Fortinet black logo

CLI Reference

system np6

system np6

Configure a wide range of settings for your FortiGate's NP6 processors including enabling/disabling fastpath and low latency, enabling session accounting and adjusting session timeouts. As well you can set anomaly checking for IPv4 and IPv6 traffic. You can also configure different settings for each NP6 processor. The settings that you configure for an NP6 processor with the config system np6 command apply to traffic processed by all interfaces connected to that NP6 processor. This includes the physical interfaces connected to the NP6 processor as well as all subinterfaces, VLAN interfaces, IPsec interfaces, LAGs and so on associated with the physical interfaces connected to the NP6 processor.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.

Command Description

set fastpath {enable | disable}

Removed and added to config system npu. Enable or disable NP4 or NP6 offloading (also called fast path).

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set ipsec-outbound-hash {disable | enable}

set ipsec-ob-hash-function {switch-group-hash | global- hash | global-hash-weighted | round-robin-switch-group | round-robin-global}

New options to optimize IPsec VPN performance on FortiGate-3960E and 3980E platforms.

config system np6
    edit {name}
    # Configure NP6 attributes.
        set name {string}   Device Name. size[31]
        set fastpath {disable | enable}   Enable/disable NP4 or NP6 offloading (also called fast path).
        set low-latency-mode {disable | enable}   Enable/disable low latency mode.
        set per-session-accounting {disable | traffic-log-only | enable}   Enable/disable per-session accounting.
        set garbage-session-collector {disable | enable}   Enable/disable garbage session collector.
        set session-collector-interval {integer}   Set garbage session collection cleanup interval (1 - 100 sec, default 64). range[1-100]
        set session-timeout-interval {integer}   Set the fixed timeout for refreshing NP6 sessions (0 - 1000 sec, default 40 sec). range[0-1000]
        set session-timeout-random-range {integer}   Set the random timeout range for refreshing NP6 sessions (0 - 1000 sec, default 8 sec). range[0-1000]
        set session-timeout-fixed {disable | enable}   {disable | enable} Toggle between using fixed or random timeouts for refreshing NP6 sessions.
        set ipsec-outbound-hash {disable | enable}   Enable/disable hash function for IPsec outbound traffic.
        set ipsec-ob-hash-function {option}   Set hash function for IPSec outbound.
                switch-group-hash         Hash outbound SA traffic within NPs connected to same switch.
                global-hash               Hash outbound SA traffic among all NPs.
                global-hash-weighted      Hash outbound SA traffic among all NPs with more weights on NPs connected to switch 0. It's applicable to the case that ingress traffic is from switch 1.
                round-robin-switch-group  Round-robin outbound SA traffic within NPs connected to same switch.
                round-robin-global        Round-robin outbound SA traffic among all NPs.
        config hpe
            set tcpsyn-max {integer}   Maximum TCP SYN packet rate (10K - 4G pps, default = 5M pps). range[10000-4000000000]
            set tcp-max {integer}   Maximum TCP packet rate (10K - 4G pps, default = 5M pps). range[10000-4000000000]
            set udp-max {integer}   Maximum UDP packet rate (10K - 4G pps, default = 5M pps). range[10000-4000000000]
            set icmp-max {integer}   Maximum ICMP packet rate (10K - 4G pps, default = 1M pps). range[10000-4000000000]
            set sctp-max {integer}   Maximum SCTP packet rate (10K - 4G pps, default = 1M pps). range[10000-4000000000]
            set esp-max {integer}   Maximum ESP packet rate (10K - 4G pps, default = 1M pps). range[10000-4000000000]
            set ip-frag-max {integer}   Maximum fragmented IP packet rate (10K - 4G pps, default = 1M pps). range[10000-4000000000]
            set ip-others-max {integer}   Maximum IP packet rate for other packets (packet types that cannot be set with other options) (10G - 4G pps, default = 1M pps). range[10000-4000000000]
            set arp-max {integer}   Maximum ARP packet rate (10K - 4G pps, default = 1M pps). range[10000-4000000000]
            set l2-others-max {integer}   Maximum L2 packet rate for L2 packets that are not ARP packets (10K - 4G pps, default = 1M pps). range[10000-4000000000]
            set pri-type-max {integer}   Maximum overflow rate of priority type traffic(10K - 4G pps, default = 1M pps). Includes L2: HA, 802.3ad LACP, heartbeats. L3: OSPF. L4_TCP: BGP. L4_UDP: IKE, SLBC, BFD. range[10000-4000000000]
            set enable-shaper {disable | enable}   Enable/Disable NPU host protection engine (HPE) shaper.
        config fp-anomaly
            set tcp-syn-fin {allow | drop | trap-to-host}   TCP SYN flood SYN/FIN flag set anomalies. 
                    allow         Allow TCP packets with syn_fin flag set to pass.
                    drop          Drop TCP packets with syn_fin flag set.
                    trap-to-host  Forward TCP packets with syn_fin flag set to FortiOS.
            set tcp-fin-noack {allow | drop | trap-to-host}   TCP SYN flood with FIN flag set without ACK setting anomalies.
                    allow         Allow TCP packets with FIN flag set without ack setting to pass.
                    drop          Drop TCP packets with FIN flag set without ack setting.
                    trap-to-host  Forward TCP packets with FIN flag set without ack setting to FortiOS.
            set tcp-fin-only {allow | drop | trap-to-host}   TCP SYN flood with only FIN flag set anomalies.
                    allow         Allow TCP packets with FIN flag set only to pass.
                    drop          Drop TCP packets with FIN flag set only.
                    trap-to-host  Forward TCP packets with FIN flag set only to FortiOS.
            set tcp-no-flag {allow | drop | trap-to-host}   TCP SYN flood with no flag set anomalies.
                    allow         Allow TCP packets without flag set to pass.
                    drop          Drop TCP packets without flag set.
                    trap-to-host  Forward TCP packets without flag set to FortiOS.
            set tcp-syn-data {allow | drop | trap-to-host}   TCP SYN flood packets with data anomalies.
                    allow         Allow TCP syn packets with data to pass.
                    drop          Drop TCP syn packets with data.
                    trap-to-host  Forward TCP syn packets with data to FortiOS.
            set tcp-winnuke {allow | drop | trap-to-host}   TCP WinNuke anomalies.
                    allow         Allow TCP packets winnuke attack to pass.
                    drop          Drop TCP packets winnuke attack.
                    trap-to-host  Forward TCP packets winnuke attack to FortiOS.
            set tcp-land {allow | drop | trap-to-host}   TCP land anomalies.
                    allow         Allow TCP land attack to pass.
                    drop          Drop TCP land attack.
                    trap-to-host  Forward TCP land attack to FortiOS.
            set udp-land {allow | drop | trap-to-host}   UDP land anomalies.
                    allow         Allow UDP land attack to pass.
                    drop          Drop UDP land attack.
                    trap-to-host  Forward UDP land attack to FortiOS.
            set icmp-land {allow | drop | trap-to-host}   ICMP land anomalies.
                    allow         Allow ICMP land attack to pass.
                    drop          Drop ICMP land attack.
                    trap-to-host  Forward ICMP land attack to FortiOS.
            set icmp-frag {allow | drop | trap-to-host}   Layer 3 fragmented packets that could be part of layer 4 ICMP anomalies.
                    allow         Allow L3 fragment packet with L4 protocol as ICMP attack to pass.
                    drop          Drop L3 fragment packet with L4 protocol as ICMP attack.
