Hyperscale firewall CLI changes

When hyperscale firewall features are enabled on a FortiGate running FortiOS 6.2.6 Build 6988, the CLI changes as follows:

Enable hyperscale firewall features

Use the following global command to enable hyperscale firewall features:

config system npu
    set policy-offload-level full-offload
end

Use the following command to enable hyperscale firewall features for the FortiGate or, if multiple VDOMs are enabled, to enable or disable hyperscale firewall features for an individual VDOM:

config system settings
    set policy-offload-level full-offload
end

Special hyperscale firewall VDOM naming convention

VDOMs in which you will be enabling hyperscale firewall features must be created with a special VDOM name that also includes a VDOM ID number.

The following option can be used to set the VDOM ID range:

config system global
    set hyper-scale-vdom-num <number>
end

By default this option is set to 250, allowing you to configure up to 250 hyperscale firewall VDOMs by setting the VDOM ID in the range 1 to 250.

Use the following syntax to create a hyperscale firewall VDOM from the global CLI:

config vdom
    edit <string>-hw<vdom-id>
    next
end

For information about how to name hyperscale firewall VDOMs, see Hyperscale firewall VDOMs require a specific naming convention.

Hyperscale firewall policy

The following hyperscale firewall policy commands are available in a hyperscale firewall VDOM:

config firewall hyperscale-policy
config firewall hyperscale-policy46
config firewall hyperscale-policy6
config firewall hyperscale-policy64

The policy, policy6, policy46, and policy64 commands appear in the CLI but they cannot be configured.

Note

If you are upgrading your hyperscale firewall configuration from FortiOS 6.2.5 to 6.2.6 you must re-configure all of your hyperscale firewall policies using the new 6.2.6 hyperscale firewall policies.

Here is the CLI syntax for the config firewall hyperscale-policy command:

config firewall hyperscale-policy
    edit 1
        set name <name>
        set srcintf <interface>
        set dstintf <interface>
        set srcaddr <address>
        set dstaddr <address>
        set action {accept | deny}
        set status {enable | disable}
        set service <service>
        set auto-asic-offload {enable | disable}
        set cgn-session-quota <quota>
        set cgn-resource-quota <quota>
        set cgn-eif {disable | enable}
        set cgn-eim {disable | enable}
        set cgn-log-server-grp <group-name>
        set tcp-timeout-pid <profile>
        set udp-timeout-pid <profile>
        set ippool {disable | enable}
        set poolname <cgn-ippool-name>
        set comments <comment>
        set srcaddr-negate {disable | enable}
        set dstaddr-negate {disable | enable}
        set service-negate {disable | enable}
        set traffic-shaper <shaper>
        set traffic-shaper-reverse <shaper>
        set nat {disable | enable}
    next
end
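The two rules above (the <string>-hw<vdom-id> naming convention with its 1 to hyper-scale-vdom-num ID range, and the fact that only the hyperscale-policy tables are usable in a hyperscale VDOM while policy, policy6, policy46 and policy64 cannot be configured) are easy to check offline against a configuration backup before or after the 6.2.5 to 6.2.6 upgrade. The following Python script is an added example, not Fortinet code and not from this document; it assumes the backup uses the usual config/edit/next/end nesting, and the VDOM names, policy IDs and interface names in the embedded sample are constructed for the example.

```python
import re

# Policy tables the page says appear in the CLI but cannot be configured in a hyperscale VDOM.
LEGACY_POLICY_TABLES = {
    "firewall policy", "firewall policy6", "firewall policy46", "firewall policy64",
}
# Policy tables that are available only inside a hyperscale firewall VDOM.
HYPERSCALE_POLICY_TABLES = {
    "firewall hyperscale-policy", "firewall hyperscale-policy46",
    "firewall hyperscale-policy6", "firewall hyperscale-policy64",
}
HW_NAME_RE = re.compile(r"^(?P<prefix>.+)-hw(?P<vdom_id>\d+)$")  # <string>-hw<vdom-id>
DEFAULT_HYPERSCALE_VDOM_NUM = 250  # default value of hyper-scale-vdom-num


def hyperscale_vdom_id(name, vdom_num=DEFAULT_HYPERSCALE_VDOM_NUM):
    """Return the VDOM ID encoded in a <string>-hw<vdom-id> name, or None for an
    ordinary VDOM. Raise ValueError when the ID is outside 1..vdom_num."""
    m = HW_NAME_RE.match(name)
    if not m:
        return None
    vdom_id = int(m.group("vdom_id"))
    if not 1 <= vdom_id <= vdom_num:
        raise ValueError(f"{name}: VDOM ID {vdom_id} is outside 1..{vdom_num}")
    return vdom_id


def lint_config(text):
    """Walk a config backup and report hyperscale VDOM problems.
    Returns {"vdom_num": int, "vdoms": {name: id-or-None}, "findings": [str]}."""
    vdom_num = DEFAULT_HYPERSCALE_VDOM_NUM
    m = re.search(r"^\s*set hyper-scale-vdom-num (\d+)", text, re.M)
    if m:
        vdom_num = int(m.group(1))
    vdoms, findings = {}, {}  # placeholder types replaced just below
    vdoms, findings = {}, []  # name -> ID (None if not hyperscale); problem list
    stack = []                # nesting of ("config", table) / ("edit", key) frames
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(("config", line[len("config "):].strip()))
        elif line.startswith("edit "):
            key = line[len("edit "):].strip().strip('"')
            stack.append(("edit", key))
            # config vdom / edit <name>: classify the VDOM by its name
            if len(stack) == 2 and stack[0] == ("config", "vdom") and key not in vdoms:
                try:
                    vdoms[key] = hyperscale_vdom_id(key, vdom_num)
                except ValueError as err:
                    vdoms[key] = None
                    findings.append(str(err))
            # config vdom / edit <name> / config <table> / edit <id>: check the table
            elif (len(stack) == 4 and stack[0] == ("config", "vdom")
                  and stack[1][0] == "edit" and stack[2][0] == "config"):
                vdom, table = stack[1][1], stack[2][1]
                in_hw = vdoms.get(vdom) is not None
                if table in LEGACY_POLICY_TABLES and in_hw:
                    findings.append(f"{vdom}: 'config {table}' edit {key} is a 6.2.5-style "
                                    f"policy; hyperscale VDOMs take hyperscale-policy tables")
                elif table in HYPERSCALE_POLICY_TABLES and not in_hw:
                    findings.append(f"{vdom}: 'config {table}' edit {key} "
                                    f"used outside a hyperscale VDOM")
        elif line in ("next", "end") and stack:
            stack.pop()
    return {"vdom_num": vdom_num, "vdoms": vdoms, "findings": findings}


# Constructed sample backup (not from a real device): cgn-hw300 violates the
# default 1..250 ID range and cgn-hw3 still carries a legacy policy entry.
SAMPLE_CONFIG = """\
config vdom
edit root
next
edit cgn-hw3
next
edit cgn-hw300
next
end
config global
config system global
    set hyper-scale-vdom-num 250
end
end
config vdom
edit cgn-hw3
config firewall hyperscale-policy
    edit 1
        set name "subscribers-out"
        set srcintf "port1"
        set dstintf "port2"
        set action accept
    next
end
config firewall policy
    edit 5
        set name "left-over-from-6.2.5"
    next
end
next
end
"""

if __name__ == "__main__":
    report = lint_config(SAMPLE_CONFIG)
    print("hyper-scale-vdom-num:", report["vdom_num"], "VDOMs:", report["vdoms"])
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Run it against the text of `show full-configuration` saved from the device; the two findings from the sample are the cases the page calls out: an ID that cannot exist under the configured hyper-scale-vdom-num, and a 6.2.5 policy that must be re-created as a hyperscale-policy entry.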

Hyperscale firewall inter-VDOM link acceleration

You apply NP7 acceleration to inter-VDOM link traffic by creating inter-VDOM links with the type set to npupair. For example:

config system vdom-link
    edit <name>
        set type npupair
    next
end
