
Hardware Acceleration

Configuring NP7 processors

Configuring NP7 processors

You can use the config system npu command to configure a wide range of settings for the NP7 processors in your FortiGate, including adjusting session accounting and session timeouts. You can also set anomaly checking for IPv4 and IPv6 traffic (the config fp-anomaly options below).

Note

The FortiGate 1800F, 2600F, 3500F, 4200F and 4400F models also include the following command for configuring NP7 processors:

config system npu-post

set npu-group-effective-scope { 0 | 1 | 2 | 3 | 255}

config port-npu-map

edit <interface-name>

set npu-group <group-name>

end

end

end

For more information, see config system npu-post.

You can also enable and adjust Host Protection Engine (HPE) settings (the config hpe options below) to protect networks from DoS attacks. HPE categorizes incoming packets based on packet rate and processing cost and applies packet shaping to packets that can cause DoS attacks.

The settings that you configure with the config system npu command apply to all NP7 processors and traffic processed by all interfaces connected to NP7 processors. This includes the physical interfaces connected to the NP7 processors as well as all VLAN interfaces, IPsec interfaces, LAGs, and so on associated with the physical interfaces connected to the NP7 processors.

config system npu

set dedicated-management-cpu {disable | enable}

set npu-group-effective-scope { 0 | 1 | 2 | 3 | 255}

set hash-config {src-dst-ip | 5-tuple | src-ip}

set napi-break-interval <interval>

set capwap-offload {disable | enable}

set vxlan-offload {disable | enable}

set default-qos-type {policing | shaping}

set shaping-stats {disable | enable}

set gtp-support {disable | enable}

set per-session-accounting {disable | enable | traffic-log-only}

set session-acct-interval <seconds>

set per-policy-accounting {disable | enable}

set max-session-timeout <seconds>

set hash-tbl-spread {disable | enable}

set vlan-lookup-cache {disable | enable}

set ip-fragment-offload {disable | enable}

set htx-icmp-csum-chk {drop | pass}

set htab-msg-queue {data | idle | dedicated}

set htab-dedi-queue-nr <number-of-queues>

set qos-mode {disable | priority | round-robin}

set inbound-dscp-copy-port <interface> [<interface> ...]