                    trap-to-host  Forward L3 fragment packet with L4 protocol as ICMP attack to FortiOS.
            set ipv4-land {allow | drop | trap-to-host}   Land anomalies.
                    allow         Allow IPv4 land attack to pass.
                    drop          Drop IPv4 land attack.
                    trap-to-host  Forward IPv4 land attack to FortiOS.
            set ipv4-proto-err {allow | drop | trap-to-host}   Invalid layer 4 protocol anomalies.
                    allow         Allow IPv4 invalid L4 protocol to pass.
                    drop          Drop IPv4 invalid L4 protocol.
                    trap-to-host  Forward IPv4 invalid L4 protocol to FortiOS.
            set ipv4-unknopt {allow | drop | trap-to-host}   Unknown option anomalies.
                    allow         Allow IPv4 with unknown options to pass.
                    drop          Drop IPv4 with unknown options.
                    trap-to-host  Forward IPv4 with unknown options to FortiOS.
            set ipv4-optrr {allow | drop | trap-to-host}   Record route option anomalies.
                    allow         Allow IPv4 with record route option to pass.
                    drop          Drop IPv4 with record route option.
                    trap-to-host  Forward IPv4 with record route option to FortiOS.
            set ipv4-optssrr {allow | drop | trap-to-host}   Strict source record route option anomalies.
                    allow         Allow IPv4 with strict source record route option to pass.
                    drop          Drop IPv4 with strict source record route option.
                    trap-to-host  Forward IPv4 with strict source record route option to FortiOS.
            set ipv4-optlsrr {allow | drop | trap-to-host}   Loose source record route option anomalies.
                    allow         Allow IPv4 with loose source record route option to pass.
                    drop          Drop IPv4 with loose source record route option.
                    trap-to-host  Forward IPv4 with loose source record route option to FortiOS.
            set ipv4-optstream {allow | drop | trap-to-host}   Stream option anomalies.
                    allow         Allow IPv4 with stream option to pass.
                    drop          Drop IPv4 with stream option.
                    trap-to-host  Forward IPv4 with stream option to FortiOS.
            set ipv4-optsecurity {allow | drop | trap-to-host}   Security option anomalies.
                    allow         Allow IPv4 with security option to pass.
                    drop          Drop IPv4 with security option.
                    trap-to-host  Forward IPv4 with security option to FortiOS.
            set ipv4-opttimestamp {allow | drop | trap-to-host}   Timestamp option anomalies.
                    allow         Allow IPv4 with timestamp option to pass.
                    drop          Drop IPv4 with timestamp option.
                    trap-to-host  Forward IPv4 with timestamp option to FortiOS.
            set ipv4-csum-err {drop | trap-to-host}   Invalid IPv4 IP checksum anomalies.
                    drop          Drop IPv4 invalid IP checksum.
                    trap-to-host  Forward IPv4 invalid IP checksum to main CPU for processing.
            set tcp-csum-err {drop | trap-to-host}   Invalid IPv4 TCP checksum anomalies.
                    drop          Drop IPv4 invalid TCP checksum.
                    trap-to-host  Forward IPv4 invalid TCP checksum to main CPU for processing.
            set udp-csum-err {drop | trap-to-host}   Invalid IPv4 UDP checksum anomalies.
                    drop          Drop IPv4 invalid UDP checksum.
                    trap-to-host  Forward IPv4 invalid UDP checksum to main CPU for processing.
            set icmp-csum-err {drop | trap-to-host}   Invalid IPv4 ICMP checksum anomalies.
                    drop          Drop IPv4 invalid ICMP checksum.
                    trap-to-host  Forward IPv4 invalid ICMP checksum to main CPU for processing.
            set ipv6-land {allow | drop | trap-to-host}   Land anomalies.
                    allow         Allow IPv6 land attack to pass.
                    drop          Drop IPv6 land attack.
                    trap-to-host  Forward IPv6 land attack to FortiOS.
            set ipv6-proto-err {allow | drop | trap-to-host}   Layer 4 invalid protocol anomalies.
                    allow         Allow IPv6 L4 invalid protocol to pass.
                    drop          Drop IPv6 L4 invalid protocol.
                    trap-to-host  Forward IPv6 L4 invalid protocol to FortiOS.
            set ipv6-unknopt {allow | drop | trap-to-host}   Unknown option anomalies.
                    allow         Allow IPv6 with unknown options to pass.
                    drop          Drop IPv6 with unknown options.
                    trap-to-host  Forward IPv6 with unknown options to FortiOS.
            set ipv6-saddr-err {allow | drop | trap-to-host}   Source address as multicast anomalies.
                    allow         Allow IPv6 with source address as multicast to pass.
                    drop          Drop IPv6 with source address as multicast.
                    trap-to-host  Forward IPv6 with source address as multicast to FortiOS.
            set ipv6-daddr-err {allow | drop | trap-to-host}   Destination address as unspecified or loopback address anomalies.
                    allow         Allow IPv6 with destination address as unspecified or loopback address to pass.
                    drop          Drop IPv6 with destination address as unspecified or loopback address.
                    trap-to-host  Forward IPv6 with destination address as unspecified or loopback address to FortiOS.
            set ipv6-optralert {allow | drop | trap-to-host}   Router alert option anomalies.
                    allow         Allow IPv6 with router alert option to pass.
                    drop          Drop IPv6 with router alert option.
                    trap-to-host  Forward IPv6 with router alert option to FortiOS.
            set ipv6-optjumbo {allow | drop | trap-to-host}   Jumbo options anomalies.
                    allow         Allow IPv6 with jumbo option to pass.
                    drop          Drop IPv6 with jumbo option.
                    trap-to-host  Forward IPv6 with jumbo option to FortiOS.
            set ipv6-opttunnel {allow | drop | trap-to-host}   Tunnel encapsulation limit option anomalies.
                    allow         Allow IPv6 with tunnel encapsulation limit to pass.
                    drop          Drop IPv6 with tunnel encapsulation limit.
                    trap-to-host  Forward IPv6 with tunnel encapsulation limit to FortiOS.
            set ipv6-opthomeaddr {allow | drop | trap-to-host}   Home address option anomalies.
                    allow         Allow IPv6 with home address option to pass.
                    drop          Drop IPv6 with home address option.
                    trap-to-host  Forward IPv6 with home address option to FortiOS.
            set ipv6-optnsap {allow | drop | trap-to-host}   Network service access point address option anomalies.
                    allow         Allow IPv6 with network service access point address option to pass.
                    drop          Drop IPv6 with network service access point address option.
                    trap-to-host  Forward IPv6 with network service access point address option to FortiOS.
            set ipv6-optendpid {allow | drop | trap-to-host}   End point identification anomalies.
                    allow         Allow IPv6 with end point identification option to pass.
                    drop          Drop IPv6 with end point identification option.
                    trap-to-host  Forward IPv6 with end point identification option to FortiOS.
            set ipv6-optinvld {allow | drop | trap-to-host}   Invalid option anomalies.Invalid option anomalies.
                    allow         Allow IPv6 with invalid option to pass.
                    drop          Drop IPv6 with invalid option.
                    trap-to-host  Forward IPv6 with invalid option to FortiOS.
    next
end

