FortiGate Next Generation Firewall uses purpose-built security processors and FortiGuard Labs threat intelligence services to deliver top-rated protection at high performance, including inspection of encrypted traffic.
This article describes the Host Protection Engine (HPE), a feature introduced in FortiOS 5.6 that protects the FortiGate CPUs during a DDoS attack so that FortiOS can keep processing packets at its maximum capacity.
HPE runs in the NP6 ASIC, so in FortiOS 5.6 it is available on NP6 platforms only (NP7 support was added in later releases, see below).
It classifies the packets destined for the host CPU into several categories and then applies a hardware shaper to each host queue.
A threshold in Packet Per Second can be configured per traffic category.
Traffic categories are:
- TCP SYN.
- IP Fragment.
- Other IP.
HPE is enabled or disabled as a whole; it cannot be enabled or disabled per traffic category.
Traffic offloaded to the NP6 never reaches a host queue, so it is not affected by HPE.
HPE can be used in addition to DoS policies to protect the FortiGate.
HPE is less granular than DoS policies, so it should be used as the first level of protection.
DoS policies, with the proper sensors, should be used as the second level of protection.
NP6 HPE packet flow and host queues.
Configure HPE separately for each NP6 processor.
Each NP6 processor has multiple host queues and each HPE packets-per-second setting is applied separately to each host queue.
The actual amount of traffic allowed by an HPE threshold depends on the number of host queues that each NP6 processor has.
It is possible to use the following command to see the number of host queues of the NP6 processors in the FortiGate.
For example, for a FortiGate-1500D, the following command output shows that the number of host queues for NP6_0 is 6 (hpe_ring:6).
The FortiGate-3600E has six NP6 processors and each NP6 processor has 20 host queues.
All front panel data interfaces are connected to all NP6 processors over the integrated switch fabric.
The default tcpsyn-ack-max setting of 600000 limits the total number of TCP SYN_ACK host packets per second that the FortiGate-3600E can process to 600000 x 20 x 6 = 72,000,000 TCP SYN_ACK host packets per second. That aggregate figure is only reached when the packets are spread over every host queue of every NP6; because each queue is shaped independently, traffic concentrated on a single host queue is limited to the per-queue threshold of 600000 packets per second.
The threshold should be chosen according to the traffic pattern and the platform characteristics.
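The following script is an added illustration of the per-queue sizing arithmetic above; it is not Fortinet code. It takes the host-queue topology quoted in this article (FortiGate-3600E: six NP6 processors with 20 host queues each; tcpsyn-ack-max default 600000), derives the unit-wide ceiling from a per-queue value and, in the other direction, the per-queue value needed so that a category cannot exceed a chosen aggregate rate. The platform table, the setting names other than tcpsyn-ack-max, and the `config system np6` / `config hpe` block that render_hpe_config() prints are assumptions for illustration and must be checked against the FortiOS CLI reference for the release in use.

```python
"""Sizing NP6 HPE per-queue thresholds (added example, not Fortinet code)."""

# Per-queue thresholds in packets per second. Only tcpsyn-ack-max and its
# default of 600000 come from the article; the other names are assumed.
DEFAULT_THRESHOLDS = {
    "tcpsyn-max": 600000,
    "tcpsyn-ack-max": 600000,
    "ip-frag-max": 600000,
    "ip-others-max": 600000,
}

# Host-queue topology per platform: (number of NP6 processors, host queues
# per NP6). The FortiGate-3600E figures are quoted from the article.
PLATFORMS = {
    "FortiGate-3600E": (6, 20),
}


def aggregate_ceiling(per_queue_pps, np6_count, host_queues):
    """Unit-wide upper bound for one category given a per-queue threshold.

    Each host queue is shaped independently, so this bound is only reached
    when traffic is spread evenly over every queue of every NP6. A burst
    that lands on one queue is capped at per_queue_pps, not at this value.
    """
    return per_queue_pps * host_queues * np6_count


def per_queue_setting(target_aggregate_pps, np6_count, host_queues):
    """Largest per-queue value whose aggregate ceiling stays <= the target.

    Rounds down so the ceiling never exceeds the target; refuses targets so
    low that the per-queue threshold would fall below 1 packet per second.
    """
    total_queues = np6_count * host_queues
    if target_aggregate_pps < total_queues:
        raise ValueError(
            f"target {target_aggregate_pps} pps is below 1 pps per host queue "
            f"({total_queues} queues)"
        )
    return target_aggregate_pps // total_queues


def size_thresholds(platform, aggregate_targets):
    """Map unit-wide targets per category to per-queue settings.

    Categories not listed in aggregate_targets keep DEFAULT_THRESHOLDS.
    """
    np6_count, host_queues = PLATFORMS[platform]
    settings = dict(DEFAULT_THRESHOLDS)
    for name, target in aggregate_targets.items():
        if name not in settings:
            raise KeyError(f"unknown HPE setting: {name}")
        settings[name] = per_queue_setting(target, np6_count, host_queues)
    return settings


def render_hpe_config(platform, thresholds):
    """Render one HPE block per NP6 processor, since HPE is configured per NP6.

    The CLI layout below is assumed for illustration; verify it against the
    FortiOS CLI reference before pasting it into a unit.
    """
    np6_count, _ = PLATFORMS[platform]
    lines = ["config system np6"]
    for index in range(np6_count):
        lines.append(f"    edit np6_{index}")
        lines.append("        config hpe")
        for name, value in thresholds.items():
            lines.append(f"            set {name} {value}")
        lines.append("            set enable-shaper enable")
        lines.append("        end")
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    np6_count, host_queues = PLATFORMS["FortiGate-3600E"]
    print("default SYN_ACK ceiling:",
          aggregate_ceiling(DEFAULT_THRESHOLDS["tcpsyn-ack-max"], np6_count, host_queues))
    # Cap TCP SYN packets reaching the CPUs at 10 M pps across the whole unit.
    sized = size_thresholds("FortiGate-3600E", {"tcpsyn-max": 10_000_000})
    print(render_hpe_config("FortiGate-3600E", sized))
```

Running the script reproduces the 72,000,000 SYN_ACK figure from the article and shows that a 10 M pps unit-wide cap on TCP SYN corresponds to 83333 packets per second per host queue on a FortiGate-3600E; the rendered block repeats that value for each of the six NP6 processors.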
NP6 HPE host protection engine (updated for FortiOS 7.0):
The FortiOS 7.0 NP6 HPE includes new functionality for configuring more HPE packet types and for HPE monitoring.
NP7 HPE host protection engine (added to FortiOS 6.2.9 and 6.4.6):
The FortiOS 6.2.9 and 6.4.6 NP7 HPE includes new functionality for applying one HPE setting to all traffic types, for configuring more HPE packet types, and for HPE monitoring.