Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Hardware Acceleration

    Home FortiGate / FortiOS 6.0.14 Hardware Acceleration
    6.0.14
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.6
    6.4.5
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.9
    6.2.7
    6.0.18
    6.0.17
    6.0.16
    6.0.15
    6.0.14
    5.6.0

    Configuring individual NP6 processors

    Configuring individual NP6 processors

    You can use the config system np6 command to configure a wide range of settings for each of the NP6 processors in your FortiGate unit including enabling session accounting and adjusting session timeouts. As well you can set anomaly checking for IPv4 and IPv6 traffic.

    For FortiGates with NP6XLite processors, the config system np6xlite command has similar options.

    For FortiGates with NP6Lite processors, the config system np6lite command has similar options.

    You can also enable and adjust Host Protection Engine (HPE) to protect networks from DoS attacks by categorizing incoming packets based on packet rate and processing cost and applying packet shaping to packets that can cause DoS attacks.

    The settings that you configure for an NP6 processor with the config system np6 command apply to traffic processed by all interfaces connected to that NP6 processor. This includes the physical interfaces connected to the NP6 processor as well as all subinterfaces, VLAN interfaces, IPsec interfaces, LAGs and so on associated with the physical interfaces connected to the NP6 processor.

    Note

    Some of the options for this command apply anomaly checking for NP6 sessions in the same way as the command described in applies anomaly checking for NP4 sessions.