Additional information

The following section is for those options that require additional explanation.

name {np6_0 | np6_1 |...}

Change the settings for one of the FortiGate unit's NP6 processors.

per-session-accounting {all-enable | disable | enable-by-log}

Per-session accounting is a logging feature that allows the FortiGate to report the correct bytes/pkt numbers per session for sessions offloaded to an NP6 processor. This information appears in traffic log messages as well as in FortiView. When offloaded sessions appear on the FortiView All Sessions console they include an icon identifying them as NP sessions. You can hover over the NP icon to see some information about the offloaded sessions. By default, per-session accounting is set to enable-by-log, which results in per-session accounting being turned on when you enable traffic logging in a policy. You can disable per-session accounting or select all-enable to enable per-session accounting for all sessions whether or traffic logging is enabled or not. Per-session accounting can affect NP6 offloading performance. So you should only enable per-session accounting if you need the accounting information. Enabling per-session accounting only supports traffic log messages and does not provide traffic flow data for sFlow or NetFlow.

garbage-session-collector {disable | enable}

Enable deleting expired or garbage sessions. Disabled by default.

session-collector-interval <interval>

Set the expired or garbage session collector time interval in seconds. The range is 1 to 100 seconds. The default is 64 seconds.

session-timeout-interval <interval>

Set the timeout for inactive sessions. The range is 0 to 1000 seconds. The default is 40 seconds.

session-timeout-random-range <range>

Set the random timeout for inactive sessions. The range is 0 to 1000 seconds. The default is 8 seconds.

session-timeout-fixed {disable | enable}

Enable to force checking for and removing inactive NP6 sessions at thesession-timeout-intervaltime interval. Set to disable (the default) to check for and remove inactive NP6 sessions at random time intervals. Disabled by default.

config fp-anomaly-v4

Configure how the NP6 processor does IPv4 traffic anomaly protection. You can configure the NP6 processor to allow or drop the packets associated with an attack or forward the packets that are associated with the attack to FortiOS (called trap-to-host). Selecting trap-to-host turns off NP6 anomaly protection for that anomaly. If you require anomaly protection you can enable it with a DoS policy but the anomaly protection is done by the CPU instead of the NP6.

tcp-syn-fin {allow | drop | trap-to-host}

Detect TCP SYN flood SYN/FIN flag set anomalies. Default is allow.

tcp-fin-noack {allow | drop | trap-to-host}

Detect TCP SYN flood with FIN flag set without ACK setting anomalies. Default is trap-to-host.

tcp-fin-only {allow | drop | trap-to-host}

Detect TCP SYN flood with only FIN flag set anomalies. Default is trap-to-host.

tcp-no-flag {allow | drop | trap-to-host}

Detect TCP SYN flood with no flag set anomalies. Default is allow.

tcp-syn-data {allow | drop | trap-to-host}

Detect TCP SYN flood packets with data anomalies. Default is allow.

