Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

config system np6

Configure NP6 attributes.

config system np6

Description: Configure NP6 attributes.

edit <name>

set fastpath [disable|enable]

set low-latency-mode [disable|enable]

set per-session-accounting [disable|traffic-log-only|...]

set garbage-session-collector [disable|enable]

set session-collector-interval {integer}

set session-timeout-interval {integer}

set session-timeout-random-range {integer}

set session-timeout-fixed [disable|enable]

config hpe

Description: HPE configuration.

set tcpsyn-max {integer}

set tcp-max {integer}

set udp-max {integer}

set icmp-max {integer}

set sctp-max {integer}

set esp-max {integer}

set ip-frag-max {integer}

set ip-others-max {integer}

set arp-max {integer}

set l2-others-max {integer}

set pri-type-max {integer}

set enable-shaper [disable|enable]

end

config fp-anomaly

Description: NP6 IPv4 anomaly protection. trap-to-host forwards anomaly sessions to the CPU.

set tcp-syn-fin [allow|drop|...]

set tcp-fin-noack [allow|drop|...]

set tcp-fin-only [allow|drop|...]

set tcp-no-flag [allow|drop|...]

set tcp-syn-data [allow|drop|...]

set tcp-winnuke [allow|drop|...]

set tcp-land [allow|drop|...]

set udp-land [allow|drop|...]

set icmp-land [allow|drop|...]

set icmp-frag [allow|drop|...]

set ipv4-land [allow|drop|...]

set ipv4-proto-err [allow|drop|...]

set ipv4-unknopt [allow|drop|...]

set ipv4-optrr [allow|drop|...]

set ipv4-optssrr [allow|drop|...]

set ipv4-optlsrr [allow|drop|...]

set ipv4-optstream [allow|drop|...]

set ipv4-optsecurity [allow|drop|...]

set ipv4-opttimestamp [allow|drop|...]

set ipv4-csum-err [drop|trap-to-host]

set tcp-csum-err [drop|trap-to-host]

set udp-csum-err [drop|trap-to-host]

set icmp-csum-err [drop|trap-to-host]

set ipv6-land [allow|drop|...]

set ipv6-proto-err [allow|drop|...]

set ipv6-unknopt [allow|drop|...]

set ipv6-saddr-err [allow|drop|...]

set ipv6-daddr-err [allow|drop|...]

set ipv6-optralert [allow|drop|...]

set ipv6-optjumbo [allow|drop|...]

set ipv6-opttunnel [allow|drop|...]

set ipv6-opthomeaddr [allow|drop|...]

set ipv6-optnsap [allow|drop|...]

set ipv6-optendpid [allow|drop|...]

set ipv6-optinvld [allow|drop|...]

end

next

end

config system np6

Parameter name

Description

Type

Size

fastpath

Enable/disable NP4 or NP6 offloading (also called fast path).

option

-

 

Option

Description

disable

Disable NP4 or NP6 offloading (fast path).

enable

Enable NP4 or NP6 offloading (fast path).

low-latency-mode

Enable/disable low latency mode.

option

-

 

Option

Description

disable

Disable low latency mode.

enable

Enable low latency mode.

per-session-accounting

Enable/disable per-session accounting.

option

-

 

Option

Description

disable

Disable per-session accounting.

traffic-log-only

Per-session accounting only for sessions with traffic logging enabled in firewall policy.

enable

Per-session accounting for all sessions.

garbage-session-collector

Enable/disable garbage session collector.

option

-

 

Option

Description

disable

Disable garbage session collector.

enable

Enable garbage session collector.

session-collector-interval

Set garbage session collection cleanup interval (1 - 100 sec, default 64).

integer

Minimum value: 1 Maximum value: 100

session-timeout-interval

Set the fixed timeout for refreshing NP6 sessions (0 - 1000 sec, default 40 sec).

integer

Minimum value: 0 Maximum value: 1000

session-timeout-random-range

Set the random timeout range for refreshing NP6 sessions (0 - 1000 sec, default 8 sec).

integer

Minimum value: 0 Maximum value: 1000

session-timeout-fixed

{disable | enable} Toggle between using fixed or random timeouts for refreshing NP6 sessions.

option

-

 

Option

Description

disable

Disable Refresh NP6 sessions at the configured fixed interval.

enable

Enable Refresh NP6 sessions randomly where the time between refreshes is within the random range.

config hpe

Parameter name

Description

Type

Size

tcpsyn-max

Maximum TCP SYN packet rate (10K - 4G pps, default = 5M pps).

integer

Minimum value: 10000 Maximum value: 4000000000

tcp-max

Maximum TCP packet rate (10K - 4G pps, default = 5M pps).