    config system {np6 | np6xlite | np6lite}

    edit <np6-processor-name>

    set low-latency-mode {disable | enable}

    set per-session-accounting {all-enable | disable | enable-by-log}

    set session-timeout-random-range <range>

    set garbage-session-collector {disable | enable}

    set session-collector-interval <range>

    set session-timeout-interval <range>

    set session-timeout-random-range <range>

    set session-timeout-fixed {disable | enable}

    config hpe

    set tcpsyn-max <packets-per-second>

    set tcp-max <packets-per-second>

    set udp-max <packets-per-second>

    set icmp-max <packets-per-second>

    set sctp-max <packets-per-second>

    set esp-max <packets-per-second>

    set ip-frag-max <packets-per-second>

    set ip-others-max <packets-per-second>

    set arp-max <packets-per-second>

    set l2-others-max <packets-per-second>

    set pri-type-max <packets-per-second>

    set enable-shaper {disable | enable}

    config fp-anomaly

    set tcp-syn-fin {allow | drop | trap-to-host}

    set tcp-fin-noack {allow | drop | trap-to-host}

    set tcp-fin-only {allow | drop | trap-to-host}

    set tcp-no-flag {allow | drop | trap-to-host}

    set tcp-syn-data {allow | drop | trap-to-host}

    set tcp-winnuke {allow | drop | trap-to-host}

    set tcp-land {allow | drop | trap-to-host}

    set udp-land {allow | drop | trap-to-host}

    set icmp-land {allow | drop | trap-to-host}

    set icmp-frag {allow | drop | trap-to-host}

    set ipv4-land {allow | drop | trap-to-host}

    set ipv4-proto-err {allow | drop | trap-to-host}

    set ipv4-unknopt {allow | drop | trap-to-host}

    set ipv4-optrr {allow | drop | trap-to-host}

    set ipv4-optssrr {allow | drop | trap-to-host}

    set ipv4-optlsrr {allow | drop | trap-to-host}

    set ipv4-optstream {allow | drop | trap-to-host}

    set ipv4-optsecurity {allow | drop | trap-to-host}

    set ipv4-opttimestamp {allow | drop | trap-to-host}

    set ipv4-csum-err {drop | trap-to-host}

    set tcp-csum-err {drop | trap-to-host}

    set udp-csum-err {drop | trap-to-host}

    set icmp-csum-err {drop | trap-to-host}

    set ipv6-land {allow | drop | trap-to-host}

    set ipv6-proto-err {allow | drop | trap-to-host}

    set ipv6-unknopt {allow | drop | trap-to-host}

    set ipv6-saddr-err {allow | drop | trap-to-host}

    set ipv6-daddr-err {allow | drop | trap-to-host}

    set ipv6-optralert {allow | drop | trap-to-host}

    set ipv6-optjumbo {allow | drop | trap-to-host}

    set ipv6-opttunnel {allow | drop | trap-to-host}

    set ipv6-opthomeaddr {allow | drop | trap-to-host}

    set ipv6-optnsap {allow | drop | trap-to-host}

    set ipv6-optendpid {allow | drop | trap-to-host}

    set ipv6-optinvld {allow | drop | trap-to-host}

    end

    Command syntax
    Command Description Default
    low-latency-mode {disable | enable} Enable low-latency mode. In low latency mode the integrated switch fabric is bypassed. Low latency mode requires that packet enter and exit using the same NP6 processor. This option is only available for NP6 processors that can operate in low-latency mode, currently only np6_0 and np6_1 on the FortiGate 3700D and DX. disable
    per-session-accounting {all-enable | disable | enable-by-log} Disable NP6 per-session accounting or enable it and control how it works. If set to enable-by-log (the default) NP6 per-session accounting is only enabled if firewall policies accepting offloaded traffic have traffic logging enabled. If set to all-enable, NP6 per-session accounting is always enabled for all traffic offloaded by the NP6 processor.

    Enabling per-session accounting can affect performance.    		 enable-by-log
    garbage-session-collector {disable | enable} Enable deleting expired or garbage sessions. disable
    session-collector-interval <range> Set the expired or garbage session collector time interval in seconds. The range is 1 to 100 seconds. 64
    session-timeout-interval <range> Set the timeout for checking for and removing inactive NP6 sessions. The range is 0 to 1000 seconds. 40
    session-timeout-random-range <range> Set the random timeout for checking and removing inactive NP6 sessions. The range is 0 to 1000 seconds. 8
    session-timeout-fixed {disable | enable} Enable to force checking for and removing inactive NP6 sessions at the session-timeout-interval time interval. Set to disable (the default) to check for and remove inactive NP6 sessions at random time intervals. disable

    config hpe
    hpe

    The NP6 host protection engine (HPE) uses NP6 processors to protect the FortiGate CPU from excessive amounts of ingress traffic, which typically occurs during DDoS attacks or network problems (for example an ARP flood due to a network loop). You can use the HPE to prevent ingress traffic received on data interfaces connected to NP6 processors from overloading the FortiGate CPU.

    You configure the HPE by enabling it and setting traffic thresholds. The HPE then acts like a traffic shaper, dropping packets that exceed the configured traffic thresholds.

    The HPE does not affect offloaded traffic, just CPU traffic. The HPE is not as granular as DoS policies and should be used as a first level of protection.

    DoS policies can be used as a second level of protection. For information about DoS policies, see DoS protection. DoS policy sessions are not offloaded by NP6 processors.
    enable-shaper {disable | enable} Enable or disable HPE DDoS protection. disable
    tcpsyn-max Limit the maximum number of TCP SYN packets received per second. The range is 10,000 to 4,000,000,000 pps. 5000000
    tcp-max Limit the maximum number of TCP packets received per second. The range is 10,000 to 4,000,000,000 pps. 5000000
    udp-max Limit the maximum number of UDP packets received per second. The range is 10,000 to 4,000,000,000 pps. 5000000
    icmp-max Limit the maximum number of ICMP packets received. The range is 10,000 to 4,000,000,000 pps. 1000000
    sctp-max Limit the maximum number of SCTP packets received. The range is 10,000 to 4,000,000,000 pps. 1000000
    esp-max Limit the maximum number of ESP packets received. The range is 10,000 to 4,000,000,000 pps. 1000000
    ip-frag-max Limit the maximum number of fragmented IP packets received. The range is 10,000 to 4,000,000,000 pps. 1000000
    ip-others-max Limit the maximum number of other types of IP packets received. The range is 10,000 to 4,000,000,000 pps. 1000000
    arp-max Limit the maximum number of ARP packets received. The range is 10,000 to 4,000,000,000 pps. 1000000
    l2-others-max Limit the maximum number of other layer-2 packets received. The range is 10,000 to 4,000,000,000 pps. This option limits the following types of packets: HA heartbeat and session sync, LACP/802.3ad, FortiSwitch heartbeat, and wireless-controller CAPWAP. 1000000