set double-level-mcast-offload {disable | enable}

set qtm-buf-mode {6ch | 4ch}

set ipsec-ob-np-sel {rr | Packet | Hash}

set max-receive-unit <size>

set ull-port-mode {10G | 25G}

config port-npu-map

edit <interface-name>

set npu-group-index <index>

config port-path-option

set ports-using-npu {ha1 ha2 aux1 aux2}

config dos-options

set npu-dos-meter-mode {global | local}

set npu-dos-tpe-mode {disable | enable}

config hpe

set all-protocol <packets-per-second>

set tcpsyn-max <packets-per-second>

set tcpsyn-ack-max <packets-per-second>

set tcpfin-rst-max <packets-per-second>

set tcp-max <packets-per-second>

set udp-max <packets-per-second>

set icmp-max <packets-per-second>

set sctp-max <packets-per-second>

set esp-max <packets-per-second>

set ip-frag-max <packets-per-second>

set ip-others-max <packets-per-second>

set arp-max <packets-per-second>

set l2-others-max <packets-per-second>

set high-priority <packets-per-second>

set enable-shaper {disable | enable}

config fp-anomaly

set tcp-syn-fin {allow | drop | trap-to-host}

set tcp-fin-noack {allow | drop | trap-to-host}

set tcp-fin-only {allow | drop | trap-to-host}

set tcp-no-flag {allow | drop | trap-to-host}

set tcp-syn-data {allow | drop | trap-to-host}

set tcp-winnuke {allow | drop | trap-to-host}

set tcp-land {allow | drop | trap-to-host}

set udp-land {allow | drop | trap-to-host}

set icmp-land {allow | drop | trap-to-host}

set icmp-frag {allow | drop | trap-to-host}

set ipv4-land {allow | drop | trap-to-host}

set ipv4-proto-err {allow | drop | trap-to-host}

set ipv4-unknopt {allow | drop | trap-to-host}

set ipv4-optrr {allow | drop | trap-to-host}

set ipv4-optssrr {allow | drop | trap-to-host}

set ipv4-optlsrr {allow | drop | trap-to-host}

set ipv4-optstream {allow | drop | trap-to-host}

set ipv4-optsecurity {allow | drop | trap-to-host}

set ipv4-opttimestamp {allow | drop | trap-to-host}

set ipv4-csum-err {drop | trap-to-host}

set tcp-csum-err {drop | trap-to-host}

set udp-csum-err {drop | trap-to-host}

set icmp-csum-err {drop | trap-to-host}

set sctp-csum-err {allow | drop | trap-to-host}

set ipv6-land {allow | drop | trap-to-host}

set ipv6-proto-err {allow | drop | trap-to-host}

set ipv6-unknopt {allow | drop | trap-to-host}

set ipv6-saddr-err {allow | drop | trap-to-host}

set ipv6-daddr-err {allow | drop | trap-to-host}

set ipv6-optralert {allow | drop | trap-to-host}

set ipv6-optjumbo {allow | drop | trap-to-host}

set ipv6-opttunnel {allow | drop | trap-to-host}

set ipv6-opthomeaddr {allow | drop | trap-to-host}

set ipv6-optnsap {allow | drop | trap-to-host}

set ipv6-optendpid {allow | drop | trap-to-host}

set ipv6-optinvld {allow | drop | trap-to-host}

config ip-reassembly

set min_timeout <micro-seconds>

set max_timeout <micro-seconds>

set status {disable | enable}

config dsw-dts-profile

edit <profile-id>

set min-limit <limit>

set step <number>

set action {wait | drop | drop_tmr_0 | drop_tmr_1 | enque | enque_0 | enque_1 }

config dsw-queue-dts-profile

edit <profile-name>

set iport <iport>

set oport <oport>

set profile-id <profile-id>

set queue-select <queue-id>

config np-queues

config profile

edit <profile-id>

set type {cos | dscp}

set weight <weight>

set {cos0 | cos1 | ... | cos7} {queue0 | queue1 | ... | queue7}

set {dscp0 | dscp1 | ... | dscp63} {queue0 | queue1 | ... | queue7}

end

config ethernet-type

edit <ethernet-type-name>

set type <ethertype>

set queue <queue>

set weight <weight>

config ip-protocol

edit <protocol-name>

set protocol <ip-protocol-number>

set queue <queue>

set weight <weight>

config ip-service

edit <service-name>

set protocol <ip-protocol-number>

set sport <port-number>

set dport <port-number>

set queue <queue>

set weight <weight>

config scheduler

edit <schedule-name>

set mode {none | priority | round-robin}

end

end

config sw-eh-hash

set computation {xor16 | xor8 | xor4 | crc16}

set ip-protocol {exclude | include}

set source-ip-upper-16 {exclude | include}

set source-ip-lower-16 {exclude | include}

set destination-ip-upper-16 {exclude | include}

set destination-ip-lower-16 {exclude | include}

set source-port {exclude | include}

set destination-port {exclude | include}

set netmask-length <length>

config sw-tr-hash

set draco15 {disable | enable}

set tcp-udp-port {exclude | include}

end

Configuring NP7 processors

Configuring NP7 processors

You can use the config system npu command to configure a wide range of settings for the NP7 processors in your FortiGate, including adjusting session accounting and session timeouts. You can also set anomaly checking for IPv4 and IPv6 traffic (the config fp-anomaly options below).

Note

The FortiGate 1800F, 2600F, 3500F, 4200F and 4400F models also include the following command for configuring NP7 processors:

config system npu-post

set npu-group-effective-scope { 0 | 1 | 2 | 3 | 255}

config port-npu-map

edit <interface-name>

set npu-group <group-name>

end

end

end

For more information, see config system npu-post.

You can also enable and adjust Host Protection Engine (HPE) settings (the config hpe options below) to protect networks from DoS attacks. HPE categorizes incoming packets based on packet rate and processing cost and applies packet shaping to packets that can cause DoS attacks.

The settings that you configure with the config system npu command apply to all NP7 processors and traffic processed by all interfaces connected to NP7 processors. This includes the physical interfaces connected to the NP7 processors as well as all VLAN interfaces, IPsec interfaces, LAGs, and so on associated with the physical interfaces connected to the NP7 processors.

config system npu

set dedicated-management-cpu {disable | enable}

set npu-group-effective-scope { 0 | 1 | 2 | 3 | 255}

set hash-config {src-dst-ip | 5-tuple | src-ip}

set napi-break-interval <interval>

set capwap-offload {disable | enable}

set vxlan-offload {disable | enable}

set default-qos-type {policing | shaping}

set shaping-stats {disable | enable}

set gtp-support {disable | enable}

set per-session-accounting {disable | enable | traffic-log-only}

set session-acct-interval <seconds>

set per-policy-accounting {disable | enable}

set max-session-timeout <seconds>

set hash-tbl-spread {disable | enable}

set vlan-lookup-cache {disable | enable}

set ip-fragment-offload {disable | enable}

set htx-icmp-csum-chk {drop | pass}

set htab-msg-queue {data | idle | dedicated}

set htab-dedi-queue-nr <number-of-queues>

set qos-mode {disable | priority | round-robin}

set inbound-dscp-copy-port <interface> [<interface> ...]

