Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Hyperscale Firewall Guide

    Home FortiGate / FortiOS 7.4.5 Hyperscale Firewall Guide
    7.4.5
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.6
    6.2.9
    6.2.7
    6.2.6

    config icmp-error-rate-ctrl

    config icmp-error-rate-ctrl

    ICMP error rate control limits the average number of ICMP error packets generated by NP7 processors and includes a token bucket system to limit ICMPv4 and ICMPv6 error packet bursts.

    Under some high-traffic conditions, NP7 processors can generate excessive amounts of ICMP error packets. Because ICMP error packets are processed by the CPU, without rate limiting, excessive amounts of ICMP error packets can cause high CPU usage and possibly CPU stalling.

    ICMP error rate control is enabled by default. If your FortiGate CPU performance is being affected by excessive ICMP error traffic, you can use the following options to change the average packet generation rates and adjust the token bucket size for ICMPv4 and ICMPv6 error packets. You can also disable ICMP error rate control.

    config system npu

    config icmp-error-rate-ctrl

    set icmpv4-error-rate-limit {disable | enable}

    set icmpv4-error-rate <packets-per-second>

    set icmpv4-error-bucket-size <token-bucket-size>

    set icmpv6-error-rate-limit {disable | enable}

    set icmpv6-error-rate <packets-per-second>

    set icmpv6-error-bucket-size <token-bucket-size>

    end

    icmpv4-error-rate-limit enable or disable ICMPv4 error packet rate limiting. Enabled by default.

    icmpv4-error-rate the average number of ICMPv4 error packets that can be generated per second. The range is 1 to 100 and the default rate is 1 packet per second.

    icmpv4-error-bucket-size the bucket size used in the token bucket algorithm for controlling the flow of ICMPv4 error packets to prevent packet bursts. The range is 1 to 100 packets and the default is 20 packets.

    icmpv6-error-rate-limit enable or disable ICMPv6 error packet rate limiting. Enabled by default.

    icmpv6-error-rate the average number of ICMPv6 error packets that can be generated per second. The range is 1 to 100 and the default rate is 1 packet per second.

    icmp-v6-error-bucket-size the bucket size used by the token bucket algorithm for controlling the flow of ICMPv6 error packets to prevent packet bursts. The range is 1 to 100 packets and the default is 20 packets.

    Previous
    Next

    config icmp-error-rate-ctrl

    config icmp-error-rate-ctrl

    ICMP error rate control limits the average number of ICMP error packets generated by NP7 processors and includes a token bucket system to limit ICMPv4 and ICMPv6 error packet bursts.

    Under some high-traffic conditions, NP7 processors can generate excessive amounts of ICMP error packets. Because ICMP error packets are processed by the CPU, without rate limiting, excessive amounts of ICMP error packets can cause high CPU usage and possibly CPU stalling.

    ICMP error rate control is enabled by default. If your FortiGate CPU performance is being affected by excessive ICMP error traffic, you can use the following options to change the average packet generation rates and adjust the token bucket size for ICMPv4 and ICMPv6 error packets. You can also disable ICMP error rate control.

    config system npu

    config icmp-error-rate-ctrl

    set icmpv4-error-rate-limit {disable | enable}

    set icmpv4-error-rate <packets-per-second>

    set icmpv4-error-bucket-size <token-bucket-size>

    set icmpv6-error-rate-limit {disable | enable}

    set icmpv6-error-rate <packets-per-second>

    set icmpv6-error-bucket-size <token-bucket-size>

    end

    icmpv4-error-rate-limit enable or disable ICMPv4 error packet rate limiting. Enabled by default.

    icmpv4-error-rate the average number of ICMPv4 error packets that can be generated per second. The range is 1 to 100 and the default rate is 1 packet per second.

    icmpv4-error-bucket-size the bucket size used in the token bucket algorithm for controlling the flow of ICMPv4 error packets to prevent packet bursts. The range is 1 to 100 packets and the default is 20 packets.

    icmpv6-error-rate-limit enable or disable ICMPv6 error packet rate limiting. Enabled by default.

    icmpv6-error-rate the average number of ICMPv6 error packets that can be generated per second. The range is 1 to 100 and the default rate is 1 packet per second.

    icmp-v6-error-bucket-size the bucket size used by the token bucket algorithm for controlling the flow of ICMPv6 error packets to prevent packet bursts. The range is 1 to 100 packets and the default is 20 packets.

    Previous
    Next