    pri-type-max

    Set the maximum overflow limit for high priority traffic. The range is 0 to 1,000,000,000 pps.

    This overflow is applied to the following types of traffic that are treated as high-priority by the NP6 processor:

    • HA heartbeat
    • LACP/802.3ad
    • OSPF
    • BGP
    • IKE
    • SLBC
    • BFD

    This option adds an overflow for high priority traffic, causing the HPE to allow more of these high priority packets to be accepted by the NP6 processor. The overflow is added to the maximum number of packets allowed by HPE based on the other HPE settings. For example, the NP6 processor treats IKE traffic as high priority; so the HPE limits IKE traffic to udp-max + pri-type-max pps, which works out to 5000000 + 1000000 = 6000000 pps.

    In some cases, you may not want the overflow to apply to BGP, SLBC or BFD traffic. See The HPE and changing BGP, SLBC, and BFD priority for details.

    1000000
    config fp-anomaly
    fp-anomaly Configure how the NP6 processor performs traffic anomaly protection. In most cases you can configure the NP6 processor to allow or drop the packets associated with an attack or forward the packets that are associated with the attack to FortiOS (called trap-to-host). Selecting trap-to-host turns off NP6 anomaly protection for that anomaly. If you require anomaly protection but don't want to use the NP6 processor, you can select trap-to-host and enable anomaly protection with a DoS policy.
    tcp-syn-fin {allow | drop | trap-to-host} Detects TCP SYN flood SYN/FIN flag set anomalies. allow
    tcp-fin-noack {allow | drop | trap-to-host} Detects TCP SYN flood with FIN flag set without ACK setting anomalies. trap-to-host
    tcp-fin-only {allow | drop | trap-to-host} Detects TCP SYN flood with only FIN flag set anomalies. trap-to-host
    tcp-no-flag {allow | drop | trap-to-host} Detects TCP SYN flood with no flag set anomalies. allow
    tcp-syn-data {allow | drop | trap-to-host} Detects TCP SYN flood packets with data anomalies. allow
    tcp-winnuke {allow | drop | trap-to-host} Detects TCP WinNuke anomalies. trap-to-host
    tcp-land {allow | drop | trap-to-host} Detects TCP land anomalies. trap-to-host
    udp-land {allow | drop | trap-to-host} Detects UDP land anomalies. trap-to-host
    icmp-land {allow | drop | trap-to-host} Detects ICMP land anomalies. trap-to-host
    icmp-frag {allow | drop | trap-to-host} Detects Layer 3 fragmented packets that could be part of a layer 4 ICMP anomalies. allow
    ipv4-land {allow | drop | trap-to-host} Detects IPv4 land anomalies. trap-to-host
    ipv4-proto-err {allow | drop | trap-to-host} Detects invalid layer 4 protocol anomalies.