set double-level-mcast-offload {disable | enable}

set qtm-buf-mode {6ch | 4ch}

set ipsec-ob-np-sel {rr | Packet | Hash}

set max-receive-unit <size>

set ull-port-mode {10G | 25G}

config port-npu-map

edit <interface-name>

set npu-group-index <index>

config port-path-option

set ports-using-npu {ha1 ha2 aux1 aux2}

config dos-options

set npu-dos-meter-mode {global | local}

set npu-dos-tpe-mode {disable | enable}

config hpe

set all-protocol <packets-per-second>

set tcpsyn-max <packets-per-second>

set tcpsyn-ack-max <packets-per-second>

set tcpfin-rst-max <packets-per-second>

set tcp-max <packets-per-second>

set udp-max <packets-per-second>

set icmp-max <packets-per-second>

set sctp-max <packets-per-second>

set esp-max <packets-per-second>

set ip-frag-max <packets-per-second>

set ip-others-max <packets-per-second>

set arp-max <packets-per-second>

set l2-others-max <packets-per-second>

set high-priority <packets-per-second>

set enable-shaper {disable | enable}

config fp-anomaly

set tcp-syn-fin {allow | drop | trap-to-host}

set tcp-fin-noack {allow | drop | trap-to-host}

set tcp-fin-only {allow | drop | trap-to-host}

set tcp-no-flag {allow | drop | trap-to-host}

set tcp-syn-data {allow | drop | trap-to-host}

set tcp-winnuke {allow | drop | trap-to-host}

set tcp-land {allow | drop | trap-to-host}

set udp-land {allow | drop | trap-to-host}

set icmp-land {allow | drop | trap-to-host}

set icmp-frag {allow | drop | trap-to-host}

set ipv4-land {allow | drop | trap-to-host}

set ipv4-proto-err {allow | drop | trap-to-host}

set ipv4-unknopt {allow | drop | trap-to-host}

set ipv4-optrr {allow | drop | trap-to-host}

set ipv4-optssrr {allow | drop | trap-to-host}

set ipv4-optlsrr {allow | drop | trap-to-host}

set ipv4-optstream {allow | drop | trap-to-host}

set ipv4-optsecurity {allow | drop | trap-to-host}

set ipv4-opttimestamp {allow | drop | trap-to-host}

set ipv4-csum-err {drop | trap-to-host}

set tcp-csum-err {drop | trap-to-host}

set udp-csum-err {drop | trap-to-host}

set icmp-csum-err {drop | trap-to-host}

set sctp-csum-err {allow | drop | trap-to-host}

set ipv6-land {allow | drop | trap-to-host}

set ipv6-proto-err {allow | drop | trap-to-host}

set ipv6-unknopt {allow | drop | trap-to-host}

set ipv6-saddr-err {allow | drop | trap-to-host}

set ipv6-daddr-err {allow | drop | trap-to-host}

set ipv6-optralert {allow | drop | trap-to-host}

set ipv6-optjumbo {allow | drop | trap-to-host}

set ipv6-opttunnel {allow | drop | trap-to-host}

set ipv6-opthomeaddr {allow | drop | trap-to-host}

set ipv6-optnsap {allow | drop | trap-to-host}

set ipv6-optendpid {allow | drop | trap-to-host}

set ipv6-optinvld {allow | drop | trap-to-host}

config ip-reassembly

set min_timeout <micro-seconds>

set max_timeout <micro-seconds>

set status {disable | enable}

config dsw-dts-profile

edit <profile-id>

set min-limit <limit>

set step <number>

set action {wait | drop | drop_tmr_0 | drop_tmr_1 | enque | enque_0 | enque_1 }

config dsw-queue-dts-profile

edit <profile-name>

set iport <iport>

set oport <oport>

set profile-id <profile-id>

set queue-select <queue-id>

config np-queues

config profile

edit <profile-id>

set type {cos | dscp}

set weight <weight>

set {cos0 | cos1 | ... | cos7} {queue0 | queue1 | ... | queue7}

set {dscp0 | dscp1 | ... | dscp63} {queue0 | queue1 | ... | queue7}

end

config ethernet-type

edit <ethernet-type-name>

set type <ethertype>

set queue <queue>

set weight <weight>

config ip-protocol

edit <protocol-name>

set protocol <ip-protocol-number>

set queue <queue>

set weight <weight>

config ip-service

edit <service-name>

set protocol <ip-protocol-number>

set sport <port-number>

set dport <port-number>

set queue <queue>

set weight <weight>

config scheduler

edit <schedule-name>

set mode {none | priority | round-robin}

end

end

config sw-eh-hash

set computation {xor16 | xor8 | xor4 | crc16}

set ip-protocol {exclude | include}

set source-ip-upper-16 {exclude | include}

set source-ip-lower-16 {exclude | include}

set destination-ip-upper-16 {exclude | include}

set destination-ip-lower-16 {exclude | include}

set source-port {exclude | include}

set destination-port {exclude | include}

set netmask-length <length>

config sw-tr-hash

set draco15 {disable | enable}

set tcp-udp-port {exclude | include}

end