What's new for hyperscale firewall for FortiOS 7.6.0
This section lists the new hyperscale firewall features added to FortiOS 7.6.0.
- New hyperscale firewall policy option to keep EIF active after the DSE timer expires:

    config firewall policy
        edit 1
            set cgn-eif enable
            set cgn-sw-eif-ctrl {enable | disable}
    end

  See the description of cgn-sw-eif-ctrl in CGN resource allocation hyperscale firewall policies.

- New config system npu command options to set global session quotas for IPv6 sessions, see Session quotas for IPv6 sessions.

    config system npu
        set ipv6-prefix-session-quota {disable | enable}
        set ipv6-prefix-session-quota-high <high-threshold>
        set ipv6-prefix-session-quota-low <low-threshold>
    end

- New config system npu options to set session quotas for IPv4 sessions accepted by firewall policies with NAT disabled, see Session quotas for IPv4 sessions.

    config system npu
        set ipv4-session-quota {disable | enable}
        set ipv4-session-quota-high <high-threshold>
        set ipv4-session-quota-low <low-threshold>
    end

- New config system npu options to control the rate at which NP7 processors generate ICMPv4 and ICMPv6 error packets, see config icmp-error-rate-ctrl.

    config system npu
        config icmp-error-rate-ctrl
            set icmpv4-error-rate-limit {disable | enable}
            set icmpv4-error-rate <packets-per-second>
            set icmpv4-error-bucket-size <token-bucket-size>
            set icmpv6-error-rate-limit {disable | enable}
            set icmpv6-error-rate <packets-per-second>
            set icmpv6-error-bucket-size <token-bucket-size>
        end
    end

- The following new CGNAT features have been added to standard FortiOS:
  - Full cone NAT for fixed port range IP pools (Endpoint Independent Filtering (EIF)).