tcp-winnuke {allow | drop | trap-to-host}

Detect TCP WinNuke anomalies. Default is trap-to-host.

tcp-land {allow | drop | trap-to-host}

Detect TCP land anomalies. Default is trap-to-host.

udp-land {allow | drop | trap-to-host}

Detect UDP land anomalies. Default is trap-to-host.

icmp-land {allow | drop | trap-to-host}

Detect ICMP land anomalies. Default is trap-to-host.

icmp-frag {allow | drop | trap-to-host}

Detect Layer 3 fragmented packets that could be part of layer 4 ICMP anomalies. Default is allow.

ipv4-land {allow | drop | trap-to-host}

Detect IPv4 land anomalies. Default is trap-to-host.

ipv4-proto-err {allow | drop | trap-to-host}

Detect IPv4 invalid layer 4 protocol anomalies. Default is trap-to-host. For information about the error codes that are produced by setting this option to drop, see NP6 anomaly error codes.

ipv4-unknopt {allow | drop | trap-to-host}

Detect IPv4 unknown option anomalies. Default is trap-to-host.

ipv4-optrr {allow | drop | trap-to-host}

Detect IPv4 record route option anomalies. Default is trap-to-host.

ipv4-optssrr {allow | drop | trap-to-host}

Detect IPv4 strict source record route option anomalies. Default is trap-to-host.

ipv4-optlsrr {allow | drop | trap-to-host}

Detect IPv4 loose source record route option anomalies. Default is trap-to-host.

ipv4-optstream {allow | drop | trap-to-host}

Detect IPv4 stream option anomalies.. Default is trap-to-host.

ipv4-optsecurity {allow | drop | trap-to-host}

Detect IPv4 security option anomalies. Default is trap-to-host.

ipv4-opttimestamp {allow | drop | trap-to-host}

Detect IPv4 timestamp option anomalies. Default is trap-to-host.

config fp-anomaly-v6

Configure how the NP6 processor does IPv6 traffic anomaly protection. You can configure the NP6 processor to allow or drop the packets associated with an attack or forward the packets that are associated with the attack to FortiOS (called “trapto- host”). Selecting “trap-to-host” turns off NP6 anomaly protection for that anomaly. If you require anomaly protection you can enable it with a DoS policy.

ipv6-land {allow | drop | trap-to-host}

Detect IPv6 land anomalies. Default is trap-to-host.

ipv6-proto-err {allow | drop | trap-to-host}

Detect layer 4 invalid protocol anomalies. Default is trap-to-host.

ipv6-unknopt {allow | drop | trap-to-host}

Detect IPv6 unknown option anomalies. Default is trap-to-host.

ipv6-saddr-err {allow | drop | trap-to-host}

Detect source address as multicast anomalies. Default is trap-to-host.

ipv6-daddr-err {allow | drop | trap-to-host}

Detect IPv6 destination address as unspecified or loopback address anomalies. Default is trap-to-host.

ipv6-optralert {allow | drop | trap-to-host}

Detect IPv6 router alert option anomalies. Default is trap-to-host.

ipv6-optjumbo {allow | drop | trap-to-host}

Detect IPv6 jumbo options anomalies. Default is trap-to-host.

ipv6-opttunnel {allow | drop | trap-to-host}

Detect IPv6 tunnel encapsulation limit option anomalies. Default is trap-to-host.

ipv6-opthomeaddr {allow | drop | trap-to-host}

Detect IPv6 home address option anomalies. Default is trap-to-host.

ipv6-optnsap {allow | drop | trap-to-host}

Detect IPv6 network service access point address option anomalies. Default is trap-to-host.

ipv6-optendpid {allow | drop | trap-to-host}

Detect IPv6 end point identification anomalies. Default is trap-to-host.

ipv6-optinvld {allow | drop | trap-to-host}

Detect IPv6 invalid option anomalies. Default is trap-to-host.

Optimizing FortiGate-3960E and 3980E IPsec VPN performance

You can use the following command to configure outbound hashing to improve IPsec performance for the FortiGate-3960E and 3980E. If you change these settings, to make sure they take affect, you should reboot your device.

config system np6

edit np6_0

set ipsec-outbound-hash {disable | enable}

set ipsec-ob-hash-function {switch-group-hash | global- hash | global-hash-weighted | round-robin-switch-group | round-robin-global}

end

Where:

ipsec-outbound-hash is disabled by default. If you enable it you can set ipsec-ob-hash-function as follows:

switch-group-hash (the default) distribute outbound IPsec Security Association (SA) traffic to NP6 processors connected to the same switch as the interfaces that received the incoming traffic. This option, keeps all traffic on one switch and the NP6 processors connected to that switch, to improve performance.

global-hash distribute outbound IPsec SA traffic among all NP6 processors.

global-hash-weighted distribute outbound IPsec SA traffic from switch 1 among all NP6 processors with more sessions going to the NP6s connected to switch 0. This options is only recommended for the FortiGate-3980E because it is designed to weigh switch 0 higher to send more sessions to switch 0 which on the FortiGate-3980E has more NP6 processors connected to it. On the FortiGate-3960E both switches have the same number of NP6s so for best performance one switch shouldn't have a higher weight.

round-robin-switch-group round-robin distribution of outbound IPsec SA traffic among the NP6 processors connected to the same switch.

round-robin-global round-robin distribution of outbound IPsec SA traffic among all NP6 processors.

Improving LAG performance on some FortiGate models

Some FortiGate models support the following command that might improve link aggregation (LAG) performance by reducing the number of dropped packets that can occur with some LAG configurations.

config system np6

edit np6_0

set lag-npu {disable | enable}

end

If you notice NP6- accelerated LAG interface performance is lower than expected or if you notice excessive dropped packets for sessions over LAG interfaces, you could see if your FortiGate has this option and if available try enabling it and see if performance improves.