    For information about the error codes that are produced by setting this option to drop, see NP6 anomaly error codes.

    		 trap-to-host
    ipv4-unknopt {allow | drop | trap-to-host} Detects unknown option anomalies. trap-to-host
    ipv4-optrr {allow | drop | trap-to-host} Detects IPv4 with record route option anomalies. trap-to-host
    ipv4-optssrr {allow | drop | trap-to-host} Detects IPv4 with strict source record route option anomalies. trap-to-host
    ipv4-optlsrr {allow | drop | trap-to-host} Detects IPv4 with loose source record route option anomalies. trap-to-host
    ipv4-optstream {allow | drop | trap-to-host} Detects stream option anomalies. trap-to-host
    ipv4-optsecurity {allow | drop | trap-to-host} Detects security option anomalies. trap-to-host
    ipv4-opttimestamp {allow | drop | trap-to-host} Detects timestamp option anomalies. trap-to-host
    ipv4-csum-err {drop | trap-to-host} Detects IPv4 checksum errors. drop
    tcp-csum-err {drop | trap-to-host} Detects TCP checksum errors. drop
    udp-csum-err {drop | trap-to-host} Detects UDP checksum errors. drop
    icmp-csum-err {drop | trap-to-host} Detects ICMP checksum errors. drop
    ipv6-land {allow | drop | trap-to-host} Detects IPv6 land anomalies trap-to-host
    ipv6-unknopt {allow | drop | trap-to-host} Detects unknown option anomalies. trap-to-host
    ipv6-saddr-err {allow | drop | trap-to-host} Detects source address as multicast anomalies. trap-to-host
    ipv6-daddr-err {allow | drop | trap-to-host} Detects destination address as unspecified or loopback address anomalies. trap-to-host
    ipv6-optralert {allow | drop | trap-to-host} Detects router alert option anomalies. trap-to-host
    ipv6-optjumbo {allow | drop | trap-to-host} Detects jumbo options anomalies. trap-to-host
    ipv6-opttunnel {allow | drop | trap-to-host} Detects tunnel encapsulation limit option anomalies. trap-to-host
    ipv6-opthomeaddr {allow | drop | trap-to-host} Detects home address option anomalies. trap-to-host
    ipv6-optnsap {allow | drop | trap-to-host} Detects network service access point address option anomalies. trap-to-host
    ipv6-optendpid {allow | drop | trap-to-host} Detects end point identification anomalies. trap-to-host
    ipv6-optinvld {allow | drop | trap-to-host} Detects invalid option anomalies. trap-to-host
    Previous
    Next

    Configuring individual NP6 processors

    Configuring individual NP6 processors

    You can use the config system np6 command to configure a wide range of settings for each of the NP6 processors in your FortiGate unit including enabling session accounting and adjusting session timeouts. As well you can set anomaly checking for IPv4 and IPv6 traffic.

    For FortiGates with NP6XLite processors, the config system np6xlite command has similar options.

    For FortiGates with NP6Lite processors, the config system np6lite command has similar options.

    You can also enable and adjust Host Protection Engine (HPE) to protect networks from DoS attacks by categorizing incoming packets based on packet rate and processing cost and applying packet shaping to packets that can cause DoS attacks.

    The settings that you configure for an NP6 processor with the config system np6 command apply to traffic processed by all interfaces connected to that NP6 processor. This includes the physical interfaces connected to the NP6 processor as well as all subinterfaces, VLAN interfaces, IPsec interfaces, LAGs and so on associated with the physical interfaces connected to the NP6 processor.

    Note

    Some of the options for this command apply anomaly checking for NP6 sessions in the same way as the command described in applies anomaly checking for NP4 sessions.

