bdickie_FTNT (Staff)
Article Id 197243

Description

 

This article describes the HPE (Host Protection Engine) feature, available as of FortiOS 5.6, which protects the CPUs of the FortiGate under a DDoS attack and allows FortiOS to keep processing packets at its maximum capacity.

 

HPE runs in the NP6 ASIC, hence it is available on NP6 platforms only. It classifies incoming packets into several categories and then applies a hardware shaper on each host queue. A threshold in packets per second can be configured per traffic category. The traffic categories are:

  • TCP SYN.
  • TCP.
  • UDP.
  • ICMP.
  • SCTP.
  • ESP.
  • IP Fragment.
  • Other IP.
  • ARP.
  • Others.

 

It is not possible to enable/disable HPE per traffic category.

Offloaded traffic is not affected by the HPE.

HPE can be used in addition to DoS policies to protect the FortiGate.
 
HPE is not as granular as DoS policies, so it should be used as the first level of protection.
 
DoS policies, using the proper sensors, should be used as the second level of protection.

Packet flow.

(Figure: NP6 HPE packet flow and host queues.)
 
Configure HPE separately for each NP6 processor.
 
Each NP6 processor has multiple host queues, and each HPE packets-per-second setting is applied separately to each host queue. 
 
The actual amount of traffic allowed by an HPE threshold depends on the number of host queues that each NP6 processor has.
 
It is possible to use the following command to see the number of host queues of the NP6 processors in the FortiGate.
 
For example, for a FortiGate-1500D, the following command output shows that the number of host queues for NP6_0 is 6 (hpe_ring:6).
 
diagnose npu np6 hpe 0 | grep
ring HPE HW pkt_credit:20000 , tsref_inv:60000, tsref_gap:4 , np:0, hpe_type_max:200000, hpe_ring:6
 
Based on the number of host queues, it is possible to calculate the total number of packets per second allowed for a given HPE threshold for an NP6 processor.
 
For example, on the FortiGate-1500D, interfaces port1-8, port17-24, and port33-36 are connected to NP6_0.
 
The default HPE tcpsyn-max setting of 600000 for NP6_0 limits the total number of TCP_SYN host packets per second that these interfaces can process to 600000 x 6 = 3,600,000 host packets per second.


Scope

 

FortiGate with NP6 processors.
 

Solution

 

HPE is enabled per NP6 processor.
 
Some platforms have multiple NP6 processors; on these platforms, check the NP6 port mapping so that the HPE configuration is applied to the proper NP6.
 
It is also important to know the number of host queues per NP6.

The following command can be used to find the NP6 / external port mapping:
 
diagnose npu np6 port-list
Chip   XAUI Ports            Max   Cross-chip
                             Speed offloading
------ ---- -------          ----- ----------
np6_0  0    port1            10G   Yes
       0    port6            10G   Yes
       1    port2            10G   Yes
       1    port5            10G   Yes
       2    port3            10G   Yes
       2    port8            10G   Yes
       3    port4            10G   Yes
       3    port7            10G   Yes
------ ---- -------          ----- ----------
np6_1  0    port10           10G   Yes
       0    port13           10G   Yes
       1    port9            10G   Yes
       1    port14           10G   Yes
       2    port12           10G   Yes
       2    port15           10G   Yes
       3    port11           10G   Yes
       3    port16           10G   Yes
------ ---- -------          ----- ----------
 
In the above example, the external (Internet-facing) interface is port1, which is connected to np6_0.

To protect the FortiGate against a DDoS attack coming from the Internet, the HPE configuration therefore needs to be applied under np6_0.
 
config system np6
    edit "np6_0"
        config hpe
            set type-shaping-tcpsyn-max <threshold 10000 - 4000000000 pps>
            set type-shaping-tcp-max <threshold 10000 - 4000000000 pps>
            set type-shaping-udp-max <threshold 10000 - 4000000000 pps>
            set type-shaping-icmp-max <threshold 10000 - 4000000000 pps>
            set type-shaping-sctp-max <threshold 10000 - 4000000000 pps>
            set type-shaping-ipsec-esp-max <threshold 10000 - 4000000000 pps>
            set type-shaping-ip-frag-max <threshold 10000 - 4000000000 pps>
            set type-shaping-ip-others-max <threshold 10000 - 4000000000 pps>
            set type-shaping-arp-max <threshold 10000 - 4000000000 pps>
            set type-shaping-others-max <threshold 10000 - 4000000000 pps>
            set type-shaper enable
        end
end
 
For newer FortiOS versions, the syntax has changed as per below:
 
config system {np6 | np6xlite | np6lite}
    edit <np6-processor-name>
        config hpe
            set enable-shaper {disable | enable}
            set tcpsyn-max <packets-per-second>
            set tcpsyn-ack-max <packets-per-second>
            set tcpfin-rst-max <packets-per-second>
            set tcp-max <packets-per-second>
            set udp-max <packets-per-second>
            set icmp-max <packets-per-second>
            set sctp-max <packets-per-second>
            set esp-max <packets-per-second>
            set ip-frag-max <packets-per-second>
            set ip-others-max <packets-per-second>
            set arp-max <packets-per-second>
            set l2-others-max <packets-per-second>
            set pri-type-max <packets-per-second>
        end
end

 

The following command can also be used to find the number of host queues:
 
diagnose hardware sysinfo interrupts | grep -c np6_0-tx-rx
20
 
This unit has 20 host queues per NP6.
 
The FortiGate-3600E has six NP6 processors, and each NP6 processor has 20 host queues.
 
All front-panel data interfaces are connected to all NP6 processors over the integrated switch fabric.
 
The default tcpsyn-ack-max setting of 600000 limits the total number of TCP SYN_ACK host packets per second that the FortiGate-3600E can process to 600000 x 20 x 6 = 72,000,000 TCP SYN_ACK host packets per second.
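Worked example, added here and not part of the Fortinet article: a small Python script that maps ports to their NP6 chip from the port-list output, reads hpe_ring from the hpe diagnose output, and applies the article's arithmetic (threshold x host queues x number of NP6 processors) to both the FortiGate-1500D case (600000 x 6) and the FortiGate-3600E case (600000 x 20 x 6), plus the reverse calculation of a per-queue threshold for a target aggregate. The sample outputs are constructed from the text above and the function names are assumptions of this example.

```python
import math
import re

# Constructed sample: port-list rows copied from this article (trimmed), two NP6 chips.
PORT_LIST = """\
Chip   XAUI Ports            Max   Cross-chip
                             Speed offloading
------ ---- -------          ----- ----------
np6_0  0    port1            10G   Yes
       0    port6            10G   Yes
       1    port2            10G   Yes
np6_1  0    port10           10G   Yes
       1    port9            10G   Yes
"""
# Constructed sample of the 'diagnose npu np6 hpe 0' line quoted in the article.
HPE_LINE = ("ring HPE HW pkt_credit:20000 , tsref_inv:60000, tsref_gap:4 , "
            "np:0, hpe_type_max:200000, hpe_ring:6")
# Configurable per-queue range, as shown in the article's config hpe block.
HPE_MIN, HPE_MAX = 10_000, 4_000_000_000

ROW = re.compile(r"^(np6\w*)?\s+(\d+)\s+(port\d+)\b")

def parse_port_list(text):
    """Map each port to its NP6 chip; rows with a blank Chip column belong to the last named chip."""
    mapping, chip = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue                       # header and separator lines
        chip = m.group(1) or chip
        mapping[m.group(3)] = chip
    return mapping

def parse_host_queues(text):
    """Read hpe_ring:N, the number of host queues of this NP6."""
    m = re.search(r"hpe_ring:(\d+)", text)
    if not m:
        raise ValueError("hpe_ring not found in diagnose output")
    return int(m.group(1))

def aggregate_pps(threshold, host_queues, np_count=1):
    """Host pps actually admitted: the per-queue threshold applies to every host queue of every NP6."""
    return threshold * host_queues * np_count

def threshold_for_aggregate(target_pps, host_queues, np_count=1):
    """Per-queue value to configure so the aggregate stays at or below target_pps, clamped to the range."""
    per_queue = math.ceil(target_pps / (host_queues * np_count))
    return max(HPE_MIN, min(HPE_MAX, per_queue))
```

parse_port_list(PORT_LIST)["port1"] tells which `edit "np6_X"` entry the configuration belongs under, and aggregate_pps reproduces the 3,600,000 and 72,000,000 figures above.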
 
The threshold should be chosen according to the traffic pattern and the platform characteristics.
 
FortiOS can help to find a suitable threshold for the HPE settings.
 
The following command can be used:
 
diagnose npu np6 monitor-hpe enable 0
 
This command activates monitor mode for the HPE feature: HPE generates event logs for the packets it would drop, without actually dropping them.
 
This command can be used to verify that the HPE is in monitoring mode:
 
diagnose npu np6 hpe 0 | grep Monitoring
HPE monitoring...
 
Once the assessment is done, this command will revert to normal operation of the HPE feature:
 
diagnose npu np6 monitor-hpe disable 0
 
Related documents.

NP6 HPE host protection engine (updated for FortiOS v7.0): the FortiOS v7.0 NP6 HPE includes new functionality for configuring more HPE packet types and for HPE monitoring.

NP7 HPE host protection engine (added to FortiOS v6.2.9 and v6.4.6): the FortiOS v6.2.9 and v6.4.6 NP7 HPE include new functionality for applying one HPE setting for all traffic types, configuring more HPE packet types, and HPE monitoring.