
Adjusting NP7 hyperscale firewall blackhole and loopback route behavior

You can use the following diagnose command to configure how the NP7 hyperscale firewall policy engine handles traffic in a hyperscale firewall VDOM that matches a blackhole route or a loopback route. The NP7 policy engine is implemented by the NP7 npd process. By default the NP7 policy engine:

  • Drops traffic that matches a blackhole route (drop).

  • Sends traffic that matches a loopback route to the CPU (host).

You can use the following diagnose command to change this behavior. Because this is a diagnose command, any changes are reverted to defaults when the FortiGate restarts.

The command syntax is:

diagnose npd debug cmd 14 {28 | 29} {0 | 1 | 2}

  • 28: configure how the NP7 policy engine handles traffic that matches a blackhole route.

  • 29: configure how the NP7 policy engine handles traffic that matches a loopback route.

  • 0: set blackhole or loopback route handling to ignore.

  • 1: send traffic that matches a blackhole or loopback route to the CPU (host).

  • 2: drop traffic that matches a blackhole or loopback route.

For example, use the following command to send traffic that matches a blackhole route to the CPU:

diagnose npd debug cmd 14 28 1

Use the following command to set loopback routing to drop:

diagnose npd debug cmd 14 29 2

Viewing the NP7 hyperscale policy engine routing configuration

You can use the following diagnose command to view the current NP7 hyperscale policy engine routing configuration. You can also use this command to add and remove routes. Because this is a diagnose command, any changes are reverted to defaults when the FortiGate restarts:

diagnose npd route {lookup | dump | stats | sync | flush | add | del}

  • lookup: look up route links.

  • dump: list the NP7 policy engine routing table.

  • stats: display route statistics.

  • sync: update the NP7 policy engine routing table to match the CPU kernel routing table.

  • flush: flush the NP7 policy engine routing table.

  • add: add a route to the NP7 policy engine routing table.

  • del: delete a route from the NP7 policy engine routing table.

The syntax for the add and del commands is:

diagnose npd route {add | del} <destination> <prefix-length> <gateway> <oif> <table> <scope> <type> <proto> <priority> <tos> <flags>

For blackhole and loopback routes, set <flags> to the following nh_flags values:

  • For blackhole routes the nh_flags value is 0x80.

  • For loopback routes, the nh_flags value is 0x100.

For example, use the following command to add a blackhole route to the NP7 policy engine routing table:

diagnose npd route add 1.1.1.1 24 0.0.0.0 54 254 0 1 11 3333 0 0x80

The following command will delete this route from the NP7 policy engine routing table:

diagnose npd route del 1.1.1.1 24 0.0.0.0 54 254 0 1 11 3333 0 0x80
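The two procedures above (setting route handling with "diagnose npd debug cmd 14" and adding or deleting routes with "diagnose npd route") as one added Python example that is not part of the Fortinet documentation: it builds the commands from the documented ids and nh_flags values, parses a route command back into its eleven fields, and regenerates the full set so it can be re-applied after a restart, since diagnose changes revert to defaults. The field defaults other than flags (taken from the documentation's example), the IPv4 and prefix-length checks, and the DESIRED state are assumptions.

```python
import ipaddress

# Values from the documentation: subcommand ids and actions for
# "diagnose npd debug cmd 14", and nh_flags for the two route kinds.
ROUTE_KIND_ID = {"blackhole": 28, "loopback": 29}
HANDLING = {"ignore": 0, "host": 1, "drop": 2}
NH_FLAGS = {"blackhole": 0x80, "loopback": 0x100}
# Positional fields of "diagnose npd route {add | del}", in command order.
FIELDS = ("destination", "prefix-length", "gateway", "oif", "table", "scope",
          "type", "proto", "priority", "tos", "flags")

def handling_cmd(kind, handling):
    """Command that sets how the policy engine treats one route kind."""
    return f"diagnose npd debug cmd 14 {ROUTE_KIND_ID[kind]} {HANDLING[handling]}"

def route_cmd(action, kind, destination, prefix_length, gateway="0.0.0.0",
              oif=0, table=254, scope=0, rtype=1, proto=11, priority=0, tos=0):
    """Command that adds or deletes one blackhole or loopback route.
    Defaults other than flags are assumptions copied from the doc example."""
    if action not in ("add", "del"):
        raise ValueError("action must be add or del")
    ipaddress.IPv4Address(destination)  # raises ValueError on a bad address
    ipaddress.IPv4Address(gateway)
    if not 0 <= int(prefix_length) <= 32:
        raise ValueError("prefix-length must be 0..32")
    values = (destination, prefix_length, gateway, oif, table, scope, rtype,
              proto, priority, tos, f"0x{NH_FLAGS[kind]:x}")
    return f"diagnose npd route {action} " + " ".join(str(v) for v in values)

def parse_route_cmd(cmd):
    """Split a route add/del command into named fields; the route kind is
    recovered from the nh_flags value, 'other' if it is neither documented one."""
    parts = cmd.split()
    if parts[:3] != ["diagnose", "npd", "route"] or parts[3] not in ("add", "del"):
        raise ValueError("not an npd route add/del command")
    if len(parts) != 4 + len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts) - 4}")
    route = dict(zip(FIELDS, parts[4:]), action=parts[3])
    flags = int(route["flags"], 0)
    route["kind"] = next((k for k, v in NH_FLAGS.items() if v == flags), "other")
    return route

def reapply_commands(state):
    """Commands that restore a desired diagnose state after a FortiGate restart."""
    cmds = [handling_cmd(k, h) for k, h in sorted(state["handling"].items())]
    return cmds + [route_cmd("add", **r) for r in state["routes"]]

# Constructed desired state; the route is the documentation's own example.
DESIRED = {"handling": {"blackhole": "host", "loopback": "drop"},
           "routes": [{"kind": "blackhole", "destination": "1.1.1.1",
                       "prefix_length": 24, "oif": 54, "priority": 3333}]}
```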
