NP6 Host Protection Engine (HPE) to add protection for DDoS attacks (363398)

NP6 Host Protection Engine (HPE) to add protection for DDoS attacks (363398)

NP6 processors now include HPE functionality that can protect networks from DoS attacks by categorize incoming packets based on packet rate and processing cost and applying packet shaping to packets that can cause DoS attacks. You can use the options in the following CLI command to limit the number packets per second received for various packet types by each NP6 processor. This rate limiting is applied very efficiently because it is done in hardware by the NP6 processor.

HPE protection is disable by default. You can use the following command to enable HPE protection for the NP6_0 NP6 processor:

config system np6 edit np6_0 config hpe set type-shaper enable

end

HPE can be enabled and configured separately for each NP6 processor. When enabled, the default configuration is designed to provide basic DoS protection. You can use the following command to adjust the HPE settings in real time if you network is experiencing an attack. For example, the following command allows you to configure HPE settings for np6_0.

config system np6 edit np6_0 config hpe set type-shaping-tcpsyn-max set type-shaping-tcp-max set type-shaping-udp-max set type-shaping-icmp-max set type-shaping-sctp-max set type-shaping-ipsec-esp-max set type-shaping-ip-frag-max set type-shaping-ip-others-max set type-shaping-arp-max set type-shaping-others-max

end Where:

type-shaping-tcpsyn-max applies shaping based on the maximum number of TCP SYN packets received per second. The range is 10,000 to 10,000,000,000 pps. The default limits the number os packets per second to 5,000,000 pps.

type-shaping-tcp-max applies shaping based on the maximum number of TCP packets received. The range is 10,000 to 10,000,000,000 pps. The default is 5,000,000 pps.

type-shaping-udp-max applies shaping based on the maximum number of UDP packets received. The range is 10,000 to 10,000,000,000 pps. The default is 5,000,000 pps.

type-shaping-icmp-max applies shaping based on the maximum number of ICMP packets received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps.

 

NP6 Host Protection Engine (HPE) to add protection for DDoS attacks (363398)                                                     GUI

type-shaping-sctp-max applies shaping based on the maximum number of SCTP packets received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps.

type-shaping-ipsec-esp-max NPU HPE shaping based on the maximum number of IPsec ESP packets received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps.

type-shaping-ip-frag-max applies shaping based on the maximum number of fragmented IP packets received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps..

type-shaping-ip-others-max applies shaping based on the maximum number of other IP packet types received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps.

type-shaping-arp-max applies shaping based on the maximum number of ARP packet types received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps.

type-shaping-others-max applies shaping based on the maximum number of other layer 2 packet types received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps.

(5.6.1)


Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Name *
Email *
Website