
Hyperscale Firewall Guide

Hyperscale firewall CLI changes

The following hyperscale firewall CLI commands are available:

Enable hyperscale firewall features

Use the following command to enable hyperscale firewall features for a hyperscale firewall VDOM:

config system settings
    set policy-offload-level full-offload
end

Special hyperscale firewall VDOM naming convention

VDOMs in which you will be enabling hyperscale firewall features must be created with a special VDOM name that also includes a VDOM ID number.

The following option can be used to set the VDOM ID range:

config system global
    set hyper-scale-vdom-num <number>
end

By default this option is set to 250, allowing you to configure up to 250 hyperscale firewall VDOMs with VDOM IDs in the range 1 to 250.

Use the following syntax to create a hyperscale firewall VDOM from the global CLI:

config vdom
    edit <string>-hw<vdom-id>

For information about how to name hyperscale firewall VDOMs, see Creating hyperscale firewall VDOMs.
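The following Python script is an added example, not part of the Fortinet guide: it checks a list of planned VDOM names against the <string>-hw<vdom-id> convention and the hyper-scale-vdom-num range described above, so that a naming mistake is caught before the VDOMs are created. The character set allowed in the prefix and the rule that each VDOM ID is used by at most one VDOM (which the 1-to-250 range implies) are assumptions of this script, not statements from the page.

```python
import re
from collections import Counter

# Default value of "set hyper-scale-vdom-num", as stated on the page.
DEFAULT_HYPER_SCALE_VDOM_NUM = 250

# Pattern assumed for the documented naming convention <string>-hw<vdom-id>:
# a non-empty prefix, the literal "-hw", then a decimal VDOM ID at the end of the
# name. The character class for the prefix is an assumption, not a page statement.
_HW_VDOM_RE = re.compile(r"^(?P<prefix>[A-Za-z0-9_-]+)-hw(?P<vdom_id>\d+)$")


def parse_hyperscale_vdom_name(name, hyper_scale_vdom_num=DEFAULT_HYPER_SCALE_VDOM_NUM):
    """Return (prefix, vdom_id) when the name follows the convention and the ID is
    within 1..hyper_scale_vdom_num; return None otherwise."""
    match = _HW_VDOM_RE.match(name)
    if match is None:
        return None
    vdom_id = int(match.group("vdom_id"))
    if not 1 <= vdom_id <= hyper_scale_vdom_num:
        return None
    return match.group("prefix"), vdom_id


def audit_vdom_names(names, hyper_scale_vdom_num=DEFAULT_HYPER_SCALE_VDOM_NUM):
    """Check a list of VDOM names intended for hyperscale use. Returns a list of
    findings: names that do not follow the convention or whose ID is outside the
    configured range, followed by IDs used by more than one VDOM (assumed unique)."""
    findings = []
    ids = Counter()
    for name in names:
        parsed = parse_hyperscale_vdom_name(name, hyper_scale_vdom_num)
        if parsed is None:
            findings.append(
                f"{name}: not a valid <string>-hw<vdom-id> name with ID 1..{hyper_scale_vdom_num}"
            )
            continue
        ids[parsed[1]] += 1
    for vdom_id, count in sorted(ids.items()):
        if count > 1:
            findings.append(f"VDOM ID {vdom_id} is used by {count} VDOMs; IDs are assumed unique")
    return findings


# Constructed sample: two conforming names, a duplicate ID, a name without an ID,
# and an ID above the default hyper-scale-vdom-num of 250.
SAMPLE_NAMES = ["cgn-hw1", "edge-hw2", "lab-hw1", "root", "big-hw251"]

if __name__ == "__main__":
    for finding in audit_vdom_names(SAMPLE_NAMES):
        print(finding)
```

Run it against the names you intend to create; pass the value you configured for hyper-scale-vdom-num as the second argument if you changed it from the default.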

Firewall policies include hyperscale options

For any firewall policy in a hyperscale firewall VDOM, you can use the cgn-log-server-grp option to enable hyperscale firewall logging for all of the traffic accepted by the policy that is offloaded to NP7 processors.

Note

The number of firewall policies that can be added to a hyperscale firewall VDOM is limited to 15,000. For more information, see About the 15,000 policy per hyperscale VDOM limit.

IPv4 and NAT64 NAT hyperscale firewall policies can include the following CGN resource allocation options. You can also add CGN resource allocation IP pools to these policies.

config firewall policy
    edit 1
        set cgn-session-quota <quota>
        set cgn-resource-quota <quota>
        set cgn-eif {disable | enable}
        set cgn-eim {disable | enable}
        set cgn-sw-eif-ctrl {disable | enable}
end

Firewall policies in Hyperscale VDOMs do not support UTM or NGFW features.

CGN Resource allocation IP pools

You can use the following command to configure CGN Resource allocation IP pools:

config firewall ippool
    edit <name>
        set type cgn-resource-allocation
        set startip <ip>
        set endip <ip>
        set arp-reply {disable | enable}
        set arp-intf <interface-name>
        set cgn-spa {disable | enable}
        set cgn-overload {disable | enable}
        set cgn-fixedalloc {disable | enable}
        set cgn-block-size <number-of-ports>
        set cgn-client-startip <ip>
        set cgn-client-endip <ip>
        set cgn-port-start <port>
        set cgn-port-end <port>
        set utilization-alarm-raise <usage-threshold>
        set utilization-alarm-clear <usage-threshold>
        set exclude-ip <ip-addresses>
end
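The following Python script is an added example and is not code from the Fortinet guide. It models a cgn-resource-allocation pool with the options listed above, sanity-checks the parameters (address and port ranges, block size, the order of the utilization alarm thresholds, excluded addresses inside the pool), estimates whether the client range fits, and renders the pool as the CLI stanza. The capacity model is an assumption for planning only: it treats fixed allocation as giving every client address exactly one block of cgn-block-size ports from the configured port range. The alarm-threshold defaults in the dataclass and the space-separated rendering of several exclude-ip values are also assumptions; all addresses are constructed documentation and shared-address-space ranges.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class CgnPool:
    """Parameters of a cgn-resource-allocation IP pool; field names mirror the CLI options.
    The alarm-threshold defaults are example values chosen here, not FortiOS defaults."""
    name: str
    startip: str
    endip: str
    cgn_block_size: int
    cgn_client_startip: str
    cgn_client_endip: str
    cgn_port_start: int = 1024
    cgn_port_end: int = 65535
    cgn_fixedalloc: bool = True
    utilization_alarm_raise: int = 80
    utilization_alarm_clear: int = 60
    exclude_ip: tuple = ()


def _addr_count(start, end):
    """Number of addresses in an inclusive IPv4 range."""
    return int(IPv4Address(end)) - int(IPv4Address(start)) + 1


def validate(pool):
    """Sanity-check the pool parameters; returns a list of problems (empty when it passes)."""
    problems = []
    lo, hi = int(IPv4Address(pool.startip)), int(IPv4Address(pool.endip))
    if hi < lo:
        problems.append("endip is lower than startip")
    if int(IPv4Address(pool.cgn_client_endip)) < int(IPv4Address(pool.cgn_client_startip)):
        problems.append("cgn-client-endip is lower than cgn-client-startip")
    if not 1 <= pool.cgn_port_start <= pool.cgn_port_end <= 65535:
        problems.append("cgn-port-start/cgn-port-end must satisfy 1 <= start <= end <= 65535")
    elif pool.cgn_block_size > pool.cgn_port_end - pool.cgn_port_start + 1:
        problems.append("cgn-block-size is larger than the configured port range")
    if pool.cgn_block_size <= 0:
        problems.append("cgn-block-size must be positive")
    if not 0 < pool.utilization_alarm_clear < pool.utilization_alarm_raise <= 100:
        problems.append("utilization-alarm-clear must be below utilization-alarm-raise (both 1..100)")
    for ip in pool.exclude_ip:
        if not lo <= int(IPv4Address(ip)) <= hi:
            problems.append(f"exclude-ip {ip} lies outside startip..endip")
    return problems


def capacity(pool):
    """Capacity figures under the assumed fixed-allocation model: every client address
    receives exactly one block of cgn-block-size ports (an assumption, see lead-in)."""
    public_ips = _addr_count(pool.startip, pool.endip) - len(set(pool.exclude_ip))
    ports_per_ip = pool.cgn_port_end - pool.cgn_port_start + 1
    blocks_per_ip = ports_per_ip // pool.cgn_block_size
    total_blocks = public_ips * blocks_per_ip
    clients = _addr_count(pool.cgn_client_startip, pool.cgn_client_endip)
    utilization = round(100 * clients / total_blocks, 1) if total_blocks else float("inf")
    return {
        "public_ips": public_ips,
        "blocks_per_ip": blocks_per_ip,
        "total_blocks": total_blocks,
        "clients": clients,
        "fits": clients <= total_blocks,
        "utilization_pct": utilization,
        "alarm_would_raise": utilization >= pool.utilization_alarm_raise,
    }


def render_cli(pool):
    """Render the pool as the config firewall ippool stanza documented on the page."""
    def onoff(flag):
        return "enable" if flag else "disable"
    lines = [
        "config firewall ippool",
        f"    edit {pool.name}",
        "        set type cgn-resource-allocation",
        f"        set startip {pool.startip}",
        f"        set endip {pool.endip}",
        f"        set cgn-fixedalloc {onoff(pool.cgn_fixedalloc)}",
        f"        set cgn-block-size {pool.cgn_block_size}",
        f"        set cgn-client-startip {pool.cgn_client_startip}",
        f"        set cgn-client-endip {pool.cgn_client_endip}",
        f"        set cgn-port-start {pool.cgn_port_start}",
        f"        set cgn-port-end {pool.cgn_port_end}",
        f"        set utilization-alarm-raise {pool.utilization_alarm_raise}",
        f"        set utilization-alarm-clear {pool.utilization_alarm_clear}",
    ]
    if pool.exclude_ip:  # assumed multi-value syntax: space-separated addresses
        lines.append("        set exclude-ip " + " ".join(pool.exclude_ip))
    lines += ["    next", "end"]
    return "\n".join(lines)


# Constructed sample: a /24 of documentation addresses (network and broadcast addresses
# excluded) serving a /19 of shared address space (100.64.0.0/10) as clients.
EXAMPLE_POOL = CgnPool(
    name="cgn-pool-1",
    startip="203.0.113.0", endip="203.0.113.255",
    cgn_block_size=1024,
    cgn_client_startip="100.64.0.0", cgn_client_endip="100.64.31.255",
    exclude_ip=("203.0.113.0", "203.0.113.255"),
)

if __name__ == "__main__":
    print(render_cli(EXAMPLE_POOL))
    print("problems:", validate(EXAMPLE_POOL) or "none")
    print("capacity:", capacity(EXAMPLE_POOL))
```

With the sample values, 254 usable public addresses and 63 blocks of 1024 ports per address give 16002 blocks for 8192 clients, about 51% of the pool under the assumed model, below the example raise threshold of 80%. Widening the client range to a /16 would exceed the block count, which is the condition the utilization alarm exists to warn about.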

CGN Resource allocation IP pool groups

You can use the following command to create CGN Resource Allocation IP pool groups:

config firewall ippool_grp
    edit <name>
        set member <cgn-ippool> ...
end

Hardware logging

The following hardware logging commands are available:

config log npu-server
    set log-processor {hardware | host}
    set log-processing {may-drop | no-drop}
    set netflow-ver {v9 | v10}
    set enforce-seq-order {disable | enable}
    set syslog-facility <facility>
    set syslog-severity <severity>
    config server-info
        edit <index>
            set vdom <name>
            set ip-family {v4 | v6}
            set log-transport {tcp | udp}
            set ipv4-server <ipv4-address>
            set ipv6-server <ipv6-address>
            set source-port <port-number>
            set dest-port <port-number>
            set template-tx-timeout <timeout>
    end
    config server-group
        edit <group-name>
            set log-mode {per-session | per-nat-mapping | per-session-ending}
            set log-format {netflow | syslog}
            set log-tx-mode {roundrobin | multicast}
            set sw-log-flags {tcp-udp-only | enable-all-log | disable-all-log}
            set log-user-info {disable | enable}
            set log-gen-event {disable | enable}
            set server-number <number>
            set server-start-id <number>
    end
end

Hyperscale firewall inter-VDOM link acceleration

You apply NP7 acceleration to inter-VDOM link traffic by creating inter-VDOM links with the type set to npupair. For example:

config system vdom-link
    edit <name>
        set type npupair
end

More options available for the config system npu command

FortiGates licensed for hyperscale firewall features have more config system npu command options than FortiGates with NP7 processors that are not licensed for hyperscale firewall features. For information about all of the config system npu command options available on a FortiGate with hyperscale firewall features, see Configuring NP7 processors.
