FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 197243



This article describes that as of FortiOS 5.6, the new feature HPE feature (Host Protection Engine) is available to protect the CPUs of the FortiGate under DDOS attack, and allow FortiOS to process packets to its maximum capacity. 
HPE runs in the NP6 ASIC, hence it is available on NP6 platforms only. 
It decodes the incoming packets into several categories and then applies a hardware shaper on each host queue.
A threshold in Packet Per Second can be configured per traffic category.
Traffic categories are:


- TCP.

- UDP.



- ESP.

- IP Fragment.

- Other IP.

- ARP.

- Others


It is not possible to enable/disable HPE per traffic category.

Offloaded traffic is not affected by the HPE.

HPE can be used in addition to DoS policies to protect FortiGate. 
HPE is not so granular as DoS policies, it should be used as the first level of protection. 
DoS policies should be used as a second level of protection using the proper sensors.

Packet flow.



NP6 HPE packet flow and host queues.
Configure HPE separately for each NP6 processor.
Each NP6 processor has multiple host queues and each HPE packets-per-second setting is applied separately to each host queue. 
The actual amount of traffic allowed by an HPE threshold depends on the number of host queues that each NP6 processor has.
It is possible to use the following command to see the number of host queues of the NP6 processors in the FortiGate.
For example, for a FortiGate-1500D, the following command output shows that the number of host queues for NP6_0 is 6 (hpe_ring:6).
# diagnose npu np6 hpe 0 | grep
ring HPE HW pkt_credit:20000 , tsref_inv:60000, tsref_gap:4 , np:0, hpe_type_max:200000, hpe_ring:6
Based on the number of host queues, it is possible to calculate the total number of packets per second allowed for a given HPE threshold for an NP6 processor.
For example, on the FortiGate-1500D, interfaces port1-8, port17-24 and port33-36 are connected to NP6_0.
The default HPE tcpsyn-max setting of 600000 for NP6_0, limits the total number of TCP_SYN host packets per second that these interfaces can process to 600000 x 6 = 3,600,000 host packets per second.



FortiGate with NP6 processors.



HPE is enabled per NP6 processor.
Some platforms have multiple NP6 processors, on these platforms know that the NP6 port mapping applies the HPE configuration to the proper NP6.
It is also important to know the number of host queues per NP6.

The following command can be used to find the NP6 / external port mapping:
# diagnose npu np6 port-list
Chip   XAUI Ports            Max   Cross-chip
                             Speed offloading
------ ---- -------          ----- ----------
np6_0  0    port1            10G   Yes 
             0    port6            10G   Yes 
             1    port2            10G   Yes 
             1    port5            10G   Yes 
             2    port3            10G   Yes 
             2    port8            10G   Yes 
             3    port4            10G   Yes 
             3    port7            10G   Yes 
      ------ ---- -------          ----- ----------
np6_1  0    port10           10G   Yes  
            0    port13           10G   Yes  
            1    port9            10G   Yes  
            1    port14           10G   Yes  
            2    port12           10G   Yes  
            2    port15           10G   Yes  
            3    port11           10G   Yes  
            3    port16           10G   Yes  
     ------ ---- -------          ----- ----------
In the above example, the external interface (Interface facing) is port1.

In order to protect the FortiGate against a DDOS attack coming from the Internet, the HPE configuration needs to be applied under NP6 0.
# config system np6
edit "np6_0"
config hpe
            set type-shaping-tcpsyn-max <threshold 10000 - 4000000000 pps>
            set type-shaping-tcp-max <threshold 10000 - 4000000000 pps>
            set type-shaping-udp-max <threshold 10000 - 4000000000 pps>
            set type-shaping-icmp-max <threshold 10000 - 40000000000 pps>
            set type-shaping-sctp-max <threshold 10000 - 4000000000 pps>
           set type-shaping-ipsec-esp-max <threshold 10000 - 4000000000 pps>
            set type-shaping-ip-frag-max <threshold 10000 - 4000000000 pps>]
           set type-shaping-ip-others-max <threshold 10000 - 4000000000 pps>
            set type-shaping-arp-max <threshold 10000 - 4000000000 pps>
            set type-shaping-others-max <threshold 10000 - 4000000000 pps>
            set type-shaper enable
The following command can also be used to find the number of host queues :
# diag hardware sysinfo interrupts | grep -c np6_0-tx-rx
This unit has 20 host queues per NP6.
The FortiGate-3600E has six NP6 processors and each NP6 processor has 20 host queues.
All front panel data interfaces are connected to all NP6 processors over the integrated switch fabric.
The default tcpsyn-ack-max setting of 600000 limits the of total number of TCP SYN_ACK host packets per second that the FortiGate-3600E can process to 600000 x 20 x 6 = 72,000,000 TCP SYN_ACK host packets per second.
The threshold should be chosen according to the traffic pattern and the platform characteristics.
Related documents.
NP6 HPE host protection engine (updated for FortiOS 7.0):

The FortiOS 7.0 NP6 HPE includes new functionality for configuring more HPE packet types and for HPE monitoring.

NP7 HPE host protection engine (added to FortiOS 6.2.9 and 6.4.6):
The FortiOS 6.2.9 and 6.4.6 NP7 HPE includes new functionality for applying one HPE setting for all traffic types, for configuring more HPE packet types, and for HPE monitoring.