Configure NP6 attributes.

  config system np6
      Description: Configure NP6 attributes.
      edit <name>
          set fastpath [disable|enable]
          set low-latency-mode [disable|enable]
          set per-session-accounting [disable|traffic-log-only|...]
          set garbage-session-collector [disable|enable]
          set session-collector-interval {integer}
          set session-timeout-interval {integer}
          set session-timeout-random-range {integer}
          set session-timeout-fixed [disable|enable]
          config hpe
              Description: HPE configuration.
              set tcpsyn-max {integer}
              set tcp-max {integer}
              set udp-max {integer}
              set icmp-max {integer}
              set sctp-max {integer}
              set esp-max {integer}
              set ip-frag-max {integer}
              set ip-others-max {integer}
              set arp-max {integer}
              set l2-others-max {integer}
              set pri-type-max {integer}
              set enable-shaper [disable|enable]
          end
          config fp-anomaly
              Description: NP6 IPv4 anomaly protection. trap-to-host forwards anomaly sessions to the CPU.
              set tcp-syn-fin [allow|drop|...]
              set tcp-fin-noack [allow|drop|...]
              set tcp-fin-only [allow|drop|...]
              set tcp-no-flag [allow|drop|...]
              set tcp-syn-data [allow|drop|...]
              set tcp-winnuke [allow|drop|...]
              set tcp-land [allow|drop|...]
              set udp-land [allow|drop|...]
              set icmp-land [allow|drop|...]
              set icmp-frag [allow|drop|...]
              set ipv4-land [allow|drop|...]
              set ipv4-proto-err [allow|drop|...]
              set ipv4-unknopt [allow|drop|...]
              set ipv4-optrr [allow|drop|...]
              set ipv4-optssrr [allow|drop|...]
              set ipv4-optlsrr [allow|drop|...]
              set ipv4-optstream [allow|drop|...]
              set ipv4-optsecurity [allow|drop|...]
              set ipv4-opttimestamp [allow|drop|...]
              set ipv4-csum-err [drop|trap-to-host]
              set tcp-csum-err [drop|trap-to-host]
              set udp-csum-err [drop|trap-to-host]
              set icmp-csum-err [drop|trap-to-host]
              set ipv6-land [allow|drop|...]
              set ipv6-proto-err [allow|drop|...]
              set ipv6-unknopt [allow|drop|...]
              set ipv6-saddr-err [allow|drop|...]
              set ipv6-daddr-err [allow|drop|...]
              set ipv6-optralert [allow|drop|...]
              set ipv6-optjumbo [allow|drop|...]
              set ipv6-opttunnel [allow|drop|...]
              set ipv6-opthomeaddr [allow|drop|...]
              set ipv6-optnsap [allow|drop|...]
              set ipv6-optendpid [allow|drop|...]
              set ipv6-optinvld [allow|drop|...]
          end
      next
  end

config system np6

Parameter Name Description Type Size
fastpath Enable/disable NP4 or NP6 offloading (also called fast path).
disable: Disable NP4 or NP6 offloading (fast path).
enable: Enable NP4 or NP6 offloading (fast path).
option -
low-latency-mode Enable/disable low latency mode.
disable: Disable low latency mode.
enable: Enable low latency mode.
option -
per-session-accounting Enable/disable per-session accounting.
disable: Disable per-session accounting.
traffic-log-only: Per-session accounting only for sessions with traffic logging enabled in firewall policy.
enable: Per-session accounting for all sessions.
option -
garbage-session-collector Enable/disable garbage session collector.
disable: Disable garbage session collector.
enable: Enable garbage session collector.
option -
session-collector-interval Set garbage session collection cleanup interval (1 - 100 sec, default 64). integer Minimum value: 1 Maximum value: 100
session-timeout-interval Set the fixed timeout for refreshing NP6 sessions (0 - 1000 sec, default 40 sec). integer Minimum value: 0 Maximum value: 1000
session-timeout-random-range Set the random timeout range for refreshing NP6 sessions (0 - 1000 sec, default 8 sec). integer Minimum value: 0 Maximum value: 1000
session-timeout-fixed Toggle between using fixed or random timeouts for refreshing NP6 sessions.
disable: Disable Refresh NP6 sessions at the configured fixed interval.
enable: Enable Refresh NP6 sessions randomly where the time between refreshes is within the random range.
option -

config hpe

Parameter Name Description Type Size
tcpsyn-max Maximum TCP SYN packet rate (10K - 4G pps, default = 5M pps). integer Minimum value: 10000 Maximum value: 4000000000
tcp-max Maximum TCP packet rate (10K - 4G pps, default = 5M pps). integer Minimum value: 10000 Maximum value: 4000000000
udp-max Maximum UDP packet rate (10K - 4G pps, default = 5M pps). integer Minimum value: 10000 Maximum value: 4000000000
icmp-max Maximum ICMP packet rate (10K - 4G pps, default = 1M pps). integer Minimum value: 10000 Maximum value: 4000000000
sctp-max Maximum SCTP packet rate (10K - 4G pps, default = 1M pps). integer Minimum value: 10000 Maximum value: 4000000000
esp-max Maximum ESP packet rate (10K - 4G pps, default = 1M pps). integer Minimum value: 10000 Maximum value: 4000000000
ip-frag-max Maximum fragmented IP packet rate (10K - 4G pps, default = 1M pps). integer Minimum value: 10000 Maximum value: 4000000000
ip-others-max Maximum IP packet rate for other packets (packet types that cannot be set with other options) (10K - 4G pps, default = 1M pps). integer Minimum value: 10000 Maximum value: 4000000000
arp-max Maximum ARP packet rate (10K - 4G pps, default = 1M pps). integer Minimum value: 10000 Maximum value: 4000000000
l2-others-max Maximum L2 packet rate for L2 packets that are not ARP packets (10K - 4G pps, default = 1M pps). integer Minimum value: 10000 Maximum value: 4000000000
pri-type-max Maximum overflow rate of priority type traffic (10K - 4G pps, default = 1M pps). Includes L2: HA, 802.3ad LACP, heartbeats. L3: OSPF. L4_TCP: BGP. L4_UDP: IKE, SLBC, BFD. integer Minimum value: 10000 Maximum value: 4000000000
enable-shaper Enable/Disable NPU host protection engine (HPE) shaper.
disable: Disable NPU HPE shaping based on packet type.
enable: Enable NPU HPE shaping based on packet type.
option -

config fp-anomaly

Parameter Name Description Type Size
tcp-syn-fin TCP SYN flood SYN/FIN flag set anomalies.
allow: Allow TCP packets with syn_fin flag set to pass.
drop: Drop TCP packets with syn_fin flag set.
trap-to-host: Forward TCP packets with syn_fin flag set to FortiOS.
option -
tcp-fin-noack TCP SYN flood with FIN flag set without ACK setting anomalies.
allow: Allow TCP packets with FIN flag set without ack setting to pass.
drop: Drop TCP packets with FIN flag set without ack setting.
trap-to-host: Forward TCP packets with FIN flag set without ack setting to FortiOS.
option -
tcp-fin-only TCP SYN flood with only FIN flag set anomalies.
allow: Allow TCP packets with FIN flag set only to pass.
drop: Drop TCP packets with FIN flag set only.
trap-to-host: Forward TCP packets with FIN flag set only to FortiOS.
option -
tcp-no-flag TCP SYN flood with no flag set anomalies.
allow: Allow TCP packets without flag set to pass.
drop: Drop TCP packets without flag set.
trap-to-host: Forward TCP packets without flag set to FortiOS.
option -
tcp-syn-data TCP SYN flood packets with data anomalies.
allow: Allow TCP syn packets with data to pass.
drop: Drop TCP syn packets with data.
trap-to-host: Forward TCP syn packets with data to FortiOS.
option -
tcp-winnuke TCP WinNuke anomalies.
allow: Allow TCP packets winnuke attack to pass.
drop: Drop TCP packets winnuke attack.
trap-to-host: Forward TCP packets winnuke attack to FortiOS.
option -
tcp-land TCP land anomalies.
allow: Allow TCP land attack to pass.
drop: Drop TCP land attack.
trap-to-host: Forward TCP land attack to FortiOS.
option -
udp-land UDP land anomalies.
allow: Allow UDP land attack to pass.
drop: Drop UDP land attack.
trap-to-host: Forward UDP land attack to FortiOS.
option -
icmp-land ICMP land anomalies.
allow: Allow ICMP land attack to pass.
drop: Drop ICMP land attack.
trap-to-host: Forward ICMP land attack to FortiOS.
option -
icmp-frag Layer 3 fragmented packets that could be part of layer 4 ICMP anomalies.
allow: Allow L3 fragment packet with L4 protocol as ICMP attack to pass.
drop: Drop L3 fragment packet with L4 protocol as ICMP attack.
trap-to-host: Forward L3 fragment packet with L4 protocol as ICMP attack to FortiOS.
option -
ipv4-land Land anomalies.
allow: Allow IPv4 land attack to pass.
drop: Drop IPv4 land attack.
trap-to-host: Forward IPv4 land attack to FortiOS.
option -
ipv4-proto-err Invalid layer 4 protocol anomalies.
allow: Allow IPv4 invalid L4 protocol to pass.
drop: Drop IPv4 invalid L4 protocol.
trap-to-host: Forward IPv4 invalid L4 protocol to FortiOS.
option -
ipv4-unknopt Unknown option anomalies.
allow: Allow IPv4 with unknown options to pass.
drop: Drop IPv4 with unknown options.
trap-to-host: Forward IPv4 with unknown options to FortiOS.
option -
ipv4-optrr Record route option anomalies.
allow: Allow IPv4 with record route option to pass.
drop: Drop IPv4 with record route option.
trap-to-host: Forward IPv4 with record route option to FortiOS.
option -
ipv4-optssrr Strict source record route option anomalies.
allow: Allow IPv4 with strict source record route option to pass.
drop: Drop IPv4 with strict source record route option.
trap-to-host: Forward IPv4 with strict source record route option to FortiOS.
option -
ipv4-optlsrr Loose source record route option anomalies.
allow: Allow IPv4 with loose source record route option to pass.
drop: Drop IPv4 with loose source record route option.
trap-to-host: Forward IPv4 with loose source record route option to FortiOS.
option -
ipv4-optstream Stream option anomalies.
allow: Allow IPv4 with stream option to pass.
drop: Drop IPv4 with stream option.
trap-to-host: Forward IPv4 with stream option to FortiOS.
option -
ipv4-optsecurity Security option anomalies.
allow: Allow IPv4 with security option to pass.
drop: Drop IPv4 with security option.
trap-to-host: Forward IPv4 with security option to FortiOS.
option -
ipv4-opttimestamp Timestamp option anomalies.
allow: Allow IPv4 with timestamp option to pass.
drop: Drop IPv4 with timestamp option.
trap-to-host: Forward IPv4 with timestamp option to FortiOS.
option -
ipv4-csum-err Invalid IPv4 IP checksum anomalies.
drop: Drop IPv4 invalid IP checksum.
trap-to-host: Forward IPv4 invalid IP checksum to main CPU for processing.
option -
tcp-csum-err Invalid IPv4 TCP checksum anomalies.
drop: Drop IPv4 invalid TCP checksum.
trap-to-host: Forward IPv4 invalid TCP checksum to main CPU for processing.
option -
udp-csum-err Invalid IPv4 UDP checksum anomalies.
drop: Drop IPv4 invalid UDP checksum.
trap-to-host: Forward IPv4 invalid UDP checksum to main CPU for processing.
option -
icmp-csum-err Invalid IPv4 ICMP checksum anomalies.
drop: Drop IPv4 invalid ICMP checksum.
trap-to-host: Forward IPv4 invalid ICMP checksum to main CPU for processing.
option -
ipv6-land Land anomalies.
allow: Allow IPv6 land attack to pass.
drop: Drop IPv6 land attack.
trap-to-host: Forward IPv6 land attack to FortiOS.
option -
ipv6-proto-err Layer 4 invalid protocol anomalies.
allow: Allow IPv6 L4 invalid protocol to pass.
drop: Drop IPv6 L4 invalid protocol.
trap-to-host: Forward IPv6 L4 invalid protocol to FortiOS.
option -
ipv6-unknopt Unknown option anomalies.
allow: Allow IPv6 with unknown options to pass.
drop: Drop IPv6 with unknown options.
trap-to-host: Forward IPv6 with unknown options to FortiOS.
option -
ipv6-saddr-err Source address as multicast anomalies.
allow: Allow IPv6 with source address as multicast to pass.
drop: Drop IPv6 with source address as multicast.
trap-to-host: Forward IPv6 with source address as multicast to FortiOS.
option -
ipv6-daddr-err Destination address as unspecified or loopback address anomalies.
allow: Allow IPv6 with destination address as unspecified or loopback address to pass.
drop: Drop IPv6 with destination address as unspecified or loopback address.
trap-to-host: Forward IPv6 with destination address as unspecified or loopback address to FortiOS.
option -
ipv6-optralert Router alert option anomalies.
allow: Allow IPv6 with router alert option to pass.
drop: Drop IPv6 with router alert option.
trap-to-host: Forward IPv6 with router alert option to FortiOS.
option -
ipv6-optjumbo Jumbo options anomalies.
allow: Allow IPv6 with jumbo option to pass.
drop: Drop IPv6 with jumbo option.
trap-to-host: Forward IPv6 with jumbo option to FortiOS.
option -
ipv6-opttunnel Tunnel encapsulation limit option anomalies.
allow: Allow IPv6 with tunnel encapsulation limit to pass.
drop: Drop IPv6 with tunnel encapsulation limit.
trap-to-host: Forward IPv6 with tunnel encapsulation limit to FortiOS.
option -
ipv6-opthomeaddr Home address option anomalies.
allow: Allow IPv6 with home address option to pass.
drop: Drop IPv6 with home address option.
trap-to-host: Forward IPv6 with home address option to FortiOS.
option -
ipv6-optnsap Network service access point address option anomalies.
allow: Allow IPv6 with network service access point address option to pass.
drop: Drop IPv6 with network service access point address option.
trap-to-host: Forward IPv6 with network service access point address option to FortiOS.
option -
ipv6-optendpid End point identification anomalies.
allow: Allow IPv6 with end point identification option to pass.
drop: Drop IPv6 with end point identification option.
trap-to-host: Forward IPv6 with end point identification option to FortiOS.
option -
ipv6-optinvld Invalid option anomalies.
allow: Allow IPv6 with invalid option to pass.
drop: Drop IPv6 with invalid option.
trap-to-host: Forward IPv6 with invalid option to FortiOS.
option -
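
The following is an added example, not Fortinet code: a small offline auditor that parses a `config system np6` block and checks it against the ranges and option lists in the tables above. The function names, the sample configuration and the choice to report `allow` and a disabled shaper as review items are assumptions of this example.

```python
# Ranges and option sets are the ones stated in the parameter tables on this page.
INT_RANGES = {"session-collector-interval": (1, 100), "session-timeout-interval": (0, 1000),
              "session-timeout-random-range": (0, 1000)}
HPE_RATE_KEYS = set("tcpsyn-max tcp-max udp-max icmp-max sctp-max esp-max ip-frag-max "
                    "ip-others-max arp-max l2-others-max pri-type-max".split())
HPE_RANGE = (10000, 4000000000)
CSUM_KEYS = {"ipv4-csum-err", "tcp-csum-err", "udp-csum-err", "icmp-csum-err"}

# Constructed sample input (not from a real device); "np6_0" is a made-up entry name.
SAMPLE = """\
config system np6
    edit "np6_0"
        set fastpath enable
        set session-collector-interval 200
        config hpe
            set tcpsyn-max 5000
            set udp-max 5000000
            set enable-shaper disable
        end
        config fp-anomaly
            set tcp-syn-fin drop
            set tcp-land allow
            set ipv4-csum-err allow
            set ipv6-optinvld trap-to-host
        end
    next
end
"""

def parse_np6(text):
    """Parse a `config system np6` block into {entry: {section: {key: value}}}."""
    units, unit, section, depth = {}, None, "", 0
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "config":
            depth += 1
            if depth == 2:  # nested table (hpe, fp-anomaly) inside an edit entry
                section = " ".join(tok[1:])
        elif tok[0] == "end":
            if depth == 2:
                section = ""
            depth -= 1
        elif tok[0] == "edit" and len(tok) > 1:
            unit = tok[1].strip('"')
            units[unit] = {"": {}, "hpe": {}, "fp-anomaly": {}}
        elif tok[0] == "next":
            unit = None
        elif tok[0] == "set" and unit is not None and len(tok) >= 3:
            units[unit].setdefault(section, {})[tok[1]] = " ".join(tok[2:])
    return units

def audit(units):
    """Return sorted (entry, section, key, message) findings."""
    out = []
    def check_int(u, sec, key, val, lo, hi):
        if not val.isdigit() or not lo <= int(val) <= hi:
            out.append((u, sec, key, f"{val} is outside {lo}-{hi}"))
    for u, secs in units.items():
        for key, val in secs[""].items():
            if key in INT_RANGES:
                check_int(u, "", key, val, *INT_RANGES[key])
        for key, val in secs["hpe"].items():
            if key in HPE_RATE_KEYS:
                check_int(u, "hpe", key, val, *HPE_RANGE)
            elif key == "enable-shaper" and val == "disable":
                out.append((u, "hpe", key, "HPE shaping by packet type is disabled"))
        for key, val in secs["fp-anomaly"].items():
            # Checksum-error settings list only drop and trap-to-host.
            valid = {"drop", "trap-to-host"} | (set() if key in CSUM_KEYS else {"allow"})
            if val not in valid:
                out.append((u, "fp-anomaly", key, f"'{val}' is not a listed option"))
            elif val == "allow":
                out.append((u, "fp-anomaly", key, "anomalous packets pass; review"))
    return sorted(out)

if __name__ == "__main__":
    for finding in audit(parse_np6(SAMPLE)):
        print(finding)
```

Run it against a saved configuration backup by passing the file's text to `parse_np6` in place of `SAMPLE`.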
