NP6 Host Protection Engine (HPE) to add protection for DDoS attacks (363398)

NP6 processors now include HPE functionality that can protect networks from DoS attacks by categorizing incoming packets based on packet rate and processing cost and applying packet shaping to packets that can cause DoS attacks. You can use the options in the following CLI command to limit the number of packets per second received for various packet types by each NP6 processor. This rate limiting is applied very efficiently because it is done in hardware by the NP6 processor.

HPE protection is disabled by default. You can use the following command to enable HPE protection for the np6_0 NP6 processor:

config system np6
    edit np6_0
        config hpe
            set type-shaper enable
        end
    next
end

HPE can be enabled and configured separately for each NP6 processor. When enabled, the default configuration is designed to provide basic DoS protection. You can use the following command to adjust the HPE settings in real time if your network is experiencing an attack. For example, the following command allows you to configure HPE settings for np6_0.

config system np6
    edit np6_0
        config hpe
            set type-shaping-tcpsyn-max <pps>
            set type-shaping-tcp-max <pps>
            set type-shaping-udp-max <pps>
            set type-shaping-icmp-max <pps>
            set type-shaping-sctp-max <pps>
            set type-shaping-ipsec-esp-max <pps>
            set type-shaping-ip-frag-max <pps>
            set type-shaping-ip-others-max <pps>
            set type-shaping-arp-max <pps>
            set type-shaping-others-max <pps>
        end
    next
end

Where:

type-shaping-tcpsyn-max applies shaping based on the maximum number of TCP SYN packets received per second. The range is 10,000 to 10,000,000,000 pps. The default is 5,000,000 pps.

type-shaping-tcp-max applies shaping based on the maximum number of TCP packets received. The range is 10,000 to 10,000,000,000 pps. The default is 5,000,000 pps.

type-shaping-udp-max applies shaping based on the maximum number of UDP packets received. The range is 10,000 to 10,000,000,000 pps. The default is 5,000,000 pps.

type-shaping-icmp-max applies shaping based on the maximum number of ICMP packets received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps.

type-shaping-sctp-max applies shaping based on the maximum number of SCTP packets received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps.

type-shaping-ipsec-esp-max applies shaping based on the maximum number of IPsec ESP packets received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps.

type-shaping-ip-frag-max applies shaping based on the maximum number of fragmented IP packets received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps.

type-shaping-ip-others-max applies shaping based on the maximum number of other IP packet types received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps.

type-shaping-arp-max applies shaping based on the maximum number of ARP packet types received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps.

type-shaping-others-max applies shaping based on the maximum number of other layer 2 packet types received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps.

(5.6.1)
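Because every limit is applied per NP6 processor, a unit with several NP6s needs the same shaper block under each `edit np6_N`, and a value outside 10,000 to 10,000,000,000 pps is rejected by the CLI. The following added example (not Fortinet's code) validates a planned set of limits against the ranges listed above and emits the matching `config system np6` block for each processor; the option names and defaults are the ones on this page, while the NP6 names and the flood-response values are constructed for illustration.

```python
# Added example (not Fortinet's code): build validated HPE shaper CLI for
# FortiOS 5.6.1 NP6 processors.  Option names, ranges and defaults are the
# ones listed on this page; the flood profile values are constructed.
PPS_MIN, PPS_MAX = 10_000, 10_000_000_000

# Option -> default packets per second, applied per NP6 processor.
HPE_DEFAULTS = {
    "type-shaping-tcpsyn-max": 5_000_000,
    "type-shaping-tcp-max": 5_000_000,
    "type-shaping-udp-max": 5_000_000,
    "type-shaping-icmp-max": 1_000_000,
    "type-shaping-sctp-max": 1_000_000,
    "type-shaping-ipsec-esp-max": 1_000_000,
    "type-shaping-ip-frag-max": 1_000_000,
    "type-shaping-ip-others-max": 1_000_000,
    "type-shaping-arp-max": 1_000_000,
    "type-shaping-others-max": 1_000_000,
}

def validate_limits(limits):
    """Reject unknown options or values outside 10,000..10,000,000,000 pps."""
    for opt, pps in limits.items():
        if opt not in HPE_DEFAULTS:
            raise ValueError(f"unknown HPE option {opt}")
        if not isinstance(pps, int) or not PPS_MIN <= pps <= PPS_MAX:
            raise ValueError(f"{opt}={pps} is outside {PPS_MIN}-{PPS_MAX} pps")
    # Return in the page's option order so the emitted CLI is deterministic.
    return {opt: limits[opt] for opt in HPE_DEFAULTS if opt in limits}

def hpe_cli(np6_names, limits):
    """One 'config system np6' block enabling HPE with the same limits on
    every listed NP6; HPE is per processor, so each one must be set."""
    limits = validate_limits(limits)
    out = ["config system np6"]
    for name in np6_names:
        out += [f"    edit {name}", "        config hpe",
                "            set type-shaper enable"]
        out += [f"            set {opt} {pps}" for opt, pps in limits.items()]
        out += ["        end", "    next"]
    out.append("end")
    return "\n".join(out)

# Constructed response profile for an ICMP / SYN flood: clamp those two
# types far below their defaults and leave every other type at its default.
FLOOD_PROFILE = {"type-shaping-icmp-max": 50_000,
                 "type-shaping-tcpsyn-max": 500_000}

if __name__ == "__main__":
    print(hpe_cli(["np6_0", "np6_1"], FLOOD_PROFILE))
```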



This entry was posted in FortiOS 5.6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