    config system {np6 | np6xlite | np6lite}

    edit <np6-processor-name>

    set low-latency-mode {disable | enable}

    set per-session-accounting {all-enable | disable | enable-by-log}

    set session-timeout-random-range <range>

    set garbage-session-collector {disable | enable}

    set session-collector-interval <range>

    set session-timeout-interval <range>

    set session-timeout-random-range <range>

    set session-timeout-fixed {disable | enable}

    config hpe

    set tcpsyn-max <packets-per-second>

    set tcp-max <packets-per-second>

    set udp-max <packets-per-second>

    set icmp-max <packets-per-second>

    set sctp-max <packets-per-second>

    set esp-max <packets-per-second>

    set ip-frag-max <packets-per-second>

    set ip-others-max <packets-per-second>

    set arp-max <packets-per-second>

    set l2-others-max <packets-per-second>

    set pri-type-max <packets-per-second>

    set enable-shaper {disable | enable}

    config fp-anomaly

    set tcp-syn-fin {allow | drop | trap-to-host}

    set tcp-fin-noack {allow | drop | trap-to-host}

    set tcp-fin-only {allow | drop | trap-to-host}

    set tcp-no-flag {allow | drop | trap-to-host}

    set tcp-syn-data {allow | drop | trap-to-host}

    set tcp-winnuke {allow | drop | trap-to-host}

    set tcp-land {allow | drop | trap-to-host}

    set udp-land {allow | drop | trap-to-host}

    set icmp-land {allow | drop | trap-to-host}

    set icmp-frag {allow | drop | trap-to-host}

    set ipv4-land {allow | drop | trap-to-host}

    set ipv4-proto-err {allow | drop | trap-to-host}

    set ipv4-unknopt {allow | drop | trap-to-host}

    set ipv4-optrr {allow | drop | trap-to-host}

    set ipv4-optssrr {allow | drop | trap-to-host}

    set ipv4-optlsrr {allow | drop | trap-to-host}

    set ipv4-optstream {allow | drop | trap-to-host}

    set ipv4-optsecurity {allow | drop | trap-to-host}

    set ipv4-opttimestamp {allow | drop | trap-to-host}

    set ipv4-csum-err {drop | trap-to-host}

    set tcp-csum-err {drop | trap-to-host}

    set udp-csum-err {drop | trap-to-host}

    set icmp-csum-err {drop | trap-to-host}

    set ipv6-land {allow | drop | trap-to-host}

    set ipv6-proto-err {allow | drop | trap-to-host}

    set ipv6-unknopt {allow | drop | trap-to-host}

    set ipv6-saddr-err {allow | drop | trap-to-host}

    set ipv6-daddr-err {allow | drop | trap-to-host}

    set ipv6-optralert {allow | drop | trap-to-host}

    set ipv6-optjumbo {allow | drop | trap-to-host}

    set ipv6-opttunnel {allow | drop | trap-to-host}

    set ipv6-opthomeaddr {allow | drop | trap-to-host}

    set ipv6-optnsap {allow | drop | trap-to-host}

    set ipv6-optendpid {allow | drop | trap-to-host}

    set ipv6-optinvld {allow | drop | trap-to-host}

    end

    Command syntax
    Command Description Default
    low-latency-mode {disable | enable} Enable low-latency mode. In low latency mode the integrated switch fabric is bypassed. Low latency mode requires that packet enter and exit using the same NP6 processor. This option is only available for NP6 processors that can operate in low-latency mode, currently only np6_0 and np6_1 on the FortiGate 3700D and DX. disable
    per-session-accounting {all-enable | disable | enable-by-log} Disable NP6 per-session accounting or enable it and control how it works. If set to enable-by-log (the default) NP6 per-session accounting is only enabled if firewall policies accepting offloaded traffic have traffic logging enabled. If set to all-enable, NP6 per-session accounting is always enabled for all traffic offloaded by the NP6 processor.

    Enabling per-session accounting can affect performance.    		 enable-by-log
    garbage-session-collector {disable | enable} Enable deleting expired or garbage sessions. disable
    session-collector-interval <range> Set the expired or garbage session collector time interval in seconds. The range is 1 to 100 seconds. 64
    session-timeout-interval <range> Set the timeout for checking for and removing inactive NP6 sessions. The range is 0 to 1000 seconds. 40
    session-timeout-random-range <range> Set the random timeout for checking and removing inactive NP6 sessions. The range is 0 to 1000 seconds. 8
    session-timeout-fixed {disable | enable} Enable to force checking for and removing inactive NP6 sessions at the session-timeout-interval time interval. Set to disable (the default) to check for and remove inactive NP6 sessions at random time intervals. disable

    config hpe
    hpe

    The NP6 host protection engine (HPE) uses NP6 processors to protect the FortiGate CPU from excessive amounts of ingress traffic, which typically occurs during DDoS attacks or network problems (for example an ARP flood due to a network loop). You can use the HPE to prevent ingress traffic received on data interfaces connected to NP6 processors from overloading the FortiGate CPU.