You should enable lag-npu for every NP6 processor that is connected to a LAG interface.

system np6

Configure a wide range of settings for your FortiGate's NP6 processors including enabling/disabling fastpath and low latency, enabling session accounting and adjusting session timeouts. As well you can set anomaly checking for IPv4 and IPv6 traffic. You can also configure different settings for each NP6 processor. The settings that you configure for an NP6 processor with the config system np6 command apply to traffic processed by all interfaces connected to that NP6 processor. This includes the physical interfaces connected to the NP6 processor as well as all subinterfaces, VLAN interfaces, IPsec interfaces, LAGs and so on associated with the physical interfaces connected to the NP6 processor.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.

Command Description

set fastpath {enable | disable}

Removed and added to config system npu. Enable or disable NP4 or NP6 offloading (also called fast path).

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set ipsec-outbound-hash {disable | enable}

set ipsec-ob-hash-function {switch-group-hash | global- hash | global-hash-weighted | round-robin-switch-group | round-robin-global}

New options to optimize IPsec VPN performance on FortiGate-3960E and 3980E platforms.

config system np6
    edit {name}
    # Configure NP6 attributes.
        set name {string}   Device Name. size[31]
        set fastpath {disable | enable}   Enable/disable NP4 or NP6 offloading (also called fast path).
        set low-latency-mode {disable | enable}   Enable/disable low latency mode.
        set per-session-accounting {disable | traffic-log-only | enable}   Enable/disable per-session accounting.
        set garbage-session-collector {disable | enable}   Enable/disable garbage session collector.
        set session-collector-interval {integer}   Set garbage session collection cleanup interval (1 - 100 sec, default 64). range[1-100]
        set session-timeout-interval {integer}   Set the fixed timeout for refreshing NP6 sessions (0 - 1000 sec, default 40 sec). range[0-1000]
        set session-timeout-random-range {integer}   Set the random timeout range for refreshing NP6 sessions (0 - 1000 sec, default 8 sec). range[0-1000]
        set session-timeout-fixed {disable | enable}   {disable | enable} Toggle between using fixed or random timeouts for refreshing NP6 sessions.
        set ipsec-outbound-hash {disable | enable}   Enable/disable hash function for IPsec outbound traffic.
        set ipsec-ob-hash-function {option}   Set hash function for IPSec outbound.
                switch-group-hash         Hash outbound SA traffic within NPs connected to same switch.
                global-hash               Hash outbound SA traffic among all NPs.
                global-hash-weighted      Hash outbound SA traffic among all NPs with more weights on NPs connected to switch 0. It's applicable to the case that ingress traffic is from switch 1.
                round-robin-switch-group  Round-robin outbound SA traffic within NPs connected to same switch.
                round-robin-global        Round-robin outbound SA traffic among all NPs.
        config hpe
            set tcpsyn-max {integer}   Maximum TCP SYN packet rate (10K - 4G pps, default = 5M pps). range[10000-4000000000]
            set tcp-max {integer}   Maximum TCP packet rate (10K - 4G pps, default = 5M pps). range[10000-4000000000]
            set udp-max {integer}   Maximum UDP packet rate (10K - 4G pps, default = 5M pps). range[10000-4000000000]
            set icmp-max {integer}   Maximum ICMP packet rate (10K - 4G pps, default = 1M pps). range[10000-4000000000]
            set sctp-max {integer}   Maximum SCTP packet rate (10K - 4G pps, default = 1M pps). range[10000-4000000000]
            set esp-max {integer}   Maximum ESP packet rate (10K - 4G pps, default = 1M pps). range[10000-4000000000]
            set ip-frag-max {integer}   Maximum fragmented IP packet rate (10K - 4G pps, default = 1M pps). range[10000-4000000000]
            set ip-others-max {integer}   Maximum IP packet rate for other packets (packet types that cannot be set with other options) (10G - 4G pps, default = 1M pps). range[10000-4000000000]
            set arp-max {integer}   Maximum ARP packet rate (10K - 4G pps, default = 1M pps). range[10000-4000000000]
            set l2-others-max {integer}   Maximum L2 packet rate for L2 packets that are not ARP packets (10K - 4G pps, default = 1M pps). range[10000-4000000000]
            set pri-type-max {integer}   Maximum overflow rate of priority type traffic(10K - 4G pps, default = 1M pps). Includes L2: HA, 802.3ad LACP, heartbeats. L3: OSPF. L4_TCP: BGP. L4_UDP: IKE, SLBC, BFD. range[10000-4000000000]
            set enable-shaper {disable | enable}   Enable/Disable NPU host protection engine (HPE) shaper.
        config fp-anomaly
            set tcp-syn-fin {allow | drop | trap-to-host}   TCP SYN flood SYN/FIN flag set anomalies. 
                    allow         Allow TCP packets with syn_fin flag set to pass.
                    drop          Drop TCP packets with syn_fin flag set.
                    trap-to-host  Forward TCP packets with syn_fin flag set to FortiOS.
            set tcp-fin-noack {allow | drop | trap-to-host}   TCP SYN flood with FIN flag set without ACK setting anomalies.
                    allow         Allow TCP packets with FIN flag set without ack setting to pass.
                    drop          Drop TCP packets with FIN flag set without ack setting.
                    trap-to-host  Forward TCP packets with FIN flag set without ack setting to FortiOS.
            set tcp-fin-only {allow | drop | trap-to-host}   TCP SYN flood with only FIN flag set anomalies.
                    allow         Allow TCP packets with FIN flag set only to pass.
                    drop          Drop TCP packets with FIN flag set only.
                    trap-to-host  Forward TCP packets with FIN flag set only to FortiOS.
            set tcp-no-flag {allow | drop | trap-to-host}   TCP SYN flood with no flag set anomalies.
                    allow         Allow TCP packets without flag set to pass.
                    drop          Drop TCP packets without flag set.
                    trap-to-host  Forward TCP packets without flag set to FortiOS.
            set tcp-syn-data {allow | drop | trap-to-host}   TCP SYN flood packets with data anomalies.
                    allow         Allow TCP syn packets with data to pass.
                    drop          Drop TCP syn packets with data.
                    trap-to-host  Forward TCP syn packets with data to FortiOS.
            set tcp-winnuke {allow | drop | trap-to-host}   TCP WinNuke anomalies.
                    allow         Allow TCP packets winnuke attack to pass.
                    drop          Drop TCP packets winnuke attack.
                    trap-to-host  Forward TCP packets winnuke attack to FortiOS.
            set tcp-land {allow | drop | trap-to-host}   TCP land anomalies.
                    allow         Allow TCP land attack to pass.
                    drop          Drop TCP land attack.
                    trap-to-host  Forward TCP land attack to FortiOS.
            set udp-land {allow | drop | trap-to-host}   UDP land anomalies.
                    allow         Allow UDP land attack to pass.
                    drop          Drop UDP land attack.
                    trap-to-host  Forward UDP land attack to FortiOS.
            set icmp-land {allow | drop | trap-to-host}   ICMP land anomalies.
                    allow         Allow ICMP land attack to pass.
                    drop          Drop ICMP land attack.
                    trap-to-host  Forward ICMP land attack to FortiOS.
            set icmp-frag {allow | drop | trap-to-host}   Layer 3 fragmented packets that could be part of layer 4 ICMP anomalies.
                    allow         Allow L3 fragment packet with L4 protocol as ICMP attack to pass.
                    drop          Drop L3 fragment packet with L4 protocol as ICMP attack.