integer

Minimum value: 10000 Maximum value: 4000000000

udp-max

Maximum UDP packet rate (10K - 4G pps, default = 5M pps).

integer

Minimum value: 10000 Maximum value: 4000000000

icmp-max

Maximum ICMP packet rate (10K - 4G pps, default = 1M pps).

integer

Minimum value: 10000 Maximum value: 4000000000

sctp-max

Maximum SCTP packet rate (10K - 4G pps, default = 1M pps).

integer

Minimum value: 10000 Maximum value: 4000000000

esp-max

Maximum ESP packet rate (10K - 4G pps, default = 1M pps).

integer

Minimum value: 10000 Maximum value: 4000000000

ip-frag-max

Maximum fragmented IP packet rate (10K - 4G pps, default = 1M pps).

integer

Minimum value: 10000 Maximum value: 4000000000

ip-others-max

Maximum IP packet rate for other packets (packet types that cannot be set with other options) (10G - 4G pps, default = 1M pps).

integer

Minimum value: 10000 Maximum value: 4000000000

arp-max

Maximum ARP packet rate (10K - 4G pps, default = 1M pps).

integer

Minimum value: 10000 Maximum value: 4000000000

l2-others-max

Maximum L2 packet rate for L2 packets that are not ARP packets (10K - 4G pps, default = 1M pps).

integer

Minimum value: 10000 Maximum value: 4000000000

pri-type-max

Maximum overflow rate of priority type traffic(10K - 4G pps, default = 1M pps). Includes L2: HA, 802.3ad LACP, heartbeats. L3: OSPF. L4_TCP: BGP. L4_UDP: IKE, SLBC, BFD.

integer

Minimum value: 10000 Maximum value: 4000000000

enable-shaper

Enable/Disable NPU host protection engine (HPE) shaper.

option

-

 

Option

Description

disable

Disable NPU HPE shaping based on packet type.

enable

Enable NPU HPE shaping based on packet type.

config fp-anomaly

Parameter name

Description

Type

Size

tcp-syn-fin

TCP SYN flood SYN/FIN flag set anomalies.

option

-

 

Option

Description

allow

Allow TCP packets with syn_fin flag set to pass.

drop

Drop TCP packets with syn_fin flag set.

trap-to-host

Forward TCP packets with syn_fin flag set to FortiOS.

tcp-fin-noack

TCP SYN flood with FIN flag set without ACK setting anomalies.

option

-

 

Option

Description

allow

Allow TCP packets with FIN flag set without ack setting to pass.

drop

Drop TCP packets with FIN flag set without ack setting.

trap-to-host

Forward TCP packets with FIN flag set without ack setting to FortiOS.

tcp-fin-only

TCP SYN flood with only FIN flag set anomalies.

option

-

 

Option

Description

allow

Allow TCP packets with FIN flag set only to pass.

drop

Drop TCP packets with FIN flag set only.

trap-to-host

Forward TCP packets with FIN flag set only to FortiOS.

tcp-no-flag

TCP SYN flood with no flag set anomalies.

option

-

 

Option

Description

allow

Allow TCP packets without flag set to pass.

drop

Drop TCP packets without flag set.

trap-to-host

Forward TCP packets without flag set to FortiOS.

tcp-syn-data

TCP SYN flood packets with data anomalies.

option

-

 

Option

Description

allow

Allow TCP syn packets with data to pass.

drop

Drop TCP syn packets with data.

trap-to-host

Forward TCP syn packets with data to FortiOS.

tcp-winnuke

TCP WinNuke anomalies.

option

-

 

Option

Description

allow

Allow TCP packets winnuke attack to pass.

drop

Drop TCP packets winnuke attack.

trap-to-host

Forward TCP packets winnuke attack to FortiOS.

tcp-land

TCP land anomalies.

option

-

 

Option

Description

allow

Allow TCP land attack to pass.

drop

Drop TCP land attack.

trap-to-host

Forward TCP land attack to FortiOS.

udp-land

UDP land anomalies.

option

-

 

Option

Description

allow

Allow UDP land attack to pass.

drop

Drop UDP land attack.

trap-to-host

Forward UDP land attack to FortiOS.

icmp-land

ICMP land anomalies.

option

-

 

Option

Description

allow

Allow ICMP land attack to pass.

drop

Drop ICMP land attack.

trap-to-host

Forward ICMP land attack to FortiOS.

icmp-frag

Layer 3 fragmented packets that could be part of layer 4 ICMP anomalies.

option

-

 

