system np6
Configure a wide range of settings for your FortiGate's NP6 processors, including enabling/disabling fastpath and low latency, enabling session accounting and adjusting session timeouts. You can also set anomaly checking for IPv4 and IPv6 traffic, and you can configure different settings for each NP6 processor. The settings that you configure for an NP6 processor with the config system np6 command apply to traffic processed by all interfaces connected to that NP6 processor. This includes the physical interfaces connected to the NP6 processor as well as all subinterfaces, VLAN interfaces, IPsec interfaces, LAGs and so on associated with the physical interfaces connected to the NP6 processor.
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.

Command | Description
---|---
set fastpath {enable \| disable} | Removed and added to

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command | Description
---|---
set ipsec-outbound-hash {disable \| enable}<br>set ipsec-ob-hash-function {switch-group-hash \| global-hash \| global-hash-weighted \| round-robin-switch-group \| round-robin-global} | New options to optimize IPsec VPN performance on FortiGate-3960E and 3980E platforms.
```
config system np6
    edit {name}   # Configure NP6 attributes.
        set name {string}   Device name. size[31]
        set fastpath {disable | enable}   Enable/disable NP4 or NP6 offloading (also called fast path).
        set low-latency-mode {disable | enable}   Enable/disable low latency mode.
        set per-session-accounting {disable | traffic-log-only | enable}   Enable/disable per-session accounting.
        set garbage-session-collector {disable | enable}   Enable/disable garbage session collector.
        set session-collector-interval {integer}   Set garbage session collection cleanup interval (1 - 100 sec, default 64). range[1-100]
        set session-timeout-interval {integer}   Set the fixed timeout for refreshing NP6 sessions (0 - 1000 sec, default 40 sec). range[0-1000]
        set session-timeout-random-range {integer}   Set the random timeout range for refreshing NP6 sessions (0 - 1000 sec, default 8 sec). range[0-1000]
        set session-timeout-fixed {disable | enable}   Toggle between using fixed or random timeouts for refreshing NP6 sessions.
        set ipsec-outbound-hash {disable | enable}   Enable/disable hash function for IPsec outbound traffic.
        set ipsec-ob-hash-function {option}   Set hash function for IPsec outbound.
            switch-group-hash          Hash outbound SA traffic within NPs connected to the same switch.
            global-hash                Hash outbound SA traffic among all NPs.
            global-hash-weighted       Hash outbound SA traffic among all NPs with more weight on NPs connected to switch 0. Applies when ingress traffic is from switch 1.
            round-robin-switch-group   Round-robin outbound SA traffic within NPs connected to the same switch.
            round-robin-global         Round-robin outbound SA traffic among all NPs.
        config hpe
            set tcpsyn-max {integer}   Maximum TCP SYN packet rate (10K - 4G pps, default = 5M pps). range[10000-4000000000]
            set tcp-max {integer}   Maximum TCP packet rate (10K - 4G pps, default = 5M pps). range[10000-4000000000]
            set udp-max {integer}   Maximum UDP packet rate (10K - 4G pps, default = 5M pps). range[10000-4000000000]
            set icmp-max {integer}   Maximum ICMP packet rate (10K - 4G pps, default = 1M pps). range[10000-4000000000]
            set sctp-max {integer}   Maximum SCTP packet rate (10K - 4G pps, default = 1M pps). range[10000-4000000000]
            set esp-max {integer}   Maximum ESP packet rate (10K - 4G pps, default = 1M pps). range[10000-4000000000]
            set ip-frag-max {integer}   Maximum fragmented IP packet rate (10K - 4G pps, default = 1M pps). range[10000-4000000000]
            set ip-others-max {integer}   Maximum IP packet rate for other packets (packet types that cannot be set with other options) (10K - 4G pps, default = 1M pps). range[10000-4000000000]
            set arp-max {integer}   Maximum ARP packet rate (10K - 4G pps, default = 1M pps). range[10000-4000000000]
            set l2-others-max {integer}   Maximum L2 packet rate for L2 packets that are not ARP packets (10K - 4G pps, default = 1M pps). range[10000-4000000000]
            set pri-type-max {integer}   Maximum overflow rate of priority type traffic (10K - 4G pps, default = 1M pps). Includes L2: HA, 802.3ad LACP, heartbeats. L3: OSPF. L4_TCP: BGP. L4_UDP: IKE, SLBC, BFD. range[10000-4000000000]
            set enable-shaper {disable | enable}   Enable/disable NPU host protection engine (HPE) shaper.
        end
        config fp-anomaly
            set tcp-syn-fin {allow | drop | trap-to-host}   TCP SYN flood SYN/FIN flag set anomalies.
                allow          Allow TCP packets with syn_fin flag set to pass.
                drop           Drop TCP packets with syn_fin flag set.
                trap-to-host   Forward TCP packets with syn_fin flag set to FortiOS.
            set tcp-fin-noack {allow | drop | trap-to-host}   TCP SYN flood with FIN flag set without ACK setting anomalies.
                allow          Allow TCP packets with FIN flag set without ack setting to pass.
                drop           Drop TCP packets with FIN flag set without ack setting.
                trap-to-host   Forward TCP packets with FIN flag set without ack setting to FortiOS.
            set tcp-fin-only {allow | drop | trap-to-host}   TCP SYN flood with only FIN flag set anomalies.
                allow          Allow TCP packets with FIN flag set only to pass.
                drop           Drop TCP packets with FIN flag set only.
                trap-to-host   Forward TCP packets with FIN flag set only to FortiOS.
            set tcp-no-flag {allow | drop | trap-to-host}   TCP SYN flood with no flag set anomalies.
                allow          Allow TCP packets without flag set to pass.
                drop           Drop TCP packets without flag set.
                trap-to-host   Forward TCP packets without flag set to FortiOS.
            set tcp-syn-data {allow | drop | trap-to-host}   TCP SYN flood packets with data anomalies.
                allow          Allow TCP syn packets with data to pass.
                drop           Drop TCP syn packets with data.
                trap-to-host   Forward TCP syn packets with data to FortiOS.
            set tcp-winnuke {allow | drop | trap-to-host}   TCP WinNuke anomalies.
                allow          Allow TCP WinNuke attack packets to pass.
                drop           Drop TCP WinNuke attack packets.
                trap-to-host   Forward TCP WinNuke attack packets to FortiOS.
            set tcp-land {allow | drop | trap-to-host}   TCP land anomalies.
                allow          Allow TCP land attack to pass.
                drop           Drop TCP land attack.
                trap-to-host   Forward TCP land attack to FortiOS.
            set udp-land {allow | drop | trap-to-host}   UDP land anomalies.
                allow          Allow UDP land attack to pass.
                drop           Drop UDP land attack.
                trap-to-host   Forward UDP land attack to FortiOS.
            set icmp-land {allow | drop | trap-to-host}   ICMP land anomalies.
                allow          Allow ICMP land attack to pass.
                drop           Drop ICMP land attack.
                trap-to-host   Forward ICMP land attack to FortiOS.
            set icmp-frag {allow | drop | trap-to-host}   Layer 3 fragmented packets that could be part of layer 4 ICMP anomalies.
                allow          Allow L3 fragment packet with L4 protocol as ICMP attack to pass.
                drop           Drop L3 fragment packet with L4 protocol as ICMP attack.
                trap-to-host   Forward L3 fragment packet with L4 protocol as ICMP attack to FortiOS.
            set ipv4-land {allow | drop | trap-to-host}   Land anomalies.
                allow          Allow IPv4 land attack to pass.
                drop           Drop IPv4 land attack.
                trap-to-host   Forward IPv4 land attack to FortiOS.
            set ipv4-proto-err {allow | drop | trap-to-host}   Invalid layer 4 protocol anomalies.
                allow          Allow IPv4 invalid L4 protocol to pass.
                drop           Drop IPv4 invalid L4 protocol.
                trap-to-host   Forward IPv4 invalid L4 protocol to FortiOS.
            set ipv4-unknopt {allow | drop | trap-to-host}   Unknown option anomalies.
                allow          Allow IPv4 with unknown options to pass.
                drop           Drop IPv4 with unknown options.
                trap-to-host   Forward IPv4 with unknown options to FortiOS.
            set ipv4-optrr {allow | drop | trap-to-host}   Record route option anomalies.
                allow          Allow IPv4 with record route option to pass.
                drop           Drop IPv4 with record route option.
                trap-to-host   Forward IPv4 with record route option to FortiOS.
            set ipv4-optssrr {allow | drop | trap-to-host}   Strict source record route option anomalies.
                allow          Allow IPv4 with strict source record route option to pass.
                drop           Drop IPv4 with strict source record route option.
                trap-to-host   Forward IPv4 with strict source record route option to FortiOS.
            set ipv4-optlsrr {allow | drop | trap-to-host}   Loose source record route option anomalies.
                allow          Allow IPv4 with loose source record route option to pass.
                drop           Drop IPv4 with loose source record route option.
                trap-to-host   Forward IPv4 with loose source record route option to FortiOS.
            set ipv4-optstream {allow | drop | trap-to-host}   Stream option anomalies.
                allow          Allow IPv4 with stream option to pass.
                drop           Drop IPv4 with stream option.
                trap-to-host   Forward IPv4 with stream option to FortiOS.
            set ipv4-optsecurity {allow | drop | trap-to-host}   Security option anomalies.
                allow          Allow IPv4 with security option to pass.
                drop           Drop IPv4 with security option.
                trap-to-host   Forward IPv4 with security option to FortiOS.
            set ipv4-opttimestamp {allow | drop | trap-to-host}   Timestamp option anomalies.
                allow          Allow IPv4 with timestamp option to pass.
                drop           Drop IPv4 with timestamp option.
                trap-to-host   Forward IPv4 with timestamp option to FortiOS.
            set ipv4-csum-err {drop | trap-to-host}   Invalid IPv4 IP checksum anomalies.
                drop           Drop IPv4 invalid IP checksum.
                trap-to-host   Forward IPv4 invalid IP checksum to main CPU for processing.
            set tcp-csum-err {drop | trap-to-host}   Invalid IPv4 TCP checksum anomalies.
                drop           Drop IPv4 invalid TCP checksum.
                trap-to-host   Forward IPv4 invalid TCP checksum to main CPU for processing.
            set udp-csum-err {drop | trap-to-host}   Invalid IPv4 UDP checksum anomalies.
                drop           Drop IPv4 invalid UDP checksum.
                trap-to-host   Forward IPv4 invalid UDP checksum to main CPU for processing.
            set icmp-csum-err {drop | trap-to-host}   Invalid IPv4 ICMP checksum anomalies.
                drop           Drop IPv4 invalid ICMP checksum.
                trap-to-host   Forward IPv4 invalid ICMP checksum to main CPU for processing.
            set ipv6-land {allow | drop | trap-to-host}   Land anomalies.
                allow          Allow IPv6 land attack to pass.
                drop           Drop IPv6 land attack.
                trap-to-host   Forward IPv6 land attack to FortiOS.
            set ipv6-proto-err {allow | drop | trap-to-host}   Layer 4 invalid protocol anomalies.
                allow          Allow IPv6 L4 invalid protocol to pass.
                drop           Drop IPv6 L4 invalid protocol.
                trap-to-host   Forward IPv6 L4 invalid protocol to FortiOS.
            set ipv6-unknopt {allow | drop | trap-to-host}   Unknown option anomalies.
                allow          Allow IPv6 with unknown options to pass.
                drop           Drop IPv6 with unknown options.
                trap-to-host   Forward IPv6 with unknown options to FortiOS.
            set ipv6-saddr-err {allow | drop | trap-to-host}   Source address as multicast anomalies.
                allow          Allow IPv6 with source address as multicast to pass.
                drop           Drop IPv6 with source address as multicast.
                trap-to-host   Forward IPv6 with source address as multicast to FortiOS.
            set ipv6-daddr-err {allow | drop | trap-to-host}   Destination address as unspecified or loopback address anomalies.
                allow          Allow IPv6 with destination address as unspecified or loopback address to pass.
                drop           Drop IPv6 with destination address as unspecified or loopback address.
                trap-to-host   Forward IPv6 with destination address as unspecified or loopback address to FortiOS.
            set ipv6-optralert {allow | drop | trap-to-host}   Router alert option anomalies.
                allow          Allow IPv6 with router alert option to pass.
                drop           Drop IPv6 with router alert option.
                trap-to-host   Forward IPv6 with router alert option to FortiOS.
            set ipv6-optjumbo {allow | drop | trap-to-host}   Jumbo options anomalies.
                allow          Allow IPv6 with jumbo option to pass.
                drop           Drop IPv6 with jumbo option.
                trap-to-host   Forward IPv6 with jumbo option to FortiOS.
            set ipv6-opttunnel {allow | drop | trap-to-host}   Tunnel encapsulation limit option anomalies.
                allow          Allow IPv6 with tunnel encapsulation limit to pass.
                drop           Drop IPv6 with tunnel encapsulation limit.
                trap-to-host   Forward IPv6 with tunnel encapsulation limit to FortiOS.
            set ipv6-opthomeaddr {allow | drop | trap-to-host}   Home address option anomalies.
                allow          Allow IPv6 with home address option to pass.
                drop           Drop IPv6 with home address option.
                trap-to-host   Forward IPv6 with home address option to FortiOS.
            set ipv6-optnsap {allow | drop | trap-to-host}   Network service access point address option anomalies.
                allow          Allow IPv6 with network service access point address option to pass.
                drop           Drop IPv6 with network service access point address option.
                trap-to-host   Forward IPv6 with network service access point address option to FortiOS.
            set ipv6-optendpid {allow | drop | trap-to-host}   End point identification anomalies.
                allow          Allow IPv6 with end point identification option to pass.
                drop           Drop IPv6 with end point identification option.
                trap-to-host   Forward IPv6 with end point identification option to FortiOS.
            set ipv6-optinvld {allow | drop | trap-to-host}   Invalid option anomalies.
                allow          Allow IPv6 with invalid option to pass.
                drop           Drop IPv6 with invalid option.
                trap-to-host   Forward IPv6 with invalid option to FortiOS.
        end
    next
end
```
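The config hpe block above caps, per packet type, the rate at which traffic can be punted from the NP6 to the host CPU. The following is an added example (not Fortinet code) that models that host protection engine as a set of token buckets seeded with the documented default pps values and the documented 10K-4G range. The bucket classification rules, the one-second burst depth and the pass/drop accounting are this example's own assumptions, chosen to illustrate how a per-type cap behaves under a burst.

```python
"""Model of the NP6 host protection engine (HPE) shaper from the config hpe block.

Added example, not Fortinet code. It sorts packets bound for the host CPU into
the page's rate-limit buckets and enforces each cap with a token bucket that
refills at the configured packets-per-second rate. The classifier rules, the
one-second burst depth and the accounting are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Documented defaults (pps) and the documented range shared by every option.
DEFAULT_PPS: Dict[str, int] = {
    "tcpsyn-max": 5_000_000, "tcp-max": 5_000_000, "udp-max": 5_000_000,
    "icmp-max": 1_000_000, "sctp-max": 1_000_000, "esp-max": 1_000_000,
    "ip-frag-max": 1_000_000, "ip-others-max": 1_000_000, "arp-max": 1_000_000,
    "l2-others-max": 1_000_000, "pri-type-max": 1_000_000,
}
PPS_MIN, PPS_MAX = 10_000, 4_000_000_000
ETH_IPV4, ETH_IPV6, ETH_ARP = 0x0800, 0x86DD, 0x0806
TCP_SYN, TCP_ACK = 0x02, 0x10


@dataclass
class HostPacket:
    ethertype: int
    proto: int = 0          # IP protocol number when the frame carries IP
    tcp_flags: int = 0
    fragment: bool = False
    priority: bool = False  # control traffic the page lists under pri-type (HA, LACP, OSPF, BGP, IKE, BFD)


def classify(pkt: HostPacket) -> str:
    """Pick the HPE bucket a packet is charged against (assumed mapping)."""
    if pkt.priority:
        return "pri-type-max"
    if pkt.ethertype == ETH_ARP:
        return "arp-max"
    if pkt.ethertype not in (ETH_IPV4, ETH_IPV6):
        return "l2-others-max"
    if pkt.fragment:
        return "ip-frag-max"
    if pkt.proto == 6:
        is_syn = pkt.tcp_flags & TCP_SYN and not pkt.tcp_flags & TCP_ACK
        return "tcpsyn-max" if is_syn else "tcp-max"
    return {17: "udp-max", 1: "icmp-max", 58: "icmp-max", 132: "sctp-max",
            50: "esp-max"}.get(pkt.proto, "ip-others-max")


class HpeShaper:
    def __init__(self, limits: Optional[Dict[str, int]] = None, enabled: bool = True):
        self.limits = {**DEFAULT_PPS, **(limits or {})}
        for name, pps in self.limits.items():
            if name not in DEFAULT_PPS or not PPS_MIN <= pps <= PPS_MAX:
                raise ValueError(f"{name}={pps}: unknown option or outside {PPS_MIN}-{PPS_MAX} pps")
        self.enabled = enabled  # mirrors set enable-shaper
        self.tokens = {k: float(v) for k, v in self.limits.items()}  # one second of burst credit
        self.last = 0.0
        self.stats = {k: {"passed": 0, "dropped": 0} for k in self.limits}

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        for name, cap in self.limits.items():
            self.tokens[name] = min(float(cap), self.tokens[name] + cap * elapsed)

    def offer(self, pkt: HostPacket, now: float, count: int = 1) -> int:
        """Offer `count` identical packets at time `now` (seconds); return how many
        may be punted to the host CPU. The remainder are dropped and counted."""
        bucket = classify(pkt)
        if not self.enabled:
            self.stats[bucket]["passed"] += count
            return count
        self._refill(now)
        admitted = min(count, int(self.tokens[bucket]))
        self.tokens[bucket] -= admitted
        self.stats[bucket]["passed"] += admitted
        self.stats[bucket]["dropped"] += count - admitted
        return admitted


if __name__ == "__main__":
    # Constructed scenario: a 15,000-packet ICMP burst against the minimum cap of 10,000 pps.
    shaper = HpeShaper({"icmp-max": 10_000})
    ping = HostPacket(ETH_IPV4, proto=1)
    print(shaper.offer(ping, 0.0, 15_000))   # 10000
    print(shaper.offer(ping, 0.5, 10_000))   # 5000: half a second refilled 5,000 tokens
    print(shaper.stats["icmp-max"])          # {'passed': 15000, 'dropped': 10000}
```

The point to take from the model is that each bucket is independent: exhausting the ICMP cap leaves TCP SYN or ARP credit untouched, which is why the page exposes a separate option per traffic type rather than one global limit.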
Additional information
The following section is for those options that require additional explanation.
name {np6_0 | np6_1 |...}
Change the settings for one of the FortiGate unit's NP6 processors.
per-session-accounting {all-enable | disable | enable-by-log}
Per-session accounting is a logging feature that allows the FortiGate to report the correct bytes/pkt numbers per session for sessions offloaded to an NP6 processor. This information appears in traffic log messages as well as in FortiView. When offloaded sessions appear on the FortiView All Sessions console they include an icon identifying them as NP sessions. You can hover over the NP icon to see some information about the offloaded sessions.
By default, per-session accounting is set to enable-by-log, which results in per-session accounting being turned on when you enable traffic logging in a policy. You can disable per-session accounting or select all-enable to enable per-session accounting for all sessions whether or not traffic logging is enabled.
Per-session accounting can affect NP6 offloading performance, so you should only enable it if you need the accounting information. Enabling per-session accounting only supports traffic log messages and does not provide traffic flow data for sFlow or NetFlow.
garbage-session-collector {disable | enable}
Enable deleting expired or garbage sessions. Disabled by default.
session-collector-interval <interval>
Set the expired or garbage session collector time interval in seconds. The range is 1 to 100 seconds. The default is 64 seconds.
session-timeout-interval <interval>
Set the timeout for inactive sessions. The range is 0 to 1000 seconds. The default is 40 seconds.
session-timeout-random-range <range>
Set the random timeout for inactive sessions. The range is 0 to 1000 seconds. The default is 8 seconds.
session-timeout-fixed {disable | enable}
Enable to force checking for and removing inactive NP6 sessions at the session-timeout-interval time interval. Set to disable (the default) to check for and remove inactive NP6 sessions at random time intervals.
config fp-anomaly-v4
Configure how the NP6 processor does IPv4 traffic anomaly protection. You can configure the NP6 processor to allow or drop the packets associated with an attack, or to forward the packets associated with the attack to FortiOS (called trap-to-host). Selecting trap-to-host turns off NP6 anomaly protection for that anomaly. If you require anomaly protection you can enable it with a DoS policy, but the anomaly protection is then done by the CPU instead of the NP6.
tcp-syn-fin {allow | drop | trap-to-host}
Detect TCP SYN flood SYN/FIN flag set anomalies. Default is allow.
tcp-fin-noack {allow | drop | trap-to-host}
Detect TCP SYN flood with FIN flag set without ACK setting anomalies. Default is trap-to-host.
tcp-fin-only {allow | drop | trap-to-host}
Detect TCP SYN flood with only FIN flag set anomalies. Default is trap-to-host.
tcp-no-flag {allow | drop | trap-to-host}
Detect TCP SYN flood with no flag set anomalies. Default is allow.
tcp-syn-data {allow | drop | trap-to-host}
Detect TCP SYN flood packets with data anomalies. Default is allow.
tcp-winnuke {allow | drop | trap-to-host}
Detect TCP WinNuke anomalies. Default is trap-to-host.
tcp-land {allow | drop | trap-to-host}
Detect TCP land anomalies. Default is trap-to-host.
udp-land {allow | drop | trap-to-host}
Detect UDP land anomalies. Default is trap-to-host.
icmp-land {allow | drop | trap-to-host}
Detect ICMP land anomalies. Default is trap-to-host.
icmp-frag {allow | drop | trap-to-host}
Detect layer 3 fragmented packets that could be part of layer 4 ICMP anomalies. Default is allow.
ipv4-land {allow | drop | trap-to-host}
Detect IPv4 land anomalies. Default is trap-to-host.
ipv4-proto-err {allow | drop | trap-to-host}
Detect IPv4 invalid layer 4 protocol anomalies. Default is trap-to-host. For information about the error codes that are produced by setting this option to drop, see NP6 anomaly error codes.
ipv4-unknopt {allow | drop | trap-to-host}
Detect IPv4 unknown option anomalies. Default is trap-to-host.
ipv4-optrr {allow | drop | trap-to-host}
Detect IPv4 record route option anomalies. Default is trap-to-host.
ipv4-optssrr {allow | drop | trap-to-host}
Detect IPv4 strict source record route option anomalies. Default is trap-to-host.
ipv4-optlsrr {allow | drop | trap-to-host}
Detect IPv4 loose source record route option anomalies. Default is trap-to-host.
ipv4-optstream {allow | drop | trap-to-host}
Detect IPv4 stream option anomalies. Default is trap-to-host.
ipv4-optsecurity {allow | drop | trap-to-host}
Detect IPv4 security option anomalies. Default is trap-to-host.
ipv4-opttimestamp {allow | drop | trap-to-host}
Detect IPv4 timestamp option anomalies. Default is trap-to-host.
config fp-anomaly-v6
Configure how the NP6 processor does IPv6 traffic anomaly protection. You can configure the NP6 processor to allow or drop the packets associated with an attack, or to forward the packets associated with the attack to FortiOS (called trap-to-host). Selecting trap-to-host turns off NP6 anomaly protection for that anomaly. If you require anomaly protection you can enable it with a DoS policy.
ipv6-land {allow | drop | trap-to-host}
Detect IPv6 land anomalies. Default is trap-to-host.
ipv6-proto-err {allow | drop | trap-to-host}
Detect IPv6 layer 4 invalid protocol anomalies. Default is trap-to-host.
ipv6-unknopt {allow | drop | trap-to-host}
Detect IPv6 unknown option anomalies. Default is trap-to-host.
ipv6-saddr-err {allow | drop | trap-to-host}
Detect IPv6 source address as multicast anomalies. Default is trap-to-host.
ipv6-daddr-err {allow | drop | trap-to-host}
Detect IPv6 destination address as unspecified or loopback address anomalies. Default is trap-to-host.
ipv6-optralert {allow | drop | trap-to-host}
Detect IPv6 router alert option anomalies. Default is trap-to-host.
ipv6-optjumbo {allow | drop | trap-to-host}
Detect IPv6 jumbo options anomalies. Default is trap-to-host.
ipv6-opttunnel {allow | drop | trap-to-host}
Detect IPv6 tunnel encapsulation limit option anomalies. Default is trap-to-host.
ipv6-opthomeaddr {allow | drop | trap-to-host}
Detect IPv6 home address option anomalies. Default is trap-to-host.
ipv6-optnsap {allow | drop | trap-to-host}
Detect IPv6 network service access point address option anomalies. Default is trap-to-host.
ipv6-optendpid {allow | drop | trap-to-host}
Detect IPv6 end point identification anomalies. Default is trap-to-host.
ipv6-optinvld {allow | drop | trap-to-host}
Detect IPv6 invalid option anomalies. Default is trap-to-host.
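The fp-anomaly-v4 and fp-anomaly-v6 sections above list which malformed packets the NP6 can act on and what each check defaults to. The following is an added example (not Fortinet code) that models those checks end to end: a small packet description, a detector that names the anomalies from both sections, and an action lookup seeded with the documented defaults (allow for tcp-syn-fin, tcp-no-flag, tcp-syn-data and icmp-frag; trap-to-host for everything else). The detection criteria, the IPv4/IPv6 option code tables and the drop > trap-to-host > allow precedence are this example's own assumptions and say nothing about NP6 internals; checksum checks and ipv6-optinvld are not modelled.

```python
"""Model of the NP6 fp-anomaly checks listed in this reference.

Added example, not Fortinet code. It defines a small packet model, a detector
for the anomaly names on the page, and an action lookup seeded with the
documented defaults. The detection criteria, the option code tables and the
drop > trap-to-host > allow precedence are this example's own assumptions and
do not describe NP6 internals; checksum and ipv6-optinvld checks are not modelled.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Standard TCP flag bits.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# IPv4 option codes (RFC 791 family) mapped to the page's option names.
IPV4_OPTS = {7: "ipv4-optrr", 137: "ipv4-optssrr", 131: "ipv4-optlsrr",
             136: "ipv4-optstream", 130: "ipv4-optsecurity", 68: "ipv4-opttimestamp"}
# IPv6 hop-by-hop / destination option types mapped to the page's option names.
IPV6_OPTS = {5: "ipv6-optralert", 194: "ipv6-optjumbo", 4: "ipv6-opttunnel",
             201: "ipv6-opthomeaddr", 195: "ipv6-optnsap", 138: "ipv6-optendpid"}
MAX_ASSIGNED_PROTO = 143  # simplification: larger IP protocol numbers count as invalid

# Documented defaults: four checks default to allow, every other check to trap-to-host.
DEFAULT_ACTIONS: Dict[str, str] = {name: "trap-to-host" for name in (
    "tcp-fin-noack", "tcp-fin-only", "tcp-winnuke", "tcp-land", "udp-land", "icmp-land",
    "ipv4-land", "ipv4-proto-err", "ipv4-unknopt", *IPV4_OPTS.values(),
    "ipv6-land", "ipv6-proto-err", "ipv6-unknopt", "ipv6-saddr-err", "ipv6-daddr-err",
    *IPV6_OPTS.values())}
DEFAULT_ACTIONS.update({n: "allow" for n in ("tcp-syn-fin", "tcp-no-flag", "tcp-syn-data", "icmp-frag")})
PRECEDENCE = {"drop": 2, "trap-to-host": 1, "allow": 0}


@dataclass
class Packet:
    src: str
    dst: str
    proto: int                 # IP protocol / next header: 6 TCP, 17 UDP, 1 ICMP, 58 ICMPv6
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0
    payload_len: int = 0
    fragment: bool = False
    options: List[int] = field(default_factory=list)  # IPv4 option or IPv6 option type codes


def detect(p: Packet) -> List[str]:
    """Return the anomaly names from the page that this packet matches."""
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    v = "ipv4" if src.version == 4 else "ipv6"
    found: List[str] = []
    if src == dst:                                   # land: packet addressed to itself
        found.append(f"{v}-land")
        l4 = {6: "tcp", 17: "udp", 1: "icmp", 58: "icmp"}.get(p.proto)
        if l4 and p.sport == p.dport:
            found.append(f"{l4}-land")
    if p.proto > MAX_ASSIGNED_PROTO:
        found.append(f"{v}-proto-err")
    if p.proto == 6:
        f = p.tcp_flags
        if f & SYN and f & FIN:
            found.append("tcp-syn-fin")
        if f & FIN and not f & (ACK | SYN):
            found.append("tcp-fin-noack")
        if f == FIN:
            found.append("tcp-fin-only")
        if f == 0:
            found.append("tcp-no-flag")
        if f & SYN and not f & ACK and p.payload_len > 0:
            found.append("tcp-syn-data")
        if f & URG and p.dport == 139:               # classic WinNuke: OOB data to NetBIOS
            found.append("tcp-winnuke")
    if p.fragment and p.proto in (1, 58):
        found.append("icmp-frag")
    table = IPV4_OPTS if v == "ipv4" else IPV6_OPTS
    for code in p.options:
        if code in (0, 1):                           # EOL/NOP (IPv4) or Pad1/PadN (IPv6)
            continue
        found.append(table.get(code, f"{v}-unknopt"))
    if v == "ipv6":
        if src.is_multicast:
            found.append("ipv6-saddr-err")
        if dst.is_unspecified or dst.is_loopback:
            found.append("ipv6-daddr-err")
    return found


def dispose(p: Packet, overrides: Optional[Dict[str, str]] = None) -> Tuple[List[str], str]:
    """Look up the configured action for each matched anomaly and return the
    strongest one: drop wins over trap-to-host, which wins over allow."""
    actions = {**DEFAULT_ACTIONS, **(overrides or {})}
    for name, action in actions.items():
        if action not in PRECEDENCE or name not in DEFAULT_ACTIONS:
            raise ValueError(f"unknown anomaly or action: {name}={action}")
    found = detect(p)
    return found, max((actions[a] for a in found), key=PRECEDENCE.get, default="allow")


if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    syn_fin = Packet("192.0.2.10", "198.51.100.20", 6, 40000, 80, SYN | FIN)
    print(dispose(syn_fin))                                  # (['tcp-syn-fin'], 'allow')
    print(dispose(syn_fin, {"tcp-syn-fin": "drop"}))         # (['tcp-syn-fin'], 'drop')
    print(dispose(Packet("ff02::1", "2001:db8::1", 58)))     # (['ipv6-saddr-err'], 'trap-to-host')
```

Running the defaults against the constructed packets shows the practical consequence of the page's note on trap-to-host: most anomalies are punted to FortiOS rather than dropped on the NP6, so a site that wants them stopped in hardware has to set the individual options to drop, as the second call does for tcp-syn-fin.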
Optimizing FortiGate-3960E and 3980E IPsec VPN performance
You can use the following command to configure outbound hashing to improve IPsec performance for the FortiGate-3960E and 3980E. If you change these settings, reboot the device to make sure they take effect.
```
config system np6
    edit np6_0
        set ipsec-outbound-hash {disable | enable}
        set ipsec-ob-hash-function {switch-group-hash | global-hash | global-hash-weighted | round-robin-switch-group | round-robin-global}
end
```
Where:
ipsec-outbound-hash
is disabled by default. If you enable it, you can set ipsec-ob-hash-function as follows:
switch-group-hash
(the default) distributes outbound IPsec Security Association (SA) traffic to the NP6 processors connected to the same switch as the interfaces that received the incoming traffic. This option keeps all traffic on one switch and the NP6 processors connected to that switch, which improves performance.
global-hash
distributes outbound IPsec SA traffic among all NP6 processors.
global-hash-weighted
distributes outbound IPsec SA traffic from switch 1 among all NP6 processors, with more sessions going to the NP6s connected to switch 0. This option is only recommended for the FortiGate-3980E, because it is designed to weight switch 0 higher and send more sessions to switch 0, which on the FortiGate-3980E has more NP6 processors connected to it. On the FortiGate-3960E both switches have the same number of NP6s, so for best performance one switch shouldn't have a higher weight.
round-robin-switch-group
round-robin distribution of outbound IPsec SA traffic among the NP6 processors connected to the same switch.
round-robin-global
round-robin distribution of outbound IPsec SA traffic among all NP6 processors.
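To make the difference between the five ipsec-ob-hash-function values concrete, the following is an added example (not Fortinet code) that assigns outbound SAs to NP6 processors under each strategy. The NP6 topology is constructed for illustration and is not the real 3960E or 3980E layout (switch 0 is given four NP6s and switch 1 two, so that the weighted option has something to favour), the hash is CRC32 of the SPI, and the 2:1 weight used for global-hash-weighted is an assumption; the page says only that switch 0 gets more weight.

```python
"""Model of the ipsec-ob-hash-function distribution strategies.

Added example, not Fortinet code. TOPOLOGY, the CRC32 hash and SWITCH0_WEIGHT
are constructed assumptions used to show how each strategy spreads outbound
SA traffic across NP6 processors.
"""
import zlib
from collections import Counter
from itertools import count
from typing import Dict, Iterable, List

# Constructed topology: switch 0 fronts four NP6s, switch 1 fronts two.
TOPOLOGY: Dict[int, List[str]] = {0: ["np6_0", "np6_1", "np6_2", "np6_3"],
                                  1: ["np6_4", "np6_5"]}
ALL_NPS: List[str] = [np for sw in sorted(TOPOLOGY) for np in TOPOLOGY[sw]]
SWITCH0_WEIGHT = 2  # assumed extra weight for switch-0 NP6s under global-hash-weighted
FUNCTIONS = ("switch-group-hash", "global-hash", "global-hash-weighted",
             "round-robin-switch-group", "round-robin-global")


def _spi_hash(spi: int) -> int:
    """Stable hash of a 32-bit SPI (Python's hash() is randomized per process)."""
    return zlib.crc32(spi.to_bytes(4, "big"))


class OutboundHasher:
    def __init__(self, function: str = "switch-group-hash"):
        if function not in FUNCTIONS:
            raise ValueError(f"unknown ipsec-ob-hash-function: {function}")
        self.function = function
        self._rr_switch = {sw: count() for sw in TOPOLOGY}  # per-switch round-robin counters
        self._rr_global = count()
        # Weighted pool: switch-0 NP6s appear SWITCH0_WEIGHT times, others once.
        self._weighted = [np for sw, nps in TOPOLOGY.items() for np in nps
                          for _ in range(SWITCH0_WEIGHT if sw == 0 else 1)]

    def assign(self, spi: int, ingress_switch: int) -> str:
        """Return the NP6 that handles outbound traffic for this SA."""
        local = TOPOLOGY[ingress_switch]
        if self.function == "switch-group-hash":
            return local[_spi_hash(spi) % len(local)]
        if self.function == "global-hash":
            return ALL_NPS[_spi_hash(spi) % len(ALL_NPS)]
        if self.function == "global-hash-weighted":
            return self._weighted[_spi_hash(spi) % len(self._weighted)]
        if self.function == "round-robin-switch-group":
            return local[next(self._rr_switch[ingress_switch]) % len(local)]
        return ALL_NPS[next(self._rr_global) % len(ALL_NPS)]


def distribution(function: str, spis: Iterable[int], ingress_switch: int) -> Counter:
    """Count how many of the given SAs land on each NP6 under one strategy."""
    hasher = OutboundHasher(function)
    return Counter(hasher.assign(spi, ingress_switch) for spi in spis)


if __name__ == "__main__":
    sample_spis = range(0x1000, 0x1400)  # constructed SPIs, not from a live device
    for fn in FUNCTIONS:
        print(f"{fn:26} {dict(sorted(distribution(fn, sample_spis, 1).items()))}")
```

Because the hash strategies are deterministic in the SPI, the same SA always lands on the same NP6 for the life of that SA, which is what makes hashing (rather than round-robin) a sensible default when per-SA state such as sequence numbers must stay on one processor.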
Improving LAG performance on some FortiGate models
Some FortiGate models support the following command, which might improve link aggregation (LAG) performance by reducing the number of dropped packets that can occur with some LAG configurations.
```
config system np6
    edit np6_0
        set lag-npu {disable | enable}
end
```
If you notice that NP6-accelerated LAG interface performance is lower than expected, or that sessions over LAG interfaces show excessive dropped packets, check whether your FortiGate has this option and, if it is available, try enabling it to see if performance improves.
You should enable lag-npu for every NP6 processor that is connected to a LAG interface.