                    trap-to-host  Forward L3 fragment packet with L4 protocol as ICMP attack to FortiOS.
            set ipv4-land {allow | drop | trap-to-host}   Land anomalies.
                    allow         Allow IPv4 land attack to pass.
                    drop          Drop IPv4 land attack.
                    trap-to-host  Forward IPv4 land attack to FortiOS.
            set ipv4-proto-err {allow | drop | trap-to-host}   Invalid layer 4 protocol anomalies.
                    allow         Allow IPv4 invalid L4 protocol to pass.
                    drop          Drop IPv4 invalid L4 protocol.
                    trap-to-host  Forward IPv4 invalid L4 protocol to FortiOS.
            set ipv4-unknopt {allow | drop | trap-to-host}   Unknown option anomalies.
                    allow         Allow IPv4 with unknown options to pass.
                    drop          Drop IPv4 with unknown options.
                    trap-to-host  Forward IPv4 with unknown options to FortiOS.
            set ipv4-optrr {allow | drop | trap-to-host}   Record route option anomalies.
                    allow         Allow IPv4 with record route option to pass.
                    drop          Drop IPv4 with record route option.
                    trap-to-host  Forward IPv4 with record route option to FortiOS.
            set ipv4-optssrr {allow | drop | trap-to-host}   Strict source record route option anomalies.
                    allow         Allow IPv4 with strict source record route option to pass.
                    drop          Drop IPv4 with strict source record route option.
                    trap-to-host  Forward IPv4 with strict source record route option to FortiOS.
            set ipv4-optlsrr {allow | drop | trap-to-host}   Loose source record route option anomalies.
                    allow         Allow IPv4 with loose source record route option to pass.
                    drop          Drop IPv4 with loose source record route option.
                    trap-to-host  Forward IPv4 with loose source record route option to FortiOS.
            set ipv4-optstream {allow | drop | trap-to-host}   Stream option anomalies.
                    allow         Allow IPv4 with stream option to pass.
                    drop          Drop IPv4 with stream option.
                    trap-to-host  Forward IPv4 with stream option to FortiOS.
            set ipv4-optsecurity {allow | drop | trap-to-host}   Security option anomalies.
                    allow         Allow IPv4 with security option to pass.
                    drop          Drop IPv4 with security option.
                    trap-to-host  Forward IPv4 with security option to FortiOS.
            set ipv4-opttimestamp {allow | drop | trap-to-host}   Timestamp option anomalies.
                    allow         Allow IPv4 with timestamp option to pass.
                    drop          Drop IPv4 with timestamp option.
                    trap-to-host  Forward IPv4 with timestamp option to FortiOS.
            set ipv4-csum-err {drop | trap-to-host}   Invalid IPv4 IP checksum anomalies.
                    drop          Drop IPv4 invalid IP checksum.
                    trap-to-host  Forward IPv4 invalid IP checksum to main CPU for processing.
            set tcp-csum-err {drop | trap-to-host}   Invalid IPv4 TCP checksum anomalies.
                    drop          Drop IPv4 invalid TCP checksum.
                    trap-to-host  Forward IPv4 invalid TCP checksum to main CPU for processing.
            set udp-csum-err {drop | trap-to-host}   Invalid IPv4 UDP checksum anomalies.
                    drop          Drop IPv4 invalid UDP checksum.
                    trap-to-host  Forward IPv4 invalid UDP checksum to main CPU for processing.
            set icmp-csum-err {drop | trap-to-host}   Invalid IPv4 ICMP checksum anomalies.
                    drop          Drop IPv4 invalid ICMP checksum.
                    trap-to-host  Forward IPv4 invalid ICMP checksum to main CPU for processing.
            set ipv6-land {allow | drop | trap-to-host}   Land anomalies.
                    allow         Allow IPv6 land attack to pass.
                    drop          Drop IPv6 land attack.
                    trap-to-host  Forward IPv6 land attack to FortiOS.
            set ipv6-proto-err {allow | drop | trap-to-host}   Layer 4 invalid protocol anomalies.
                    allow         Allow IPv6 L4 invalid protocol to pass.
                    drop          Drop IPv6 L4 invalid protocol.
                    trap-to-host  Forward IPv6 L4 invalid protocol to FortiOS.
            set ipv6-unknopt {allow | drop | trap-to-host}   Unknown option anomalies.
                    allow         Allow IPv6 with unknown options to pass.
                    drop          Drop IPv6 with unknown options.
                    trap-to-host  Forward IPv6 with unknown options to FortiOS.
            set ipv6-saddr-err {allow | drop | trap-to-host}   Source address as multicast anomalies.
                    allow         Allow IPv6 with source address as multicast to pass.
                    drop          Drop IPv6 with source address as multicast.
                    trap-to-host  Forward IPv6 with source address as multicast to FortiOS.
            set ipv6-daddr-err {allow | drop | trap-to-host}   Destination address as unspecified or loopback address anomalies.
                    allow         Allow IPv6 with destination address as unspecified or loopback address to pass.
                    drop          Drop IPv6 with destination address as unspecified or loopback address.
                    trap-to-host  Forward IPv6 with destination address as unspecified or loopback address to FortiOS.
            set ipv6-optralert {allow | drop | trap-to-host}   Router alert option anomalies.
                    allow         Allow IPv6 with router alert option to pass.
                    drop          Drop IPv6 with router alert option.
                    trap-to-host  Forward IPv6 with router alert option to FortiOS.
            set ipv6-optjumbo {allow | drop | trap-to-host}   Jumbo options anomalies.
                    allow         Allow IPv6 with jumbo option to pass.
                    drop          Drop IPv6 with jumbo option.
                    trap-to-host  Forward IPv6 with jumbo option to FortiOS.
            set ipv6-opttunnel {allow | drop | trap-to-host}   Tunnel encapsulation limit option anomalies.
                    allow         Allow IPv6 with tunnel encapsulation limit to pass.
                    drop          Drop IPv6 with tunnel encapsulation limit.
                    trap-to-host  Forward IPv6 with tunnel encapsulation limit to FortiOS.
            set ipv6-opthomeaddr {allow | drop | trap-to-host}   Home address option anomalies.
                    allow         Allow IPv6 with home address option to pass.
                    drop          Drop IPv6 with home address option.
                    trap-to-host  Forward IPv6 with home address option to FortiOS.
            set ipv6-optnsap {allow | drop | trap-to-host}   Network service access point address option anomalies.
                    allow         Allow IPv6 with network service access point address option to pass.
                    drop          Drop IPv6 with network service access point address option.
                    trap-to-host  Forward IPv6 with network service access point address option to FortiOS.
            set ipv6-optendpid {allow | drop | trap-to-host}   End point identification anomalies.
                    allow         Allow IPv6 with end point identification option to pass.
                    drop          Drop IPv6 with end point identification option.
                    trap-to-host  Forward IPv6 with end point identification option to FortiOS.
            set ipv6-optinvld {allow | drop | trap-to-host}   Invalid option anomalies.Invalid option anomalies.
                    allow         Allow IPv6 with invalid option to pass.
                    drop          Drop IPv6 with invalid option.
                    trap-to-host  Forward IPv6 with invalid option to FortiOS.
    next
end