Option

Description

allow

Allow L3 fragment packet with L4 protocol as ICMP attack to pass.

drop

Drop L3 fragment packet with L4 protocol as ICMP attack.

trap-to-host

Forward L3 fragment packet with L4 protocol as ICMP attack to FortiOS.

ipv4-land

Land anomalies.

option

-

 

Option

Description

allow

Allow IPv4 land attack to pass.

drop

Drop IPv4 land attack.

trap-to-host

Forward IPv4 land attack to FortiOS.

ipv4-proto-err

Invalid layer 4 protocol anomalies.

option

-

 

Option

Description

allow

Allow IPv4 invalid L4 protocol to pass.

drop

Drop IPv4 invalid L4 protocol.

trap-to-host

Forward IPv4 invalid L4 protocol to FortiOS.

ipv4-unknopt

Unknown option anomalies.

option

-

 

Option

Description

allow

Allow IPv4 with unknown options to pass.

drop

Drop IPv4 with unknown options.

trap-to-host

Forward IPv4 with unknown options to FortiOS.

ipv4-optrr

Record route option anomalies.

option

-

 

Option

Description

allow

Allow IPv4 with record route option to pass.

drop

Drop IPv4 with record route option.

trap-to-host

Forward IPv4 with record route option to FortiOS.

ipv4-optssrr

Strict source record route option anomalies.

option

-

 

Option

Description

allow

Allow IPv4 with strict source record route option to pass.

drop

Drop IPv4 with strict source record route option.

trap-to-host

Forward IPv4 with strict source record route option to FortiOS.

ipv4-optlsrr

Loose source record route option anomalies.

option

-

 

Option

Description

allow

Allow IPv4 with loose source record route option to pass.

drop

Drop IPv4 with loose source record route option.

trap-to-host

Forward IPv4 with loose source record route option to FortiOS.

ipv4-optstream

Stream option anomalies.

option

-

 

Option

Description

allow

Allow IPv4 with stream option to pass.

drop

Drop IPv4 with stream option.

trap-to-host

Forward IPv4 with stream option to FortiOS.

ipv4-optsecurity

Security option anomalies.

option

-

 

Option

Description

allow

Allow IPv4 with security option to pass.

drop

Drop IPv4 with security option.

trap-to-host

Forward IPv4 with security option to FortiOS.

ipv4-opttimestamp

Timestamp option anomalies.

option

-

 

Option

Description

allow

Allow IPv4 with timestamp option to pass.

drop

Drop IPv4 with timestamp option.

trap-to-host

Forward IPv4 with timestamp option to FortiOS.

ipv4-csum-err

Invalid IPv4 IP checksum anomalies.

option

-

 

Option

Description

drop

Drop IPv4 invalid IP checksum.

trap-to-host

Forward IPv4 invalid IP checksum to main CPU for processing.

tcp-csum-err

Invalid IPv4 TCP checksum anomalies.

option

-

 

Option

Description

drop

Drop IPv4 invalid TCP checksum.

trap-to-host

Forward IPv4 invalid TCP checksum to main CPU for processing.

udp-csum-err

Invalid IPv4 UDP checksum anomalies.

option

-

 

Option

Description

drop

Drop IPv4 invalid UDP checksum.

trap-to-host

Forward IPv4 invalid UDP checksum to main CPU for processing.

icmp-csum-err

Invalid IPv4 ICMP checksum anomalies.

option

-

 

Option

Description

drop

Drop IPv4 invalid ICMP checksum.

trap-to-host

Forward IPv4 invalid ICMP checksum to main CPU for processing.

ipv6-land

Land anomalies.

option

-

 

Option

Description

allow

Allow IPv6 land attack to pass.

drop

Drop IPv6 land attack.

trap-to-host

Forward IPv6 land attack to FortiOS.

ipv6-proto-err

Layer 4 invalid protocol anomalies.

option

-

 

Option

Description

allow

Allow IPv6 L4 invalid protocol to pass.

drop

Drop IPv6 L4 invalid protocol.

trap-to-host

Forward IPv6 L4 invalid protocol to FortiOS.

ipv6-unknopt

Unknown option anomalies.

option

-

 

Option

Description

allow

Allow IPv6 with unknown options to pass.

drop

Drop IPv6 with unknown options.

trap-to-host

Forward IPv6 with unknown options to FortiOS.

ipv6-saddr-err

Source address as multicast anomalies.

option

-

 

Option

Description

allow

Allow IPv6 with source address as multicast to pass.

drop

Drop IPv6 with source address as multicast.

trap-to-host

Forward IPv6 with source address as multicast to FortiOS.

