Category Archives: FortiOS 5.4 Handbook

The complete handbook for FortiOS 5.4

diagnose npu np6 session-stats (number of NP6 IPv4 and IPv6 sessions)

diagnose npu np6 session-stats <np6-id> (number of NP6 IPv4 and IPv6 sessions)

You can use the diagnose npu np6 portlist command to list the NP6 IDs and the interfaces that each NP6 is connected to. The <np6-id> of np6_0 is 0, the <np6-id> of np6_1 is 1, and so on. The output of the diagnose npu np6 session-stats <np6-id> command includes the following headings:

  • ins44 installed IPv4 sessions
  • ins46 installed NAT46 sessions
  • del4 deleted IPv4 and NAT46 sessions
  • ins64 installed NAT64 sessions
  • ins66 installed IPv6 sessions
  • del6 deleted IPv6 and NAT64 sessions
  • <heading>_e (for example ins44_e) is the error counter for the corresponding session type

diagnose npu np6 session-stats 0

qid   ins44  ins46  del4  ins64  ins66  del6  ins44_e  ins46_e  del4_e  ins64_e  ins66_e  del6_e
0     94     0      44    0      40     30    0        0        0       0        0        0
1     84     0      32    0      30     28    0        0        0       0        0        0
2     90     0      42    0      40     30    0        0        0       0        0        0
3     86     0      32    0      24     27    0        0        0       0        0        0
4     72     0      34    0      34     28    0        0        0       0        0        0
5     86     0      30    0      28     32    0        0        0       0        0        0
6     82     0      38    0      32     34    0        0        0       0        0        0
7     86     0      30    0      30     30    0        0        0       0        0        0
8     78     0      26    0      36     26    0        0        0       0        0        0
9     86     0      34    0      32     32    0        0        0       0        0        0
----- ------ ------ ----- ------ ------ ----- -------- -------- ------- -------- -------- -------
Total 844    0      342   0      326    297   0        0        0       0        0        0
----- ------ ------ ----- ------ ------ ----- -------- -------- ------- -------- -------- -------
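When this command is run from a monitoring script, the useful checks are that no per-queue error counter (the _e columns) is non-zero and that the Total row agrees with the per-queue rows. The following Python is an added example for this page and not FortiOS code: it parses the session-stats output as the CLI prints it (twelve counters per queue, wrapped over two lines, exactly as in the listing above, from which the SAMPLE text is constructed) and reports any error counters or inconsistent totals.

```python
"""Parse the output of 'diagnose npu np6 session-stats <np6-id>' and flag
problems. Added example for this page, not FortiOS code: the column names
are the ones the handbook lists; SAMPLE is constructed from the per-queue
rows shown above (the CLI prints twelve counters per queue, wrapped)."""

COLUMNS = ["ins44", "ins46", "del4", "ins64", "ins66", "del6",
           "ins44_e", "ins46_e", "del4_e", "ins64_e", "ins66_e", "del6_e"]

SAMPLE = """\
qid   ins44      ins46      del4       ins64      ins66      del6 ins44_e    ins46_e    del4_e     ins64_e    ins66_e    del6_e
0 94 0 44 0 40 30
  0 0 0 0 0 0
1 84 0 32 0 30 28
  0 0 0 0 0 0
2 90 0 42 0 40 30
  0 0 0 0 0 0
3 86 0 32 0 24 27
  0 0 0 0 0 0
4 72 0 34 0 34 28
  0 0 0 0 0 0
5 86 0 30 0 28 32
  0 0 0 0 0 0
6 82 0 38 0 32 34
  0 0 0 0 0 0
7 86 0 30 0 30 30
  0 0 0 0 0 0
8 78 0 26 0 36 26
  0 0 0 0 0 0
9 86 0 34 0 32 32
  0 0 0 0 0 0
---------------- ---------- ---------- ---------- ---------- ----------
Total 844 0 342 0 326 297
0 0 0 0 0 0
---------------- ---------- ---------- ---------- ---------- ----------
"""


def parse_session_stats(text):
    """Return (per_queue, totals): per_queue maps qid -> {column: int},
    totals is the 'Total' row as {column: int} (None if absent).

    Each row's twelve counters may be wrapped over several lines, so
    numeric tokens are accumulated until a full row has been read."""
    per_queue, totals = {}, None
    label, values = None, []
    for raw in text.splitlines():
        tokens = raw.split()
        # Skip blanks, the header line and the dashed separators.
        if not tokens or tokens[0] == "qid" or tokens[0].startswith("-"):
            continue
        if label is None:                  # first token of a row is its label
            label, tokens = tokens[0], tokens[1:]
        values.extend(int(t) for t in tokens)
        if len(values) > len(COLUMNS):
            raise ValueError(f"row {label}: too many counters")
        if len(values) == len(COLUMNS):
            row = dict(zip(COLUMNS, values))
            if label == "Total":
                totals = row
            else:
                per_queue[int(label)] = row
            label, values = None, []
    if label is not None:
        raise ValueError(f"row {label}: truncated output")
    return per_queue, totals


def check_counters(per_queue, totals):
    """Return human-readable findings: any non-zero error counter, and any
    Total that does not equal the sum of the per-queue values."""
    findings = []
    for qid in sorted(per_queue):
        for col in COLUMNS:
            if col.endswith("_e") and per_queue[qid][col]:
                findings.append(f"queue {qid}: {col}={per_queue[qid][col]}")
    if totals is not None:
        for col in COLUMNS:
            total = sum(row[col] for row in per_queue.values())
            if total != totals[col]:
                findings.append(f"{col}: per-queue sum {total} != Total {totals[col]}")
    return findings


if __name__ == "__main__":
    queues, totals = parse_session_stats(SAMPLE)
    print(f"{len(queues)} queues, {totals['ins44']} IPv4 and "
          f"{totals['ins66']} IPv6 sessions installed")
    for finding in check_counters(queues, totals) or ["no counter problems"]:
        print(finding)
```

Run against the listing above the script reports ten queues and no findings; a non-zero _e counter in any queue is reported by queue and column, and a Total row that disagrees with the per-queue rows is reported per column.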


Using the diagnose sys session/session6 list command

The diagnose sys session list and diagnose sys session6 list commands list all of the current IPv4 or IPv6 sessions being processed by the FortiGate. For each session, the output includes an npu info line that shows NPx offloading information for the session. If a session is not offloaded, the output includes a no_ofld_reason line that indicates why the session was not offloaded.


Displaying NP6 offloading information for a session

The npu info line of the diagnose sys session list command includes information about the offloaded session that indicates the type of processor and whether the traffic is IPsec or regular:

  • offload=1/1 for NP1(FA1) sessions.
  • offload=2/2 for NP1(FA2) sessions.
  • offload=3/3 for NP2 sessions.
  • offload=4/4 for NP4 sessions.
  • offload=5/5 for XLR sessions.
  • offload=6/6 for Nplite/NP4lite sessions.
  • offload=7/7 for XLP sessions.
  • offload=8/8 for NP6 sessions.
  • flag 0x81 means regular traffic.
  • flag 0x82 means IPsec traffic.

Example offloaded IPv4 NP6 session

The following session, output by the diagnose sys session list command, is offloaded. The npu info line shows that this is a regular session (flag=0x81/0x81) that is offloaded by an NP6 processor (offload=8/8).

diagnose sys session list

session info: proto=6 proto_state=01 duration=4599 expire=2753 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3

origin-shaper= reply-shaper= per_ip_shaper=

ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255 state=log may_dirty npu none log-start

statistic(bytes/packets/allow_err): org=1549/20/1 reply=1090/15/1 tuples=2 speed(Bps/kbps): 0/0

orgin->sink: org pre->post, reply pre->post dev=15->17/17->15 gwy=172.20.121.2/5.5.5.33

hook=post dir=org act=snat 5.5.5.33:60656->91.190.218.66:12350 (172.20.121.135:60656)

hook=pre dir=reply act=dnat 91.190.218.66:12350->172.20.121.135:60656 (5.5.5.33:60656)

pos/(before,after) 0/(0,0), 0/(0,0)

src_mac=98:90:96:af:89:b9

misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0 serial=00058b9c tos=ff/ff app_list=0 app=0 url_cat=0

dd_type=0 dd_mode=0 npu_state=0x000c00

npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=140/138, ipid=138/140, vlan=0x0000/0x0000

vlifid=138/140, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=0/2


Example IPv4 session that is not offloaded

The following session, output by the diagnose sys session list command, includes the no_ofld_reason line, which indicates that the session was not offloaded because it is a local-in session.

session info: proto=6 proto_state=01 duration=19 expire=3597 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3

origin-shaper= reply-shaper= per_ip_shaper=

ha_id=0 policy_dir=0 tunnel=/ vlan_cos=8/8 state=local may_dirty

statistic(bytes/packets/allow_err): org=6338/15/1 reply=7129/12/1 tuples=2 speed(Bps/kbps): 680/5

orgin->sink: org pre->in, reply out->post dev=15->50/50->15 gwy=5.5.5.5/0.0.0.0

hook=pre dir=org act=noop 5.5.5.33:60567->5.5.5.5:443(0.0.0.0:0)

hook=post dir=reply act=noop 5.5.5.5:443->5.5.5.33:60567(0.0.0.0:0)

pos/(before,after) 0/(0,0), 0/(0,0)

src_mac=98:90:96:af:89:b9

misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0 serial=000645d8 tos=ff/ff app_list=0 app=0 url_cat=0 dd_type=0 dd_mode=0

npu_state=00000000

no_ofld_reason:  local


Example IPv4 IPsec NP6 session

diagnose sys session list

session info: proto=6 proto_state=01 duration=34 expire=3565 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3

origin-shaper= reply-shaper= per_ip_shaper=

ha_id=0 policy_dir=0 tunnel=/p1-vdom2 state=re may_dirty npu

statistic(bytes/packets/allow_err): org=112/2/1 reply=112/2/1 tuples=2

orgin->sink: org pre->post, reply pre->post dev=57->7/7->57 gwy=10.1.100.11/11.11.11.1

hook=pre dir=org act=noop 172.16.200.55:35254->10.1.100.11:80(0.0.0.0:0)

hook=post dir=reply act=noop 10.1.100.11:80->172.16.200.55:35254(0.0.0.0:0)

pos/(before,after) 0/(0,0), 0/(0,0)

misc=0 policy_id=1 id_policy_id=0 auth_info=0 chk_client_info=0 vd=4 serial=00002d29 tos=ff/ff ips_view=0 app_list=0 app=0

dd_type=0 dd_mode=0

per_ip_bandwidth meter: addr=172.16.200.55, bps=260 npu_state=00000000

npu info: flag=0x81/0x82, offload=8/8, ips_offload=0/0, epid=1/3, ipid=3/1, vlan=32779/0


Example IPv6 NP6 session

diagnose sys session6 list

session6 info: proto=6 proto_state=01 duration=2 expire=3597 timeout=3600 flags=00000000 sockport=0 sockflag=0 use=3

origin-shaper= reply-shaper= per_ip_shaper= ha_id=0

policy_dir=0 tunnel=/

state=may_dirty npu

statistic(bytes/packets/allow_err): org=152/2/0 reply=152/2/0 tuples=2 speed(Bps/kbps): 0/0

orgin->sink: org pre->post, reply pre->post dev=13->14/14->13

hook=pre dir=org act=noop 2000:172:16:200::55:59145 ->2000:10:1:100::11:80(:::0)

hook=post dir=reply act=noop 2000:10:1:100::11:80 ->2000:172:16:200::55:59145 (:::0)

misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0 serial=0000027a npu_state=0x000c00

npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=137/136, ipid=136/137, vlan=0/0


Example NAT46 NP6 session

diagnose sys session list

session info: proto=6 proto_state=01 duration=19 expire=3580 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3

origin-shaper= reply-shaper= per_ip_shaper=

ha_id=0 policy_dir=0 tunnel=/

state=npu nlb

statistic(bytes/packets/allow_err): org=112/2/1 reply=112/2/1 tuples=2 speed(Bps/kbps): 0/0

orgin->sink: org nataf->post, reply pre->org dev=52->14/14->52 gwy=0.0.0.0/10.1.100.1

hook=5 dir=org act=noop 10.1.100.1:21937->10.1.100.11:80(0.0.0.0:0)

hook=6 dir=reply act=noop 10.1.100.11:80->10.1.100.1:21937(0.0.0.0:0)

hook=pre dir=org act=noop 2000:172:16:200::55:33945 ->64:ff9b::a01:640b:80(:::0)

hook=post dir=reply act=noop 64:ff9b::a01:640b:80 ->2000:172:16:200::55:33945 (:::0)

pos/(before,after) 0/(0,0), 0/(0,0)

misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0 serial=04051aae tos=ff/ff ips_view=0 app_list=0 app=0 dd_type=0 dd_mode=0

npu_state=00000000

npu info: flag=0x81/0x00, offload=0/8, ips_offload=0/0, epid=0/136, ipid=0/137, vlan=0/0


Example NAT64 NP6 session

diagnose sys session6 list

session6 info: proto=6 proto_state=01 duration=36 expire=3563 timeout=3600 flags=00000000 sockport=0 sockflag=0 use=3

origin-shaper= reply-shaper= per_ip_shaper= ha_id=0

policy_dir=0 tunnel=/

state=may_dirty npu nlb

statistic(bytes/packets/allow_err): org=72/1/0 reply=152/2/0 tuples=2 speed(Bps/kbps): 0/0

orgin->sink: org pre->org, reply nataf->post dev=13->14/14->13

hook=pre dir=org act=noop 2000:172:16:200::55:33945 ->64:ff9b::a01:640b:80(:::0)

hook=post dir=reply act=noop 64:ff9b::a01:640b:80 ->2000:172:16:200::55:33945 (:::0)

hook=5 dir=org act=noop 10.1.100.1:21937->10.1.100.11:80(0.0.0.0:0)

hook=6 dir=reply act=noop 10.1.100.11:80->10.1.100.1:21937(0.0.0.0:0)

misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0 serial=0000027b npu_state=00000000

npu info: flag=0x00/0x81, offload=8/0, ips_offload=0/0, epid=137/0, ipid=136/0, vlan=0/0
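Reading the npu info and no_ofld_reason lines by eye works for a handful of sessions; on a busy unit the same decoding is better done by a script that applies the offload and flag meanings listed earlier in this section to every record. The following Python is an added example for this page, not FortiOS code: it splits diagnose sys session list / session6 list output into records, decodes each direction of the npu info line and collects the sessions that are not offloaded with their no_ofld_reason. SAMPLE is constructed from trimmed copies of the session records shown above.

```python
"""Decode the 'npu info' and 'no_ofld_reason' lines of 'diagnose sys
session list' / 'diagnose sys session6 list'. Added example for this page,
not FortiOS code: the offload and flag meanings are the ones the handbook
lists above; SAMPLE is constructed from trimmed copies of the session
records shown above."""
import re

# offload=N/N -> processor type, as listed on this page.
PROCESSORS = {1: "NP1(FA1)", 2: "NP1(FA2)", 3: "NP2", 4: "NP4", 5: "XLR",
              6: "NPlite/NP4lite", 7: "XLP", 8: "NP6"}
# flag=0x../0x.. -> traffic kind, as listed on this page.
FLAGS = {0x81: "regular", 0x82: "IPsec"}

NPU_INFO = re.compile(
    r"npu info: flag=0x([0-9a-fA-F]+)/0x([0-9a-fA-F]+), offload=(\d+)/(\d+)")
SERIAL = re.compile(r"\bserial=([0-9a-fA-F]+)")
NO_OFLD = re.compile(r"no_ofld_reason:\s*(\S+)")

SAMPLE = """\
session info: proto=6 proto_state=01 duration=4599 expire=2753 timeout=3600
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255 state=log may_dirty npu none log-start
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0 serial=00058b9c tos=ff/ff
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=140/138, ipid=138/140, vlan=0x0000/0x0000
session info: proto=6 proto_state=01 duration=19 expire=3597 timeout=3600
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=8/8 state=local may_dirty
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0 serial=000645d8 tos=ff/ff
npu_state=00000000
no_ofld_reason:  local
session info: proto=6 proto_state=01 duration=34 expire=3565 timeout=3600
ha_id=0 policy_dir=0 tunnel=/p1-vdom2 state=re may_dirty npu
misc=0 policy_id=1 id_policy_id=0 auth_info=0 chk_client_info=0 vd=4 serial=00002d29 tos=ff/ff
npu info: flag=0x81/0x82, offload=8/8, ips_offload=0/0, epid=1/3, ipid=3/1, vlan=32779/0
session info: proto=6 proto_state=01 duration=19 expire=3580 timeout=3600
state=npu nlb
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0 serial=04051aae tos=ff/ff
npu info: flag=0x81/0x00, offload=0/8, ips_offload=0/0, epid=0/136, ipid=0/137, vlan=0/0
total session 4
"""


def split_sessions(text):
    """Split the command output into one string per session record."""
    records, current = [], []
    for line in text.splitlines():
        if re.match(r"session6? info:", line):
            if current:
                records.append("\n".join(current))
            current = [line]
        elif current:
            current.append(line)
    if current:
        records.append("\n".join(current))
    return records


def describe_direction(flag, offload):
    """Describe one direction (org or reply) of the npu info line."""
    if offload == 0:
        return "not offloaded"
    processor = PROCESSORS.get(offload, f"unknown offload type {offload}")
    kind = FLAGS.get(flag, f"flag 0x{flag:02x}")
    return f"{kind} traffic on {processor}"


def describe_session(record):
    """Return a dict with the serial, per-direction offload status and,
    for sessions that are not offloaded, the no_ofld_reason value."""
    serial = SERIAL.search(record)
    info = {"serial": serial.group(1) if serial else None,
            "org": "not offloaded", "reply": "not offloaded", "reason": None}
    m = NPU_INFO.search(record)
    if m:
        flag_org, flag_reply, off_org, off_reply = m.groups()
        info["org"] = describe_direction(int(flag_org, 16), int(off_org))
        info["reply"] = describe_direction(int(flag_reply, 16), int(off_reply))
    r = NO_OFLD.search(record)
    if r:
        info["reason"] = r.group(1)
    return info


def sessions_not_offloaded(text):
    """Serial and reason for every session with no offloaded direction."""
    out = []
    for info in map(describe_session, split_sessions(text)):
        if info["org"] == "not offloaded" and info["reply"] == "not offloaded":
            out.append((info["serial"], info["reason"]))
    return out


if __name__ == "__main__":
    for info in map(describe_session, split_sessions(SAMPLE)):
        print(f"serial={info['serial']} org: {info['org']}; reply: {info['reply']}"
              + (f"; no_ofld_reason={info['reason']}" if info["reason"] else ""))
```

The NAT46 record is reported per direction (offload=0/8), which is how the CLI prints it; the script deliberately does not interpret what the page does not explain. sessions_not_offloaded is the list a practitioner would review after a configuration change that should have left traffic accelerated.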


Using diagnose npu np6 npu-feature to verify enabled NP6 features

You can use the diagnose npu np6 npu-feature command to see which NP6 features are enabled and which are not. The following command output shows the normal default NP6 configuration for most FortiGates. In this output all features are enabled except the low latency features and GRE offloading. Low latency is only available on the FortiGate-3700D and DX models, and GRE offloading will become available in a future FortiOS release. The following output is from a FortiGate-1500D.


diagnose npu np6 npu-feature

                    np_0      np_1
------------------- --------- ---------
Fastpath            Enabled   Enabled
Low-latency-mode    Disabled  Disabled
Low-latency-cap     No        No
IPv4 firewall       Yes       Yes
IPv6 firewall       Yes       Yes
IPv4 IPSec          Yes       Yes
IPv6 IPSec          Yes       Yes
IPv4 tunnel         Yes       Yes
IPv6 tunnel         Yes       Yes
GRE tunnel          No        No
IPv4 Multicast      Yes       Yes
IPv6 Multicast      Yes       Yes
CAPWAP              Yes       Yes

If you use the following command to disable fastpath for np_0:

config system np6
  edit np6_0
    set fastpath disable
  end

The npu-feature command output shows this configuration change:

diagnose npu np6 npu-feature

                    np_0      np_1
------------------- --------- ---------
Fastpath            Disabled  Enabled
Low-latency-mode    Disabled  Disabled
Low-latency-cap     No        No
IPv4 firewall       Yes       Yes
IPv6 firewall       Yes       Yes
IPv4 IPSec          Yes       Yes
IPv6 IPSec          Yes       Yes
IPv4 tunnel         Yes       Yes
IPv6 tunnel         Yes       Yes
GRE tunnel          No        No
IPv4 Multicast      Yes       Yes
IPv6 Multicast      Yes       Yes
CAPWAP              Yes       Yes


Hardware acceleration get and diagnose commands

This section describes some get and diagnose commands you can use to display useful information about the NP6 processors and the sessions they process.

get hardware npu np6

You can use the get hardware npu np6 command to display information about the NP6 processors in your FortiGate and the sessions they are processing. This command contains a subset of the options available from the diagnose npu np6 command. The command syntax is:

get hardware npu np6 {dce <np6-id> | ipsec-stats | port-list | session-stats <np6-id> | sse-stats <np6-id> | synproxy-stats}


<np6-id> identifies the NP6 processor: 0 is np6_0, 1 is np6_1, and so on.

dce show NP6 non-zero sub-engine drop counters for the selected NP6.

ipsec-stats show overall NP6 IPsec offloading statistics.

port-list show the mapping between the FortiGate's physical ports and its NP6 processors.

session-stats show NP6 session offloading statistics counters for the selected NP6.

sse-stats show hardware session statistics counters.

synproxy-stats show overall NP6 synproxy statistics for TCP connections identified as syn proxy DoS attacks.


diagnose npu np6

The diagnose npu np6 command displays extensive information about NP6 processors and the sessions that they are processing. Some of the information displayed can be useful for understanding the NP6 configuration, seeing how sessions are being processed and diagnosing problems. Some of the commands may only be useful for Fortinet software developers. The command syntax is:

diagnose npu np6 {options}

The following options are available:

fastpath {disable | enable} <np6-id> enable or disable fastpath processing for the selected NP6.

dce show NP6 non-zero sub-engine drop counters for the selected NP6.

dce-all show all sub-engine drop counters.

anomaly-drop show non-zero L3/L4 anomaly check drop counters.

anomaly-drop-all show all L3/L4 anomaly check drop counters.

hrx-drop show non-zero host interface drop counters.

hrx-drop-all show all host interface drop counters.

session-stats show session offloading statistics counters.

session-stats-clear clear session offloading statistics counters.

sse-stats show hardware session statistics counters.

sse-stats-clear clear hardware session statistics counters.

pdq show packet buffer queue counters.

xgmac-stats show XGMAC MIB counters.

xgmac-stats-clear clear XGMAC MIB counters.

port-list show port list.

ipsec-stats show IPsec offloading statistics.

ipsec-stats-clear clear IPsec offloading statistics.

eeprom-read read NP6 EEPROM.

npu-feature show NPU feature and status.

register show NP6 registers.

fortilink configure fortilink.

synproxy-stats show synproxy statistics.


Setting switch-mode mapping on the ADM-XD4

The ADM-XD4 SP has four 10Gb/s ports, but the NP4 processor it contains has only two 10Gb/s ports. The external ports you use are important to optimize the SP for your application.


ADMXD4 mapping mode

Ports 1 and 3 share one NP4 processor, and ports 2 and 4 share the other. Performance is far better when traffic enters and leaves through ports that share the same NP4 processor than when network data is forced to move between NP4 processors by using one port from each pair, for example ports 1 and 2 or ports 3 and 4.


FortiGate NP4 architectures

This chapter shows the NP4 architecture for all FortiGate units and modules that include NP4 processors.


FortiGate-600C

The FortiGate-600C features one NP4 processor. All the ports are connected to this NP4 over the Integrated Switch Fabric. Port1 and port2 are dual failopen redundant RJ-45 ports. Port3-port22 are RJ-45 ethernet ports, and there are four 1Gb SFP interface ports duplicating the port19-port22 connections.


FortiGate-800C

The FortiGate-800C features one NP4 processor. All the ports are connected to this NP4. Port1 and port2 are dual failopen redundant RJ-45 ports. Port3-port22 are RJ-45 ethernet ports, and there are eight 1Gb SFP interface ports duplicating the port15-18 and port19-port22 connections. There are also two 10Gb SFP+ ports, port23 and port24.


FortiGate-1000C

The FortiGate-1000C features one NP4 processor. All the ports are connected to this NP4. Port1 and port2 are dual failopen redundant RJ-45 ports. Port3-port22 are RJ-45 ethernet ports, and there are eight 1Gb SFP interface ports duplicating the port15-18 and port19-port22 connections. There are also two 10Gb SFP+ ports, port23 and port24.


FortiGate-1240B

The FortiGate-1240B features two NP4 processors:

  • Port1 to port24 are 1Gb SFP interfaces connected to one NP4 processor.
  • Port25 to port38 are RJ-45 ethernet ports, connected to the other NP4 processor.
  • Port39 and port40 are not connected to an NP4 processor.

[Figure: FortiGate-1240B NP4 architecture. Labels recovered from the diagram: Integrated Switch Fabric, FortiASIC NP4 (two), System Bus, CP6, CPU.]

FortiGate-3040B

The FortiGate-3040B features two NP4 processors:

  • The 10Gb interfaces, port1, port2, port3, port4, and the 1Gb interfaces, port9, port10, port11, port12, port13, share connections to one NP4 processor.
  • The 10Gb interfaces, port5, port6, port7, port8, and the 1Gb interfaces, port14, port15, port16, port17, port18, share connections to the other NP4 processor.

[Figure: FortiGate-3040B front panel (STATUS, ALARM, HA and POWER indicators; NP4-1 and NP4-2 port groups; CONSOLE; 10G SFP+ ports 1 to 8; ports 9 to 18; FSM1 to FSM4 slots) and NP4 architecture. Labels recovered from the diagram: Integrated Switch Fabric, FortiASIC NP4 (two), System Bus, CP7, CPU.]

Offloading NP4 anomaly detection

Network interfaces associated with a port attached to an NP4 processor can be configured to offload anomaly checking to the NP4 processor. This anomaly checking happens before other offloading and separately from DoS policy anomaly checking. Using the following command, each FortiGate interface can have a different anomaly checking configuration even if they are connected to the same NP4 processor.

The options available for this command apply anomaly checking to NP4 sessions in the same way as the command described in Configuring individual NP6 processors on page 1215 applies anomaly checking to NP6 sessions.


config system interface
  edit <port-name>
    set fp-anomaly <anomalies>
  end

where <anomalies> can be one, more than one or all of the following:


Anomaly                  Description

drop_icmp_frag           Drop ICMP fragments.

drop_icmpland            Drop ICMP Land.

drop_ipland              Drop IP Land.

drop_iplsrr              Drop IP with Loose Source Record Route option.

drop_iprr                Drop IP with Record Route option.

drop_ipsecurity          Drop IP with Security option.

drop_ipssrr              Drop IP with Strict Source Record Route option.

drop_ipstream            Drop IP with Stream option.

drop_iptimestamp         Drop IP with Timestamp option.

drop_ipunknown_option    Drop IP with malformed option.

drop_ipunknown_prot      Drop IP with Unknown protocol.

drop_tcp_fin_noack       Drop TCP FIN with no ACK flag set.

drop_tcp_no_flag         Drop TCP with no flag set.

drop_tcpland             Drop TCP Land.

drop_udpland             Drop UDP Land.

drop_winnuke             Drop TCP WinNuke.

pass_icmp_frag           Allow ICMP fragments to pass.

pass_icmpland            Allow ICMP Land to pass.

pass_ipland              Allow IP Land to pass.

pass_iplsrr              Allow IP with Loose Source Record Route option to pass.

pass_iprr                Allow IP with Record Route option to pass.

pass_ipsecurity          Allow IP with Security option to pass.

pass_ipssrr              Allow IP with Strict Source Record Route option to pass.

pass_ipstream            Allow IP with Stream option to pass.

pass_iptimestamp         Allow IP with Timestamp option to pass.

pass_ipunknown_option    Allow IP with malformed option to pass.

pass_ipunknown_prot      Allow IP with Unknown protocol to pass.

pass_tcp_fin_noack       Allow TCP FIN with no ACK flag set to pass.

pass_tcp_no_flag         Allow TCP with no flag set to pass.

pass_tcpland             Allow TCP Land to pass.

pass_udpland             Allow UDP Land to pass.

pass_winnuke             Allow TCP WinNuke to pass.

Example

You might configure an NP4 to drop packets with TCP WinNuke or unknown IP protocol anomalies, but to pass packets with an IP time stamp, using hardware acceleration provided by the network processor.

config system interface
  edit port1
    set fp-anomaly drop_winnuke drop_ipunknown_prot pass_iptimestamp
  end


Confirm that the traffic is accelerated

Use the following CLI commands to obtain the interface indexes and then correlate them with the session entries. In the following example, traffic was flowing between new accelerated inter-VDOM links and the physical ports port1 and port2, which are also attached to the NP4 processor.

diagnose ip address list

IP=172.31.17.76->172.31.17.76/255.255.252.0 index=5 devname=port1

IP=10.74.1.76->10.74.1.76/255.255.252.0 index=6 devname=port2

IP=172.20.120.12->172.20.120.12/255.255.255.0 index=55 devname=IVL-VLAN1_ROOT

IP=172.20.120.22->172.20.120.22/255.255.255.0 index=56 devname=IVL-VLAN1_VDOM1


diagnose sys session list

session info: proto=1 proto_state=00 duration=282 expire=24 timeout=0 session info: proto=1 proto_state=00 duration=124 expire=59 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3

origin-shaper= reply-shaper= per_ip_shaper=

ha_id=0 policy_dir=0 tunnel=/

state=may_dirty npu

statistic(bytes/packets/allow_err): org=180/3/1 reply=120/2/1 tuples=2

orgin->sink: org pre->post, reply pre->post dev=55->5/5->55

gwy=172.31.19.254/172.20.120.22

hook=post dir=org act=snat 10.74.2.87:768->10.2.2.2:8(172.31.17.76:62464)

hook=pre dir=reply act=dnat 10.2.2.2:62464->172.31.17.76:0(10.74.2.87:768)

misc=0 policy_id=4 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0 serial=0000004e tos=ff/ff ips_view=0 app_list=0 app=0

dd_type=0 dd_mode=0

per_ip_bandwidth meter: addr=10.74.2.87, bps=880 npu_state=00000000

npu info: flag=0x81/0x81, offload=4/4, ips_offload=0/0, epid=160/218, ipid=218/160, vlan=32769/0


session info: proto=1 proto_state=00 duration=124 expire=20 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3

origin-shaper= reply-shaper= per_ip_shaper=

ha_id=0 policy_dir=0 tunnel=/

state=may_dirty npu

statistic(bytes/packets/allow_err): org=180/3/1 reply=120/2/1 tuples=2

orgin->sink: org pre->post, reply pre->post dev=6->56/56->6 gwy=172.20.120.12/10.74.2.87

hook=pre dir=org act=noop 10.74.2.87:768->10.2.2.2:8(0.0.0.0:0)

hook=post dir=reply act=noop 10.2.2.2:768->10.74.2.87:0(0.0.0.0:0)

misc=0 policy_id=3 id_policy_id=0 auth_info=0 chk_client_info=0 vd=1 serial=0000004d tos=ff/ff ips_view=0 app_list=0 app=0

dd_type=0 dd_mode=0

per_ip_bandwidth meter: addr=10.74.2.87, bps=880 npu_state=00000000

npu info: flag=0x81/0x81, offload=4/4, ips_offload=0/0, epid=219/161, ipid=161/219, vlan=0/32769

total session 2