Hyperscale firewall CLI changes
The following hyperscale firewall CLI commands are available:
Enable hyperscale firewall features
Use the following command to enable hyperscale firewall features for a hyperscale firewall VDOM:
config system settings
    set policy-offload-level full-offload
end
Special hyperscale firewall VDOM naming convention
VDOMs in which you will be enabling hyperscale firewall features must be created with a special VDOM name that also includes a VDOM ID number.
The following option can be used to set the VDOM ID range:
config system global
    set hyper-scale-vdom-num <number>
end
By default this option is set to 250, allowing you to configure up to 250 hyperscale firewall VDOMs by setting the VDOM ID in the range 1 to 250.
Use the following syntax to create a hyperscale firewall VDOM from the global CLI:
config vdom
    edit <string>-hw<vdom-id>
end
For information about how to name hyperscale firewall VDOMs, see Creating hyperscale firewall VDOMs.
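As an added illustration of the naming convention above (this is not part of the Fortinet documentation), the following Python checks a planned list of VDOM names against the `<string>-hw<vdom-id>` form and the configured hyper-scale-vdom-num range before the VDOMs are created. The uniqueness check on VDOM IDs across the list is an assumption added here, not something this page states.

```python
import re

# Naming convention from the page: <string>-hw<vdom-id>
_HW_VDOM_RE = re.compile(r"^(?P<prefix>[A-Za-z0-9_-]+)-hw(?P<vdom_id>\d+)$")


def parse_hyperscale_vdom_name(name):
    """Return (prefix, vdom_id) for a <string>-hw<vdom-id> name, or None if it does not match."""
    m = _HW_VDOM_RE.match(name)
    if not m:
        return None
    return m.group("prefix"), int(m.group("vdom_id"))


def validate_hyperscale_vdoms(names, hyper_scale_vdom_num=250):
    """
    Check VDOM names against the naming convention and the ID range 1..hyper_scale_vdom_num
    (250 is the page's stated default for 'set hyper-scale-vdom-num').
    Returns a list of (name, problem) tuples; an empty list means every name is acceptable.
    Assumption (not on this page): each VDOM ID may be used by only one hyperscale VDOM.
    """
    problems = []
    seen = {}  # vdom_id -> first name that used it
    for name in names:
        parsed = parse_hyperscale_vdom_name(name)
        if parsed is None:
            problems.append((name, "not of the form <string>-hw<vdom-id>"))
            continue
        _, vdom_id = parsed
        if not 1 <= vdom_id <= hyper_scale_vdom_num:
            problems.append((name, f"VDOM ID {vdom_id} outside 1..{hyper_scale_vdom_num}"))
            continue
        if vdom_id in seen:
            problems.append((name, f"VDOM ID {vdom_id} already used by {seen[vdom_id]}"))
            continue
        seen[vdom_id] = name
    return problems


if __name__ == "__main__":
    # Constructed sample: two valid names, one duplicate ID, one out of range, one malformed
    planned = ["cgn-hw1", "lsn-hw250", "dup-hw1", "big-hw251", "plainvdom"]
    for name, problem in validate_hyperscale_vdoms(planned):
        print(f"{name}: {problem}")
```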
Firewall policies include hyperscale options
For any firewall policy in a hyperscale firewall VDOM, you can use the cgn-log-server-grp option to enable hyperscale firewall logging for all of the traffic accepted by the policy that is offloaded to NP7 processors.
The number of firewall policies that can be added to a hyperscale firewall VDOM is limited to 15,000. For more information, see About the 15,000 policy per hyperscale VDOM limit.
IPv4 and NAT64 NAT hyperscale firewall policies can include the following CGN resource allocation options. You can also add CGN resource allocation IP pools to these policies.
config firewall policy
    edit 1
        set cgn-session-quota <quota>
        set cgn-resource-quota <quota>
        set cgn-eif {disable | enable}
        set cgn-eim {disable | enable}
end
Firewall policies in Hyperscale VDOMs do not support UTM or NGFW features.
CGN Resource allocation IP pools
You can use the following command to configure CGN Resource allocation IP pools:
config firewall ippool
    edit <name>
        set type cgn-resource-allocation
        set startip <ip>
        set endip <ip>
        set arp-reply {disable | enable}
        set arp-intf <interface-name>
        set cgn-spa {disable | enable}
        set cgn-overload {disable | enable}
        set cgn-fixedalloc {disable | enable}
        set cgn-block-size <number-of-ports>
        set cgn-client-startip <ip>
        set cgn-client-endip <ip>
        set cgn-port-start <port>
        set cgn-port-end <port>
        set utilization-alarm-raise <usage-threshold>
        set utilization-alarm-clear <usage-threshold>
end
CGN Resource allocation IP pool groups
You can use the following command to create CGN Resource Allocation IP pool groups:
config firewall ippool_grp
    edit <name>
        set member <cgn-ippool> ...
end
Hardware logging
The following hardware logging commands are available:
config log npu-server
    set log-processor {hardware | host}
    set log-processing {may-drop | no-drop}
    set netflow-ver {v9 | v10}
    set enforce-seq-order {disable | enable}
    set syslog-facility <facility>
    set syslog-severity <severity>
    config server-info
        edit <index>
            set vdom <name>
            set ip-family {v4 | v6}
            set log-transport {tcp | udp}
            set ipv4-server <ipv4-address>
            set ipv6-server <ipv6-address>
            set source-port <port-number>
            set dest-port <port-number>
            set template-tx-timeout <timeout>
        end
    config server-group
        edit <group-name>
            set log-mode {per-session | per-nat-mapping | per-session-ending}
            set log-format {netflow | syslog}
            set log-tx-mode {roundrobin | multicast}
            set sw-log-flags {tcp-udp-only | enable-all-log | disable-all-log}
            set log-user-info {disable | enable}
            set log-gen-event {disable | enable}
            set server-number <number>
            set server-start-id <number>
        end
end
Hyperscale firewall inter-VDOM link acceleration
You apply NP7 acceleration to inter-VDOM link traffic by creating inter-VDOM links with the type set to npupair. For example:
config system vdom-link
    edit <name>
        set type npupair
end
More options available for the config system npu command
FortiGates licensed for hyperscale firewall features have more config system npu command options than FortiGates with NP7 processors that are not licensed for hyperscale firewall features. For information about all of the config system npu command options available on a FortiGate with hyperscale firewall features, see Configuring NP7 processors.