Description
This article describes the Host Protection Engine (HPE), a feature available as of FortiOS 5.6 that protects the CPUs of the FortiGate under a DDoS attack and allows FortiOS to process packets at its maximum capacity.
HPE runs in the NP6 ASIC, hence it is available on NP6 platforms only.
It decodes the incoming packets into several categories and then applies a hardware shaper on each host queue.
A threshold in Packet Per Second can be configured per traffic category.
Traffic categories are:
- TCP SYN.
- TCP.
- UDP.
- ICMP.
- SCTP.
- ESP.
- IP Fragment.
- Other IP.
- ARP.
- Others.
It is not possible to enable/disable HPE per traffic category.
Offloaded traffic is not affected by the HPE.
HPE can be used in addition to DoS policies to protect FortiGate.
HPE is not as granular as DoS policies, so it should be used as the first level of protection.
DoS policies, with the proper sensors, should be used as the second level of protection.
Packet flow (figure): NP6 HPE packet flow and host queues.
Configure HPE separately for each NP6 processor.
Each NP6 processor has multiple host queues and each HPE packets-per-second setting is applied separately to each host queue.
The actual amount of traffic allowed by an HPE threshold depends on the number of host queues that each NP6 processor has.
The following command shows the number of host queues of the NP6 processors in the FortiGate.
For example, for a FortiGate-1500D, the following command output shows that the number of host queues for NP6_0 is 6 (hpe_ring:6).
# diagnose npu np6 hpe 0 | grep
ring HPE HW pkt_credit:20000 , tsref_inv:60000, tsref_gap:4 , np:0, hpe_type_max:200000, hpe_ring:6
Based on the number of host queues, it is possible to calculate the total number of packets per second allowed for a given HPE threshold for an NP6 processor.
For example, on the FortiGate-1500D, interfaces port1-8, port17-24 and port33-36 are connected to NP6_0.
The default HPE tcpsyn-max setting of 600000 for NP6_0 limits the total number of TCP_SYN host packets per second that these interfaces can process to 600000 x 6 = 3,600,000 host packets per second.
Scope
FortiGate with NP6 processors.
Solution
HPE is enabled per NP6 processor.
Some platforms have multiple NP6 processors; on these platforms, check the NP6 port mapping so that the HPE configuration is applied to the correct NP6.
It is also important to know the number of host queues per NP6.
The following command can be used to find the NP6 / external port mapping:
# diagnose npu np6 port-list
Chip   XAUI Ports   Max   Cross-chip
                    Speed offloading
------ ---- ------- ----- ----------
np6_0  0    port1   10G   Yes
       0    port6   10G   Yes
       1    port2   10G   Yes
       1    port5   10G   Yes
       2    port3   10G   Yes
       2    port8   10G   Yes
       3    port4   10G   Yes
       3    port7   10G   Yes
------ ---- ------- ----- ----------
np6_1  0    port10  10G   Yes
       0    port13  10G   Yes
       1    port9   10G   Yes
       1    port14  10G   Yes
       2    port12  10G   Yes
       2    port15  10G   Yes
       3    port11  10G   Yes
       3    port16  10G   Yes
------ ---- ------- ----- ----------
In the above example, the external (Internet facing) interface is port1.
To protect the FortiGate against a DDoS attack coming from the Internet, the HPE configuration therefore needs to be applied under np6_0.
# config system np6
    edit "np6_0"
        config hpe
            set type-shaping-tcpsyn-max <threshold 10000 - 4000000000 pps>
            set type-shaping-tcp-max <threshold 10000 - 4000000000 pps>
            set type-shaping-udp-max <threshold 10000 - 4000000000 pps>
            set type-shaping-icmp-max <threshold 10000 - 4000000000 pps>
            set type-shaping-sctp-max <threshold 10000 - 4000000000 pps>
            set type-shaping-ipsec-esp-max <threshold 10000 - 4000000000 pps>
            set type-shaping-ip-frag-max <threshold 10000 - 4000000000 pps>
            set type-shaping-ip-others-max <threshold 10000 - 4000000000 pps>
            set type-shaping-arp-max <threshold 10000 - 4000000000 pps>
            set type-shaping-others-max <threshold 10000 - 4000000000 pps>
            set type-shaper enable
        end
    end
The following command can also be used to find the number of host queues:
# diag hardware sysinfo interrupts | grep -c np6_0-tx-rx
20
This unit has 20 host queues per NP6.
The FortiGate-3600E has six NP6 processors and each NP6 processor has 20 host queues.
All front panel data interfaces are connected to all NP6 processors over the integrated switch fabric.
The default tcpsyn-ack-max setting of 600000 limits the total number of TCP SYN_ACK host packets per second that the FortiGate-3600E can process to 600000 x 20 x 6 = 72,000,000 TCP SYN_ACK host packets per second.
The threshold should be chosen according to the traffic pattern and the platform characteristics.
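As an added example (not code from the article or from Fortinet), the following Python parses constructed samples of the two diagnose outputs shown above, maps an Internet-facing interface to the NP6 whose HPE block must be configured, and carries through the threshold x host queues x NP6 count arithmetic from the FortiGate-1500D and FortiGate-3600E cases. PORT_LIST and HPE_RING_LINE are constructed from the article's output, and per_queue_threshold is a hypothetical helper that inverts the calculation to derive a per-host-queue value from a desired aggregate rate.

```python
import math
import re

# Constructed, abridged sample of "diagnose npu np6 port-list" output.
PORT_LIST = """\
Chip   XAUI Ports   Max   Cross-chip
                    Speed offloading
------ ---- ------- ----- ----------
np6_0  0    port1   10G   Yes
       0    port6   10G   Yes
------ ---- ------- ----- ----------
np6_1  0    port10  10G   Yes
       0    port13  10G   Yes
------ ---- ------- ----- ----------
"""

# Constructed sample of the "ring" line printed by "diagnose npu np6 hpe 0".
HPE_RING_LINE = ("ring HPE HW pkt_credit:20000 , tsref_inv:60000, tsref_gap:4 , "
                 "np:0, hpe_type_max:200000, hpe_ring:6")

# Per-host-queue range accepted by the CLI, as quoted in the article (pps).
THRESHOLD_MIN, THRESHOLD_MAX = 10_000, 4_000_000_000

# Data rows only: headers and "----" separators do not match.
ROW = re.compile(r"^(np6_\d+)?\s*(\d+)\s+(port\d+)\s+\S+\s+\S+\s*$")

def parse_port_list(text):
    """Return {port: np6 chip}. The chip name is printed only on the first
    row of each block, so it is carried forward to the rows below it."""
    mapping, chip = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        chip = m.group(1) or chip
        mapping[m.group(3)] = chip
    return mapping

def parse_host_queues(ring_line):
    """Number of host queues (hpe_ring:N) on the NP6 that printed the line."""
    return int(re.search(r"hpe_ring:(\d+)", ring_line).group(1))

def effective_pps(threshold, host_queues, np6_count=1):
    """Aggregate packets/second a per-host-queue threshold actually allows."""
    return threshold * host_queues * np6_count

def per_queue_threshold(aggregate_pps, host_queues):
    """Hypothetical helper: per-host-queue value for a desired aggregate
    rate, clamped to the range the CLI accepts."""
    value = math.ceil(aggregate_pps / host_queues)
    return max(THRESHOLD_MIN, min(THRESHOLD_MAX, value))
```

With the 1500D sample, port1 resolves to np6_0 and a 600000 tcpsyn-max on its 6 host queues yields 3,600,000 pps; the 3600E figure follows from effective_pps(600000, 20, 6).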
Related documents.
NP6 HPE host protection engine (updated for FortiOS 7.0):
The FortiOS 7.0 NP6 HPE includes new functionality for configuring more HPE packet types and for HPE monitoring.