    You configure the HPE by enabling it and setting traffic thresholds. The HPE then acts like a traffic shaper, dropping packets that exceed the configured traffic thresholds.

    The HPE does not affect offloaded traffic, just CPU traffic. The HPE is not as granular as DoS policies and should be used as a first level of protection.

    DoS policies can be used as a second level of protection. For information about DoS policies, see DoS protection. DoS policy sessions are not offloaded by NP6 processors.
    enable-shaper {disable | enable} Enable or disable HPE DDoS protection. disable
    tcpsyn-max Limit the maximum number of TCP SYN packets received per second. The range is 10,000 to 4,000,000,000 pps. 5000000
    tcp-max Limit the maximum number of TCP packets received per second. The range is 10,000 to 4,000,000,000 pps. 5000000
    udp-max Limit the maximum number of UDP packets received per second. The range is 10,000 to 4,000,000,000 pps. 5000000
    icmp-max Limit the maximum number of ICMP packets received. The range is 10,000 to 4,000,000,000 pps. 1000000
    sctp-max Limit the maximum number of SCTP packets received. The range is 10,000 to 4,000,000,000 pps. 1000000
    esp-max Limit the maximum number of ESP packets received. The range is 10,000 to 4,000,000,000 pps. 1000000
    ip-frag-max Limit the maximum number of fragmented IP packets received. The range is 10,000 to 4,000,000,000 pps. 1000000
    ip-others-max Limit the maximum number of other types of IP packets received. The range is 10,000 to 4,000,000,000 pps. 1000000
    arp-max Limit the maximum number of ARP packets received. The range is 10,000 to 4,000,000,000 pps. 1000000
    l2-others-max Limit the maximum number of other layer-2 packets received. The range is 10,000 to 4,000,000,000 pps. This option limits the following types of packets: HA heartbeat and session sync, LACP/802.3ad, FortiSwitch heartbeat, and wireless-controller CAPWAP. 1000000

    pri-type-max

    Set the maximum overflow limit for high priority traffic. The range is 0 to 1,000,000,000 pps.

    This overflow is applied to the following types of traffic that are treated as high-priority by the NP6 processor:

    • HA heartbeat
    • LACP/802.3ad
    • OSPF
    • BGP
    • IKE
    • SLBC
    • BFD

    This option adds an overflow for high priority traffic, causing the HPE to allow more of these high priority packets to be accepted by the NP6 processor. The overflow is added to the maximum number of packets allowed by HPE based on the other HPE settings. For example, the NP6 processor treats IKE traffic as high priority; so the HPE limits IKE traffic to udp-max + pri-type-max pps, which works out to 5000000 + 1000000 = 6000000 pps.

    In some cases, you may not want the overflow to apply to BGP, SLBC or BFD traffic. See The HPE and changing BGP, SLBC, and BFD priority for details.