Additional information

The following section is for those options that require additional explanation.

name {np6_0 | np6_1 |...}

Change the settings for one of the FortiGate unit's NP6 processors.

per-session-accounting {all-enable | disable | enable-by-log}

Per-session accounting is a logging feature that allows the FortiGate to report the correct bytes/pkt numbers per session for sessions offloaded to an NP6 processor. This information appears in traffic log messages as well as in FortiView. When offloaded sessions appear on the FortiView All Sessions console they include an icon identifying them as NP sessions. You can hover over the NP icon to see some information about the offloaded sessions. By default, per-session accounting is set to enable-by-log, which results in per-session accounting being turned on when you enable traffic logging in a policy. You can disable per-session accounting or select all-enable to enable per-session accounting for all sessions whether or traffic logging is enabled or not. Per-session accounting can affect NP6 offloading performance. So you should only enable per-session accounting if you need the accounting information. Enabling per-session accounting only supports traffic log messages and does not provide traffic flow data for sFlow or NetFlow.

garbage-session-collector {disable | enable}

Enable deleting expired or garbage sessions. Disabled by default.

session-collector-interval <interval>

Set the expired or garbage session collector time interval in seconds. The range is 1 to 100 seconds. The default is 64 seconds.

session-timeout-interval <interval>

Set the timeout for inactive sessions. The range is 0 to 1000 seconds. The default is 40 seconds.

session-timeout-random-range <range>

Set the random timeout for inactive sessions. The range is 0 to 1000 seconds. The default is 8 seconds.

session-timeout-fixed {disable | enable}

Enable to force checking for and removing inactive NP6 sessions at thesession-timeout-intervaltime interval. Set to disable (the default) to check for and remove inactive NP6 sessions at random time intervals. Disabled by default.

config fp-anomaly-v4

Configure how the NP6 processor does IPv4 traffic anomaly protection. You can configure the NP6 processor to allow or drop the packets associated with an attack or forward the packets that are associated with the attack to FortiOS (called trap-to-host). Selecting trap-to-host turns off NP6 anomaly protection for that anomaly. If you require anomaly protection you can enable it with a DoS policy but the anomaly protection is done by the CPU instead of the NP6.

tcp-syn-fin {allow | drop | trap-to-host}

Detect TCP SYN flood SYN/FIN flag set anomalies. Default is allow.

tcp-fin-noack {allow | drop | trap-to-host}

Detect TCP SYN flood with FIN flag set without ACK setting anomalies. Default is trap-to-host.

tcp-fin-only {allow | drop | trap-to-host}

Detect TCP SYN flood with only FIN flag set anomalies. Default is trap-to-host.

tcp-no-flag {allow | drop | trap-to-host}

Detect TCP SYN flood with no flag set anomalies. Default is allow.

tcp-syn-data {allow | drop | trap-to-host}

Detect TCP SYN flood packets with data anomalies. Default is allow.