ipv6-daddr-err

Destination address as unspecified or loopback address anomalies.

option

-

 

Option

Description

allow

Allow IPv6 with destination address as unspecified or loopback address to pass.

drop

Drop IPv6 with destination address as unspecified or loopback address.

trap-to-host

Forward IPv6 with destination address as unspecified or loopback address to FortiOS.

ipv6-optralert

Router alert option anomalies.

option

-

 

Option

Description

allow

Allow IPv6 with router alert option to pass.

drop

Drop IPv6 with router alert option.

trap-to-host

Forward IPv6 with router alert option to FortiOS.

ipv6-optjumbo

Jumbo options anomalies.

option

-

 

Option

Description

allow

Allow IPv6 with jumbo option to pass.

drop

Drop IPv6 with jumbo option.

trap-to-host

Forward IPv6 with jumbo option to FortiOS.

ipv6-opttunnel

Tunnel encapsulation limit option anomalies.

option

-

 

Option

Description

allow

Allow IPv6 with tunnel encapsulation limit to pass.

drop

Drop IPv6 with tunnel encapsulation limit.

trap-to-host

Forward IPv6 with tunnel encapsulation limit to FortiOS.

ipv6-opthomeaddr

Home address option anomalies.

option

-

 

Option

Description

allow

Allow IPv6 with home address option to pass.

drop

Drop IPv6 with home address option.

trap-to-host

Forward IPv6 with home address option to FortiOS.

ipv6-optnsap

Network service access point address option anomalies.

option

-

 

Option

Description

allow

Allow IPv6 with network service access point address option to pass.

drop

Drop IPv6 with network service access point address option.

trap-to-host

Forward IPv6 with network service access point address option to FortiOS.

ipv6-optendpid

End point identification anomalies.

option

-

 

Option

Description

allow

Allow IPv6 with end point identification option to pass.

drop

Drop IPv6 with end point identification option.

trap-to-host

Forward IPv6 with end point identification option to FortiOS.

ipv6-optinvld

Invalid option anomalies.Invalid option anomalies.

option

-

 

Option

Description

allow

Allow IPv6 with invalid option to pass.

drop

Drop IPv6 with invalid option.

trap-to-host

Forward IPv6 with invalid option to FortiOS.

config system np6

Configure NP6 attributes.

config system np6

Description: Configure NP6 attributes.

edit <name>

set fastpath [disable|enable]

set low-latency-mode [disable|enable]

set per-session-accounting [disable|traffic-log-only|...]

set garbage-session-collector [disable|enable]

set session-collector-interval {integer}

set session-timeout-interval {integer}

set session-timeout-random-range {integer}

set session-timeout-fixed [disable|enable]

config hpe

Description: HPE configuration.

set tcpsyn-max {integer}

set tcp-max {integer}

set udp-max {integer}

set icmp-max {integer}

set sctp-max {integer}

set esp-max {integer}

set ip-frag-max {integer}

set ip-others-max {integer}

set arp-max {integer}

set l2-others-max {integer}

set pri-type-max {integer}

set enable-shaper [disable|enable]

end

config fp-anomaly

Description: NP6 IPv4 anomaly protection. trap-to-host forwards anomaly sessions to the CPU.

set tcp-syn-fin [allow|drop|...]

set tcp-fin-noack [allow|drop|...]

set tcp-fin-only [allow|drop|...]

set tcp-no-flag [allow|drop|...]

set tcp-syn-data [allow|drop|...]

set tcp-winnuke [allow|drop|...]

set tcp-land [allow|drop|...]

set udp-land [allow|drop|...]

set icmp-land [allow|drop|...]

set icmp-frag [allow|drop|...]

set ipv4-land [allow|drop|...]

set ipv4-proto-err [allow|drop|...]

set ipv4-unknopt [allow|drop|...]

set ipv4-optrr [allow|drop|...]

set ipv4-optssrr [allow|drop|...]

set ipv4-optlsrr [allow|drop|...]

set ipv4-optstream [allow|drop|...]

set ipv4-optsecurity [allow|drop|...]

set ipv4-opttimestamp [allow|drop|...]

set ipv4-csum-err [drop|trap-to-host]

set tcp-csum-err [drop|trap-to-host]

set udp-csum-err [drop|trap-to-host]

set icmp-csum-err [drop|trap-to-host]

set ipv6-land [allow|drop|...]

set ipv6-proto-err [allow|drop|...]

set ipv6-unknopt [allow|drop|...]

set ipv6-saddr-err [allow|drop|...]

set ipv6-daddr-err [allow|drop|...]

set ipv6-optralert [allow|drop|...]

