Fortinet Document Library


CLI Reference

config system npu

Note

This command is available for reference model(s) FortiGate 140E-POE, FortiGate 501E, FortiGate 3000D, FortiWiFi 61F. It is not available for FortiGate VM64.

Configure NPU attributes.

config system npu
    Description: Configure NPU attributes.
    set iph-rsvd-re-cksum [enable|disable]
    set per-session-accounting [disable|traffic-log-only|...]
    config fp-anomaly
        Description: NP6Lite anomaly protection (packet drop or send trap to host).
        set ipv4-ver-err [drop|trap-to-host]
        set ipv4-ihl-err [drop|trap-to-host]
        set ipv4-len-err [drop|trap-to-host]
        set ipv4-ttlzero-err [drop|trap-to-host]
        set ipv4-csum-err [drop|trap-to-host]
        set ipv4-opt-err [drop|trap-to-host]
        set tcp-hlen-err [drop|trap-to-host]
        set tcp-plen-err [drop|trap-to-host]
        set tcp-csum-err [drop|trap-to-host]
        set udp-plen-err [drop|trap-to-host]
        set udp-hlen-err [drop|trap-to-host]
        set udp-csum-err [drop|trap-to-host]
        set udp-len-err [drop|trap-to-host]
        set udplite-cover-err [drop|trap-to-host]
        set udplite-csum-err [drop|trap-to-host]
        set icmp-minlen-err [drop|trap-to-host]
        set icmp-csum-err [drop|trap-to-host]
        set esp-minlen-err [drop|trap-to-host]
        set unknproto-minlen-err [drop|trap-to-host]
        set ipv6-ver-err [drop|trap-to-host]
        set ipv6-ihl-err [drop|trap-to-host]
        set ipv6-plen-zero [drop|trap-to-host]
        set ipv6-exthdr-order-err [drop|trap-to-host]
        set ipv6-exthdr-len-err [drop|trap-to-host]
    end
end

config system npu

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| iph-rsvd-re-cksum * | Enable/disable IP checksum re-calculation for packets with iph.reserved bit set. | option | - | disable |
| per-session-accounting * | Enable/disable per-session accounting. | option | - | traffic-log-only |

| Parameter | Option | Description |
|---|---|---|
| iph-rsvd-re-cksum | enable | Enable IP checksum re-calculation for packets with iph.reserved bit set. |
| iph-rsvd-re-cksum | disable | Disable IP checksum re-calculation for packets with iph.reserved bit set. |
| per-session-accounting | disable | Disable per-session accounting. |
| per-session-accounting | traffic-log-only | Per-session accounting only for sessions with traffic logging enabled in firewall policy. |
| per-session-accounting | enable | Per-session accounting for all sessions. |

* This parameter may not exist in some models.

config fp-anomaly

| Parameter | Description | Type | Size | Default | Option: drop | Option: trap-to-host |
|---|---|---|---|---|---|---|
| ipv4-ver-err | Invalid IPv4 header version anomalies. | option | - | drop | Drop IPv4 invalid header version. | Forward IPv4 invalid header version to main CPU for processing. |
| ipv4-ihl-err | Invalid IPv4 header length anomalies. | option | - | drop | Drop IPv4 invalid header length. | Forward IPv4 invalid header length to main CPU for processing. |
| ipv4-len-err | Invalid IPv4 packet length anomalies. | option | - | drop | Drop IPv4 invalid packet length. | Forward IPv4 invalid packet length to main CPU for processing. |
| ipv4-ttlzero-err | Invalid IPv4 TTL field zero anomalies. | option | - | drop | Drop IPv4 invalid TTL field zero. | Forward IPv4 invalid TTL field zero to main CPU for processing. |
| ipv4-csum-err | Invalid IPv4 packet checksum anomalies. | option | - | drop | Drop IPv4 invalid L3 checksum. | Forward IPv4 invalid L3 checksum to main CPU for processing. |
| ipv4-opt-err | Invalid IPv4 option parsing anomalies. | option | - | drop | Drop IPv4 invalid option parsing. | Forward IPv4 invalid option parsing to main CPU for processing. |
| tcp-hlen-err | Invalid IPv4 TCP header length anomalies. | option | - | drop | Drop IPv4 invalid TCP packet header length. | Forward IPv4 invalid TCP packet header length to main CPU for processing. |
| tcp-plen-err | Invalid IPv4 TCP packet length anomalies. | option | - | drop | Drop IPv4 invalid TCP packet length. | Forward IPv4 invalid TCP packet length to main CPU for processing. |
| tcp-csum-err | Invalid IPv4 TCP packet checksum anomalies. | option | - | drop | Drop IPv4 invalid TCP packet checksum. | Forward IPv4 invalid TCP packet checksum to main CPU for processing. |
| udp-plen-err | Invalid IPv4 UDP packet minimum length anomalies. | option | - | drop | Drop IPv4 invalid UDP packet minimum length. | Forward IPv4 invalid UDP packet minimum length to main CPU for processing. |
| udp-hlen-err | Invalid IPv4 UDP packet header length anomalies. | option | - | drop | Drop IPv4 invalid UDP header length. | Forward IPv4 invalid UDP header length to main CPU for processing. |
| udp-csum-err | Invalid IPv4 UDP packet checksum anomalies. | option | - | drop | Drop IPv4 invalid UDP packet checksum. | Forward IPv4 invalid UDP packet checksum to main CPU for processing. |
| udp-len-err | Invalid IPv4 UDP packet length anomalies. | option | - | drop | Drop IPv4 invalid UDP packet length. | Forward IPv4 invalid UDP packet length to main CPU for processing. |
| udplite-cover-err | Invalid IPv4 UDP-Lite packet coverage anomalies. | option | - | drop | Drop IPv4 invalid UDP-Lite packet coverage. | Forward IPv4 invalid UDP-Lite packet coverage to main CPU for processing. |
| udplite-csum-err | Invalid IPv4 UDP-Lite packet checksum anomalies. | option | - | drop | Drop IPv4 invalid UDP-Lite packet checksum. | Forward IPv4 invalid UDP-Lite packet checksum to main CPU for processing. |
| icmp-minlen-err | Invalid IPv4 ICMP short packet anomalies. | option | - | drop | Drop IPv4 invalid ICMP short packet. | Forward IPv4 invalid ICMP short packet to main CPU for processing. |
| icmp-csum-err | Invalid IPv4 ICMP packet checksum anomalies. | option | - | drop | Drop IPv4 invalid ICMP checksum. | Forward IPv4 invalid ICMP checksum to main CPU for processing. |
| esp-minlen-err | Invalid IPv4 ESP short packet anomalies. | option | - | drop | Drop IPv4 invalid ESP short packet. | Forward IPv4 invalid ESP short packet to main CPU for processing. |
| unknproto-minlen-err | Invalid IPv4 L4 unknown protocol short packet anomalies. | option | - | drop | Drop IPv4 invalid L4 unknown protocol short packet. | Forward IPv4 invalid L4 unknown protocol short packet to main CPU for processing. |
| ipv6-ver-err | Invalid IPv6 packet version anomalies. | option | - | drop | Drop IPv6 with invalid packet version. | Forward IPv6 with invalid packet version to FortiOS. |
| ipv6-ihl-err | Invalid IPv6 packet length anomalies. | option | - | drop | Drop IPv6 with invalid packet length. | Forward IPv6 with invalid packet length to FortiOS. |
| ipv6-plen-zero | Invalid IPv6 packet payload length zero anomalies. | option | - | drop | Drop IPv6 with invalid packet payload length zero. | Forward IPv6 with invalid packet payload length zero to FortiOS. |
| ipv6-exthdr-order-err | Invalid IPv6 packet extension header ordering anomalies. | option | - | drop | Drop IPv6 with invalid packet extension header ordering. | Forward IPv6 with invalid packet extension header ordering to FortiOS. |
| ipv6-exthdr-len-err | Invalid IPv6 packet chain extension header total length anomalies. | option | - | drop | Drop IPv6 with invalid packet chain extension header total length. | Forward IPv6 with invalid packet chain extension header total length to FortiOS. |
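
The following added example (not Fortinet code) audits a saved configuration text for fp-anomaly parameters that are set to trap-to-host rather than the documented default of drop, and flags parameter names that are not in this reference. The sample configuration, the function names and the parameter "udp-bogus-err" are constructed for illustration; it assumes settings absent from the text are at their default.

```python
# Added example: audit "config system npu" > "config fp-anomaly" in a config text.
FP_ANOMALY_KEYS = (  # the 24 parameters listed in this reference
    "ipv4-ver-err", "ipv4-ihl-err", "ipv4-len-err", "ipv4-ttlzero-err",
    "ipv4-csum-err", "ipv4-opt-err", "tcp-hlen-err", "tcp-plen-err",
    "tcp-csum-err", "udp-plen-err", "udp-hlen-err", "udp-csum-err",
    "udp-len-err", "udplite-cover-err", "udplite-csum-err", "icmp-minlen-err",
    "icmp-csum-err", "esp-minlen-err", "unknproto-minlen-err", "ipv6-ver-err",
    "ipv6-ihl-err", "ipv6-plen-zero", "ipv6-exthdr-order-err", "ipv6-exthdr-len-err",
)
VALID_VALUES = {"drop", "trap-to-host"}

# Constructed sample; "udp-bogus-err" is deliberately not a documented parameter.
SAMPLE_CONFIG = """\
config system npu
    set per-session-accounting traffic-log-only
    config fp-anomaly
        set ipv4-opt-err trap-to-host
        set tcp-csum-err drop
        set ipv6-exthdr-order-err trap-to-host
        set udp-bogus-err drop
    end
end
config system global
    set hostname "lab-fgt"
end
"""

def fp_anomaly_settings(config_text):
    """Return {parameter: value} for 'set' lines inside system npu > fp-anomaly."""
    stack, found = [], {}
    for line in config_text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "config":            # entering a (possibly nested) block
            stack.append(" ".join(words[1:]))
        elif words[0] == "end" and stack:   # leaving the innermost block
            stack.pop()
        elif words[0] == "set" and len(words) >= 3 and stack == ["system npu", "fp-anomaly"]:
            found[words[1]] = words[2]
    return found

def audit(config_text):
    """Return (trapped, unknown): anomaly classes sent to the CPU, and bad names/values."""
    s = fp_anomaly_settings(config_text)
    trapped = sorted(k for k, v in s.items() if k in FP_ANOMALY_KEYS and v == "trap-to-host")
    unknown = sorted(k for k, v in s.items() if k not in FP_ANOMALY_KEYS or v not in VALID_VALUES)
    return trapped, unknown

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```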