tcp-winnuke {allow | drop | trap-to-host}

Detect TCP WinNuke anomalies. Default is trap-to-host.

tcp-land {allow | drop | trap-to-host}

Detect TCP land anomalies. Default is trap-to-host.

udp-land {allow | drop | trap-to-host}

Detect UDP land anomalies. Default is trap-to-host.

icmp-land {allow | drop | trap-to-host}

Detect ICMP land anomalies. Default is trap-to-host.

icmp-frag {allow | drop | trap-to-host}

Detect Layer 3 fragmented packets that could be part of layer 4 ICMP anomalies. Default is allow.

ipv4-land {allow | drop | trap-to-host}

Detect IPv4 land anomalies. Default is trap-to-host.

ipv4-proto-err {allow | drop | trap-to-host}

Detect IPv4 invalid layer 4 protocol anomalies. Default is trap-to-host. For information about the error codes that are produced by setting this option to drop, see NP6 anomaly error codes.

ipv4-unknopt {allow | drop | trap-to-host}

Detect IPv4 unknown option anomalies. Default is trap-to-host.

ipv4-optrr {allow | drop | trap-to-host}

Detect IPv4 record route option anomalies. Default is trap-to-host.

ipv4-optssrr {allow | drop | trap-to-host}

Detect IPv4 strict source record route option anomalies. Default is trap-to-host.

ipv4-optlsrr {allow | drop | trap-to-host}

Detect IPv4 loose source record route option anomalies. Default is trap-to-host.

ipv4-optstream {allow | drop | trap-to-host}

Detect IPv4 stream option anomalies.. Default is trap-to-host.

ipv4-optsecurity {allow | drop | trap-to-host}

Detect IPv4 security option anomalies. Default is trap-to-host.

ipv4-opttimestamp {allow | drop | trap-to-host}

Detect IPv4 timestamp option anomalies. Default is trap-to-host.

config fp-anomaly-v6

Configure how the NP6 processor does IPv6 traffic anomaly protection. You can configure the NP6 processor to allow or drop the packets associated with an attack or forward the packets that are associated with the attack to FortiOS (called “trapto- host”). Selecting “trap-to-host” turns off NP6 anomaly protection for that anomaly. If you require anomaly protection you can enable it with a DoS policy.

ipv6-land {allow | drop | trap-to-host}

Detect IPv6 land anomalies. Default is trap-to-host.

ipv6-proto-err {allow | drop | trap-to-host}

Detect layer 4 invalid protocol anomalies. Default is trap-to-host.

ipv6-unknopt {allow | drop | trap-to-host}

Detect IPv6 unknown option anomalies. Default is trap-to-host.

ipv6-saddr-err {allow | drop | trap-to-host}

Detect source address as multicast anomalies. Default is trap-to-host.

ipv6-daddr-err {allow | drop | trap-to-host}

Detect IPv6 destination address as unspecified or loopback address anomalies. Default is trap-to-host.

ipv6-optralert {allow | drop | trap-to-host}

Detect IPv6 router alert option anomalies. Default is trap-to-host.

ipv6-optjumbo {allow | drop | trap-to-host}

Detect IPv6 jumbo options anomalies. Default is trap-to-host.

ipv6-opttunnel {allow | drop | trap-to-host}

Detect IPv6 tunnel encapsulation limit option anomalies. Default is trap-to-host.

ipv6-opthomeaddr {allow | drop | trap-to-host}

Detect IPv6 home address option anomalies. Default is trap-to-host.

ipv6-optnsap {allow | drop | trap-to-host}

Detect IPv6 network service access point address option anomalies. Default is trap-to-host.

ipv6-optendpid {allow | drop | trap-to-host}

Detect IPv6 end point identification anomalies. Default is trap-to-host.

ipv6-optinvld {allow | drop | trap-to-host}

Detect IPv6 invalid option anomalies. Default is trap-to-host.

Optimizing FortiGate-3960E and 3980E IPsec VPN performance

You can use the following command to configure outbound hashing to improve IPsec performance for the FortiGate-3960E and 3980E. If you change these settings, to make sure they take affect, you should reboot your device.

config system np6

edit np6_0

set ipsec-outbound-hash {disable | enable}

set ipsec-ob-hash-function {switch-group-hash | global- hash | global-hash-weighted | round-robin-switch-group | round-robin-global}

end

Where:

ipsec-outbound-hash is disabled by default. If you enable it you can set ipsec-ob-hash-function as follows:

switch-group-hash (the default) distribute outbound IPsec Security Association (SA) traffic to NP6 processors connected to the same switch as the interfaces that received the incoming traffic. This option, keeps all traffic on one switch and the NP6 processors connected to that switch, to improve performance.

global-hash distribute outbound IPsec SA traffic among all NP6 processors.

global-hash-weighted distribute outbound IPsec SA traffic from switch 1 among all NP6 processors with more sessions going to the NP6s connected to switch 0. This options is only recommended for the FortiGate-3980E because it is designed to weigh switch 0 higher to send more sessions to switch 0 which on the FortiGate-3980E has more NP6 processors connected to it. On the FortiGate-3960E both switches have the same number of NP6s so for best performance one switch shouldn't have a higher weight.

round-robin-switch-group round-robin distribution of outbound IPsec SA traffic among the NP6 processors connected to the same switch.

round-robin-global round-robin distribution of outbound IPsec SA traffic among all NP6 processors.

Improving LAG performance on some FortiGate models

Some FortiGate models support the following command that might improve link aggregation (LAG) performance by reducing the number of dropped packets that can occur with some LAG configurations.

config system np6

edit np6_0

set lag-npu {disable | enable}

end

If you notice NP6- accelerated LAG interface performance is lower than expected or if you notice excessive dropped packets for sessions over LAG interfaces, you could see if your FortiGate has this option and if available try enabling it and see if performance improves.

You should enable lag-npu for every NP6 processor that is connected to a LAG interface.