
Hyperscale Firewall Guide

Change log

Date

Change description

October 15, 2024

A new version of the hyperscale firewall policy engine was added to FortiOS 7.4.3 and 7.6.0. This new version is intended to resolve the issues that cause the limitations described in Hyperscale firewall policy engine limitations and mechanics, so those limitations may no longer apply. Because the new engine is relatively new, more testing is needed to determine whether it introduces new limitations. The limit of 15,000 policies per hyperscale VDOM has not changed.

September 9, 2024

New section: Overload PBA resource quota limitation.

August 23, 2024

If your FortiGate has multiple NP7 processors, depending on whether or not you are enabling EIF in hyperscale firewall policies, you may want to use the nss-threads-option of the config system npu command to optimize performance, see nss-threads-option {4T-EIF | 4T-NOEIF | 2T}.

You should not operate DoS protection in monitor mode on a FortiGate licensed for hyperscale firewall. For more information about this limitation, see Hyperscale firewall 7.4.4 incompatibilities and limitations.

July 18, 2024

Added more information about limitations of the diagnose sys npu-session list command output when host logging is enabled, see Displaying information about NP7 hyperscale firewall hardware sessions.

July 3, 2024

More corrections to the information in this document about ALG support.

June 28, 2024

Removed incorrect information about ALG support requiring hash-config set to src-ip.

June 26, 2024

New section: Overload PBA port-reuse limitation for traffic between a single source and destination IP address. Changes to Recommended NP7 traffic distribution for optimal CGNAT performance.

May 31, 2024

Corrections to SNMP information in Hyperscale firewall policy MIB fields. Removed content about SNMP queries for NAT46 and NAT64 policy statistics, since SNMP fields for NAT46 and NAT64 policies have been removed from the Fortinet MIB.

If you have set up a threat feed as the source or destination address in a hyperscale firewall policy, you cannot enable the corresponding address negate option (dstaddr-negate or srcaddr-negate), see Adding IP address threat feeds to hyperscale firewall policies.

May 29, 2024

Corrected information about firewall VIP support for hyperscale firewall VDOMs in Hyperscale firewall 7.4.4 incompatibilities and limitations.

May 15, 2024

FortiOS 7.4.4 document release.

April 12, 2024

New section Configuring NP7 processors describes all of the options of the config system npu command available on FortiGates licensed for Hyperscale firewall.

March 20, 2024

Changes to Recommended NP7 traffic distribution for optimal CGNAT performance. New section Carrier-Grade NAT Architecture Guide. Per-session hardware logging is not compatible with session-count DoS anomalies, see Hyperscale firewall 7.4.4 incompatibilities and limitations for more information.

March 12, 2024

New section: Removing the hyperscale firewall license.

February 8, 2024

FortiOS 7.4.3 document release.

January 5, 2024

Improvements to the information in the following sections to add more details and make the available information more accessible:

December 20, 2023

FortiOS 7.4.2 document release.

August 31, 2023

FortiOS 7.4.1 document release.

August 21, 2023

New section: Hyperscale and standard FortiOS CGNAT feature comparison.

June 28, 2023

Added information about hardware logging sending multiple session start log messages if log-processor is set to hardware and log-mode is set to per-session to Hyperscale firewall 7.4.4 incompatibilities and limitations.

May 11, 2023

FortiOS 7.4.0 document release.
