
Hyperscale Firewall Guide

Hyperscale firewall 7.6.0 incompatibilities and limitations

Hyperscale firewall for FortiOS 7.6.0 has the following limitations and incompatibilities with FortiOS features:

  • Proxy-based and flow-based inspection are not supported. You cannot include security profiles in hyperscale firewall policies.
  • Single sign-on authentication, including FSSO and RSSO, is not supported. Other types of authentication are supported.
  • IPsec VPN is not supported. You cannot create hyperscale firewall policies where one of the interfaces is an IPsec VPN interface.
  • The number of firewall policies that can be added to a hyperscale firewall VDOM is limited to 15,000. For more information, see About the 15,000 policy per hyperscale VDOM limit.

  • Hyperscale firewall VDOMs do not support Central NAT.
  • Hyperscale firewall VDOMs do not support Policy-based NGFW Mode.
  • Hyperscale firewall VDOMs must be NAT mode VDOMs. Hyperscale firewall features are not supported for transparent mode VDOMs.

  • Hyperscale firewall VDOMs do not support traffic shaping policies or profiles. Only outbandwidth traffic shaping is supported for hyperscale firewall VDOMs.

  • Hyperscale firewall VDOMs do not support the FortiOS Internet Service Database (ISDB), IP Reputation Database (IRDB), and IP Definitions Database (IPDB) features.

  • Traffic shaping with queuing using the NP7 QTM module is not compatible with carrier-grade NAT and hyperscale firewall features. See NP7 traffic shaping.

  • Traffic that requires session helpers or ALGs is processed by the CPU and not by NP7 processors (for example, FTP, TFTP, SIP, MGCP, H.323, PPTP, L2TP, ICMP Error/IP-options, PMAP, TNS, DCE-RPC, RAS, and RSH). For more information, see ALG/Session Helper Support.

  • Active-Active FGCP HA does not support HA hardware session synchronization. Active-passive FGCP HA, FGSP, and virtual clustering do support HA hardware session synchronization.

  • Asymmetric sessions are not supported.
  • ECMP usage-based load balancing is not supported. Traffic is not directed to routes with lower spillover-thresholds.
  • Interface device identification should not be enabled on interfaces that send or receive hyperscale firewall traffic.
  • The proxy action is not supported for DoS policy anomalies when your FortiGate is licensed for hyperscale firewall features. When you activate a hyperscale firewall license, the proxy option is removed from the CLI of both hyperscale VDOMs and normal VDOMs.

  • Access control list (ACL) policies added to a hyperscale firewall VDOM that is processing traffic may take longer than expected to become effective. During a transition period, traffic that should be blocked by the new ACL policy will be allowed.

  • During normal operation, UDP sessions from protocols that use FortiOS session helpers are processed by the CPU. After an FGCP HA failover, when the UDP session helper sessions are re-established, they will not be identified as session helper sessions and instead will be offloaded to the NP7 processors.

  • When operating an FGCP HA cluster with session synchronization enabled, some of the sessions accepted by an IPv4 or a NAT64 hyperscale firewall policy with an overload IP pool may not be synchronized to the secondary FortiGate. Some sessions are not synchronized because of resource conflicts and retries. The session loss rate depends on the percentage of resource retries during session setup. You can reduce the session loss by making sure the IP pool has as many IP addresses and ports as possible.

  • If hardware logging is configured to send log messages directly from NP7 processors (log-processor is set to hardware, also called log2hw) and the log server group is configured to send log messages at the start and end of each session (log-mode is set to per-session), hardware logging may send multiple session start log messages for one session, each with a different start time. This is a limitation of NP7 processor hardware logging: the NP7 processor creates an extra session start message whenever a session update occurs. You can work around this issue by:

    • Setting log-mode to per-session-ending. This setting creates a single log message when the session ends. This log message records the time the session ended as well as the duration of the session. This information can be used to calculate the session start time.

    • Setting log-processor to host (also called log2host). Host hardware logging removes duplicate log start messages created by the NP7 processor. Host logging may reduce performance.

  • Firewall virtual IP (VIP) features that are not supported by hyperscale firewall policies are no longer visible from the CLI or GUI when configuring IPv4 and IPv6 firewall VIPs in a hyperscale firewall VDOM.

    Note

    Even though the arp-reply CLI option is not supported for IPv4 and IPv6 firewall VIPs, responding to ARP requests for IP addresses in a virtual IP is supported. What is not supported is using the arp-reply option to disable responding to an ARP request.

  • Per-session hardware logging is not compatible with session-count DoS anomalies. When configuring hardware logging server groups, if log-mode is set to per-session you must delete any session-count DoS anomalies that have been added to DoS policies. Otherwise, resource usage for some processes can reach 100%, and those processes might become stuck or crash.

    Rate-based DoS anomalies are compatible with per-session hardware logging. Session-count-based DoS anomalies have session in their name (for example, tcp_src_session and tcp_dst_session). For information about DoS anomalies, see DoS policy.

  • Because of how NP7 hyperscale hardware-based session setup logic works, you should not operate DoS protection in monitor mode (that is, DoS policies with Action set to Monitor) on a FortiGate licensed for hyperscale firewall. You can enable monitor mode while debugging your DoS protection setup, but during normal operation, running DoS protection in monitor mode can cause NP7 processors to become unresponsive when processing large amounts of traffic.

  • PBA NAT interim logging is not supported for CGNAT IP pools.

  • If you have set up a threat feed as the source or destination address in a hyperscale firewall policy, you cannot enable the corresponding address negate option (dstaddr-negate or srcaddr-negate).

  • The option add-nat-64-route appears when you enable NAT64 in a CGN IP pool. This option is ignored by hyperscale firewall policies.
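The hardware logging item above says that log2hw with log-mode per-session can emit several session start messages for one session, and that per-session-ending records carry the end time and duration from which the start time can be calculated. The following added example (not Fortinet's code, and not the NP7 log format) shows a log-collector side normalization: it parses constructed key=value lines, collapses duplicate start messages to the earliest start, and derives the start time for sessions that only have an end record. The field names sessionid, logtype, eventtime and duration are assumptions chosen for the sample.

```python
"""Normalize hyperscale hardware session logs on the collector side.

Collapses duplicate session-start messages (log2hw + per-session) and derives
a start time from per-session-ending records (end time minus duration).
The sample lines below are constructed in a generic key=value syslog style;
the field names are assumptions for illustration, not the NP7 log format."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

SAMPLE_LOGS = [
    # Session 1001 logged with log-mode per-session: two start messages with
    # different start times (the duplicate-start behaviour), then one end.
    "sessionid=1001 logtype=start srcip=10.0.0.5 srcport=40001 dstip=203.0.113.9 dstport=443 eventtime=1700000000",
    "sessionid=1001 logtype=start srcip=10.0.0.5 srcport=40001 dstip=203.0.113.9 dstport=443 eventtime=1700000003",
    "sessionid=1001 logtype=end srcip=10.0.0.5 srcport=40001 dstip=203.0.113.9 dstport=443 eventtime=1700000030 duration=30",
    # Session 1002 logged with log-mode per-session-ending: only an end
    # message, carrying the end time and the session duration.
    "sessionid=1002 logtype=end srcip=10.0.0.6 srcport=40002 dstip=203.0.113.9 dstport=443 eventtime=1700000100 duration=45",
]


@dataclass
class SessionRecord:
    sessionid: str
    observed_starts: List[int] = field(default_factory=list)  # eventtime of each start message
    end_time: Optional[int] = None
    duration: Optional[int] = None

    @property
    def derived_start(self) -> Optional[int]:
        """Start time reconstructed from a per-session-ending record."""
        if self.end_time is not None and self.duration is not None:
            return self.end_time - self.duration
        return None

    @property
    def start_time(self) -> Optional[int]:
        """Single start time: earliest observed start, otherwise the derived one."""
        if self.observed_starts:
            return min(self.observed_starts)
        return self.derived_start

    @property
    def duplicate_starts(self) -> int:
        """Number of extra start messages beyond the first."""
        return max(0, len(self.observed_starts) - 1)


def parse_kv(line: str) -> Dict[str, str]:
    """Split a space-separated key=value line; tokens without '=' are ignored."""
    out: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            out[key] = value
    return out


def normalize(lines: Iterable[str]) -> Dict[str, SessionRecord]:
    """Fold start/end messages into one record per sessionid."""
    sessions: Dict[str, SessionRecord] = {}
    for line in lines:
        kv = parse_kv(line)
        sid = kv.get("sessionid")
        if sid is None or "logtype" not in kv or "eventtime" not in kv:
            continue  # not a session message we know how to fold
        rec = sessions.setdefault(sid, SessionRecord(sid))
        if kv["logtype"] == "start":
            rec.observed_starts.append(int(kv["eventtime"]))
        elif kv["logtype"] == "end":
            rec.end_time = int(kv["eventtime"])
            if "duration" in kv:
                rec.duration = int(kv["duration"])
    return sessions


if __name__ == "__main__":
    for sid, rec in normalize(SAMPLE_LOGS).items():
        print(sid, "start", rec.start_time, "end", rec.end_time,
              "duplicate starts", rec.duplicate_starts)
```

Keeping the earliest observed start and counting the duplicates lets a SIEM both store one session row and track how often log2hw produced extra start messages, which is a useful signal when deciding whether to move to per-session-ending or log2host.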
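Several items above describe setting combinations that must not coexist on a hyperscale-licensed FortiGate: log2hw with log-mode per-session (duplicate start messages), per-session hardware logging together with session-count DoS anomalies (processes at 100%), and DoS policies in monitor mode. The following added example (not Fortinet's code) is a pre-change lint that parses a FortiOS-style CLI fragment into a tree and flags those combinations. The container names config log npu-server, config server-group, config firewall DoS-policy and config anomaly, and the action value monitor, are assumptions made here for illustration; only the option names from the list above (log-processor, log-mode and the per-session values) come from the page.

```python
"""Pre-change lint for hyperscale firewall hardware logging and DoS settings.

Parses a FortiOS-style CLI fragment (config/edit/set/next/end) into a nested
dict and reports the incompatible combinations from the limitations list.
Container names and the 'monitor' action value are assumptions for illustration."""
import shlex
from typing import Dict, List, Tuple

# Constructed config fragment containing the problematic settings.
PROBLEM_CONFIG = """
config log npu-server
    set log-processor hardware
    config server-group
        edit "hw-group"
            set log-mode per-session
        next
    end
end
config firewall DoS-policy
    edit 1
        set interface "port1"
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set action block
            next
            edit "tcp_src_session"
                set status enable
                set action monitor
            next
        end
    next
end
"""

# The same fragment after applying the documented workarounds: per-session-ending
# logging (no duplicate starts, compatible with session-count anomalies) and a
# blocking action instead of monitor mode.
FIXED_CONFIG = PROBLEM_CONFIG.replace(
    "set log-mode per-session", "set log-mode per-session-ending"
).replace("set action monitor", "set action block")

Finding = Tuple[str, str, str]  # (severity, code, message)


def parse_cli(text: str) -> dict:
    """Build a nested dict: 'config ...' and edit names are keys, '_set' holds attributes."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        parts = shlex.split(raw)  # handles quoted names such as edit "hw-group"
        if not parts:
            continue
        kw, args = parts[0], parts[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault("config " + " ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1].setdefault("_set", {})[args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return root


def setting(node: dict, key: str, default: str = "") -> str:
    """First value of a 'set key value' line in this node, or default."""
    values = node.get("_set", {}).get(key)
    return values[0] if values else default


def children(node: dict) -> Dict[str, dict]:
    """Child entries of a table node, excluding the node's own attributes."""
    return {name: child for name, child in node.items() if name != "_set"}


def lint(tree: dict) -> List[Finding]:
    findings: List[Finding] = []
    npu = tree.get("config log npu-server", {})
    log_processor = setting(npu, "log-processor", "host")
    per_session = [name for name, grp in children(npu.get("config server-group", {})).items()
                   if setting(grp, "log-mode") == "per-session"]
    if per_session and log_processor == "hardware":
        findings.append(("warn", "DUP_SESSION_START",
                         f"server groups {per_session} use per-session with log2hw; "
                         "expect multiple session start messages per session"))
    for pol_id, pol in children(tree.get("config firewall DoS-policy", {})).items():
        for name, anomaly in children(pol.get("config anomaly", {})).items():
            if setting(anomaly, "status", "disable") != "enable":
                continue
            if per_session and "session" in name:  # session-count anomalies carry 'session' in the name
                findings.append(("error", "SESSION_COUNT_WITH_PER_SESSION",
                                 f"DoS policy {pol_id}: remove session-count anomaly {name} "
                                 "while any server group uses log-mode per-session"))
            if setting(anomaly, "action") == "monitor":
                findings.append(("warn", "DOS_MONITOR_MODE",
                                 f"DoS policy {pol_id}: anomaly {name} runs in monitor mode; "
                                 "not recommended outside debugging on hyperscale units"))
    return findings


if __name__ == "__main__":
    for severity, code, message in lint(parse_cli(PROBLEM_CONFIG)):
        print(f"{severity}: {code}: {message}")
    print("fixed config findings:", lint(parse_cli(FIXED_CONFIG)))
```

Running the lint over a configuration backup before a change window turns the prose limitations into a repeatable check; the `session`-in-name rule mirrors the naming convention the list gives for session-count anomalies, so any new anomaly that follows it is caught without editing the code.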
