group-index <index>

config port-path-option

set ports-using-npu {ha1 ha2 aux1 aux2}

config dos-options

set npu-dos-meter-mode {global | local}

set npu-dos-tpe-mode {disable | enable}

config tcp-timeout-profile

edit {5 | 6 | 7 | ... | 47}

set tcp-idle <seconds>

set fin-wait <seconds>

set close-wait <seconds>

set time-wait <seconds>

set syn-sent <seconds>

set syn-wait <seconds>

config udp-timeout-profile

edit {5 | 6 | 7 | ... | 63}

set udp-idle <seconds>

config background-sse-scan

set scan {disable | enable}

set scan-stale {0 | 1}

set scan-vt <bit>.

set stats-update-interval <interval>

set stats-qual-access <qualification>

set stats-qual-duration <duration>

set udp-keepalive-interval <interval>

set udp-qual-access <qualification>

set udp-qual-duration <qualification>

config sse-ha-scan configure driver HA scan for SSE.

set gap Scanning message gap(0~32767, default 200)

config hpe

set all-protocol <packets-per-second> Maximum packet rate of each host queue except high priority traffic(1K - 32M pps, default = 400K pps), set 0 to disable.

set tcpsyn-max <packets-per-second>

set tcpsyn-ack-max <packets-per-second>

set tcpfin-rst-max <packets-per-second>

set tcp-max <packets-per-second>

set udp-max <packets-per-second>a

set icmp-max <packets-per-second>

set sctp-max <packets-per-second>

set esp-max <packets-per-second>

set ip-frag-max <packets-per-second>

set ip-others-max <packets-per-second>

set arp-max <packets-per-second>

set l2-others-max <packets-per-second>

set high-priority <packets-per-second>

set enable-shaper {disable | enable}

config fp-anomaly

set tcp-syn-fin {allow | drop | trap-to-host}

set tcp-fin-noack {allow | drop | trap-to-host}

set tcp-fin-only {allow | drop | trap-to-host}

set tcp-no-flag {allow | drop | trap-to-host}

set tcp-syn-data {allow | drop | trap-to-host}

set tcp-winnuke {allow | drop | trap-to-host}

set tcp-land {allow | drop | trap-to-host}

set udp-land {allow | drop | trap-to-host}

set icmp-land {allow | drop | trap-to-host}

set icmp-frag {allow | drop | trap-to-host}

set ipv4-land {allow | drop | trap-to-host}

set ipv4-proto-err {allow | drop | trap-to-host}

set ipv4-unknopt {allow | drop | trap-to-host}

set ipv4-optrr {allow | drop | trap-to-host}

set ipv4-optssrr {allow | drop | trap-to-host}

set ipv4-optlsrr {allow | drop | trap-to-host}

set ipv4-optstream {allow | drop | trap-to-host}

set ipv4-optsecurity {allow | drop | trap-to-host}

set ipv4-opttimestamp {allow | drop | trap-to-host}

set ipv4-csum-err {drop | trap-to-host}

set tcp-csum-err {drop | trap-to-host}

set udp-csum-err {drop | trap-to-host}

set icmp-csum-err {drop | trap-to-host}

set ipv6-land {allow | drop | trap-to-host}

set ipv6-proto-err {allow | drop | trap-to-host}

set ipv6-unknopt {allow | drop | trap-to-host}

set ipv6-saddr-err {allow | drop | trap-to-host}

set ipv6-daddr-err {allow | drop | trap-to-host}

set ipv6-optralert {allow | drop | trap-to-host}

set ipv6-optjumbo {allow | drop | trap-to-host}

set ipv6-opttunnel {allow | drop | trap-to-host}

set ipv6-opthomeaddr {allow | drop | trap-to-host}

set ipv6-optnsap {allow | drop | trap-to-host}

set ipv6-optendpid {allow | drop | trap-to-host}

set ipv6-optinvld {allow | drop | trap-to-host}

config ip-reassembly

set min_timeout <micro-seconds>

set max_timeout <micro-seconds>

set status {disable | enable}

config dsw-dts-profile

edit <profile-id>

set min-limit <limit>

set step <number>

set action {wait | drop | drop_tmr_0 | drop_tmr_1 | enque | enque_0 | enque_1 }

config dsw-queue-dts-profile

edit <profile-name>

set iport <iport>

set oport <oport>

set profile-id <profile-id>

set queue-select <queue-id>

config np-queues

config profile

edit <profile-id>

set type {cos | dscp}

set weight <weight>

set {cos0 | cos1 | ... | cos7} {queue0 | queue1 | ... | queue7}

set {dscp0 | dscp1 | ... | dscp63} {queue0 | queue1 | ... | queue7}

end

config ethernet-type

edit <ethernet-type-name>

set type <ethertype>

set queue <queue>

set weight <weight>

config ip-protocol

edit <protocol-name>

set protocol <ip-protocol-number>

set queue <queue>

set weight <weight>

config ip-service

edit <service-name>

set protocol <ip-protocol-number>

set sport <port-number>

set dport <port-number>

set queue <queue>

set weight <weight>

config scheduler

edit <schedule-name>

set mode {none | priority | round-robin}

end

end

end