set ipv6-optjumbo [allow|drop|...]

set ipv6-opttunnel [allow|drop|...]

set ipv6-opthomeaddr [allow|drop|...]

set ipv6-optnsap [allow|drop|...]

set ipv6-optendpid [allow|drop|...]

set ipv6-optinvld [allow|drop|...]

end

next

end

config system np6

Parameter name

Description

Type

Size

fastpath

Enable/disable NP4 or NP6 offloading (also called fast path).

option

-

 

Option

Description

disable

Disable NP4 or NP6 offloading (fast path).

enable

Enable NP4 or NP6 offloading (fast path).

low-latency-mode

Enable/disable low latency mode.

option

-

 

Option

Description

disable

Disable low latency mode.

enable

Enable low latency mode.

per-session-accounting

Enable/disable per-session accounting.

option

-

 

Option

Description

disable

Disable per-session accounting.

traffic-log-only

Per-session accounting only for sessions with traffic logging enabled in firewall policy.

enable

Per-session accounting for all sessions.

garbage-session-collector

Enable/disable garbage session collector.

option

-

 

Option

Description

disable

Disable garbage session collector.

enable

Enable garbage session collector.

session-collector-interval

Set garbage session collection cleanup interval (1 - 100 sec, default 64).

integer

Minimum value: 1 Maximum value: 100

session-timeout-interval

Set the fixed timeout for refreshing NP6 sessions (0 - 1000 sec, default 40 sec).

integer

Minimum value: 0 Maximum value: 1000

session-timeout-random-range

Set the random timeout range for refreshing NP6 sessions (0 - 1000 sec, default 8 sec).

integer

Minimum value: 0 Maximum value: 1000

session-timeout-fixed

{disable | enable} Toggle between using fixed or random timeouts for refreshing NP6 sessions.

option

-

 

Option

Description

disable

Disable Refresh NP6 sessions at the configured fixed interval.

enable

Enable Refresh NP6 sessions randomly where the time between refreshes is within the random range.

config hpe

Parameter name

Description

Type

Size

tcpsyn-max

Maximum TCP SYN packet rate (10K - 4G pps, default = 5M pps).

integer

Minimum value: 10000 Maximum value: 4000000000

tcp-max

Maximum TCP packet rate (10K - 4G pps, default = 5M pps).

integer

Minimum value: 10000 Maximum value: 4000000000

udp-max

Maximum UDP packet rate (10K - 4G pps, default = 5M pps).

integer

Minimum value: 10000 Maximum value: 4000000000

icmp-max

Maximum ICMP packet rate (10K - 4G pps, default = 1M pps).

integer

Minimum value: 10000 Maximum value: 4000000000

sctp-max

Maximum SCTP packet rate (10K - 4G pps, default = 1M pps).

integer

Minimum value: 10000 Maximum value: 4000000000

esp-max

Maximum ESP packet rate (10K - 4G pps, default = 1M pps).

integer

Minimum value: 10000 Maximum value: 4000000000

ip-frag-max

Maximum fragmented IP packet rate (10K - 4G pps, default = 1M pps).

integer

Minimum value: 10000 Maximum value: 4000000000

ip-others-max

Maximum IP packet rate for other packets (packet types that cannot be set with other options) (10G - 4G pps, default = 1M pps).

integer

Minimum value: 10000 Maximum value: 4000000000

arp-max

Maximum ARP packet rate (10K - 4G pps, default = 1M pps).

integer

Minimum value: 10000 Maximum value: 4000000000

l2-others-max

Maximum L2 packet rate for L2 packets that are not ARP packets (10K - 4G pps, default = 1M pps).

integer

Minimum value: 10000 Maximum value: 4000000000

pri-type-max

Maximum overflow rate of priority type traffic(10K - 4G pps, default = 1M pps). Includes L2: HA, 802.3ad LACP, heartbeats. L3: OSPF. L4_TCP: BGP. L4_UDP: IKE, SLBC, BFD.

integer

Minimum value: 10000 Maximum value: 4000000000

enable-shaper

Enable/Disable NPU host protection engine (HPE) shaper.

option

-

 

Option

Description

disable

Disable NPU HPE shaping based on packet type.

enable

Enable NPU HPE shaping based on packet type.

config fp-anomaly

Parameter name

Description

Type

Size

tcp-syn-fin

TCP SYN flood SYN/FIN flag set anomalies.

option

-

 

Option

Description

allow

Allow TCP packets with syn_fin flag set to pass.

drop

Drop TCP packets with syn_fin flag set.

trap-to-host

Forward TCP packets with syn_fin flag set to FortiOS.

tcp-fin-noack