    1000000
    config fp-anomaly
    fp-anomaly Configure how the NP6 processor performs traffic anomaly protection. In most cases you can configure the NP6 processor to allow or drop the packets associated with an attack or forward the packets that are associated with the attack to FortiOS (called trap-to-host). Selecting trap-to-host turns off NP6 anomaly protection for that anomaly. If you require anomaly protection but don't want to use the NP6 processor, you can select trap-to-host and enable anomaly protection with a DoS policy.
    tcp-syn-fin {allow | drop | trap-to-host} Detects TCP SYN flood SYN/FIN flag set anomalies. allow
    tcp-fin-noack {allow | drop | trap-to-host} Detects TCP SYN flood with FIN flag set without ACK setting anomalies. trap-to-host
    tcp-fin-only {allow | drop | trap-to-host} Detects TCP SYN flood with only FIN flag set anomalies. trap-to-host
    tcp-no-flag {allow | drop | trap-to-host} Detects TCP SYN flood with no flag set anomalies. allow
    tcp-syn-data {allow | drop | trap-to-host} Detects TCP SYN flood packets with data anomalies. allow
    tcp-winnuke {allow | drop | trap-to-host} Detects TCP WinNuke anomalies. trap-to-host
    tcp-land {allow | drop | trap-to-host} Detects TCP land anomalies. trap-to-host
    udp-land {allow | drop | trap-to-host} Detects UDP land anomalies. trap-to-host
    icmp-land {allow | drop | trap-to-host} Detects ICMP land anomalies. trap-to-host
    icmp-frag {allow | drop | trap-to-host} Detects Layer 3 fragmented packets that could be part of a layer 4 ICMP anomalies. allow
    ipv4-land {allow | drop | trap-to-host} Detects IPv4 land anomalies. trap-to-host
    ipv4-proto-err {allow | drop | trap-to-host} Detects invalid layer 4 protocol anomalies.

    For information about the error codes that are produced by setting this option to drop, see NP6 anomaly error codes.

    		 trap-to-host
    ipv4-unknopt {allow | drop | trap-to-host} Detects unknown option anomalies. trap-to-host
    ipv4-optrr {allow | drop | trap-to-host} Detects IPv4 with record route option anomalies. trap-to-host
    ipv4-optssrr {allow | drop | trap-to-host} Detects IPv4 with strict source record route option anomalies. trap-to-host
    ipv4-optlsrr {allow | drop | trap-to-host} Detects IPv4 with loose source record route option anomalies. trap-to-host
    ipv4-optstream {allow | drop | trap-to-host} Detects stream option anomalies. trap-to-host
    ipv4-optsecurity {allow | drop | trap-to-host} Detects security option anomalies. trap-to-host
    ipv4-opttimestamp {allow | drop | trap-to-host} Detects timestamp option anomalies. trap-to-host
    ipv4-csum-err {drop | trap-to-host} Detects IPv4 checksum errors. drop
    tcp-csum-err {drop | trap-to-host} Detects TCP checksum errors. drop
    udp-csum-err {drop | trap-to-host} Detects UDP checksum errors. drop
    icmp-csum-err {drop | trap-to-host} Detects ICMP checksum errors. drop
    ipv6-land {allow | drop | trap-to-host} Detects IPv6 land anomalies trap-to-host
    ipv6-unknopt {allow | drop | trap-to-host} Detects unknown option anomalies. trap-to-host
    ipv6-saddr-err {allow | drop | trap-to-host} Detects source address as multicast anomalies. trap-to-host
    ipv6-daddr-err {allow | drop | trap-to-host} Detects destination address as unspecified or loopback address anomalies. trap-to-host
    ipv6-optralert {allow | drop | trap-to-host} Detects router alert option anomalies. trap-to-host
    ipv6-optjumbo {allow | drop | trap-to-host} Detects jumbo options anomalies. trap-to-host
    ipv6-opttunnel {allow | drop | trap-to-host} Detects tunnel encapsulation limit option anomalies. trap-to-host
    ipv6-opthomeaddr {allow | drop | trap-to-host} Detects home address option anomalies. trap-to-host
    ipv6-optnsap {allow | drop | trap-to-host} Detects network service access point address option anomalies. trap-to-host
    ipv6-optendpid {allow | drop | trap-to-host} Detects end point identification anomalies. trap-to-host
    ipv6-optinvld {allow | drop | trap-to-host} Detects invalid option anomalies. trap-to-host
    Previous
    Next