Version:

Version:

Version:

Version:

Version:


Table of Contents

Hardware Acceleration

Configuring individual NP6 processors

You can use the config system np6 command to configure a wide range of settings for each of the NP6 processors in your FortiGate unit including enabling session accounting and adjusting session timeouts. As well you can set anomaly checking for IPv4 and IPv6 traffic.

For FortiGates with NP6XLite processors, the config system np6xlite command has similar options.

For FortiGates with NP6Lite processors, the config system np6lite command has similar options.

You can also enable and adjust Host Protection Engine (HPE) to protect networks from DoS attacks by categorizing incoming packets based on packet rate and processing cost and applying packet shaping to packets that can cause DoS attacks.

The settings that you configure for an NP6 processor with the config system np6 command apply to traffic processed by all interfaces connected to that NP6 processor. This includes the physical interfaces connected to the NP6 processor as well as all subinterfaces, VLAN interfaces, IPsec interfaces, LAGs and so on associated with the physical interfaces connected to the NP6 processor.

config system {np6 | np6xlite | np6lite}

edit <np6-processor-name>

set low-latency-mode {disable | enable}

set per-session-accounting {all-enable | disable | traffic-log-only}

set session-timeout-random-range <range>

set garbage-session-collector {disable | enable}

set session-collector-interval <range>

set session-timeout-interval <range>

set session-timeout-random-range <range>

set session-timeout-fixed {disable | enable}

config hpe

set tcpsyn-max <packets-per-second>

set tcpsyn-ack-max <packets-per-second>

set tcpfin-rst-max <packets-per-second>

set tcp-max <packets-per-second>

set udp-max <packets-per-second>

set icmp-max <packets-per-second>

set sctp-max <packets-per-second>

set esp-max <packets-per-second>

set ip-frag-max <packets-per-second>

set ip-others-max <packets-per-second>

set arp-max <packets-per-second>

set l2-others-max <packets-per-second>

set pri-type-max <packets-per-second>

set enable-shaper {disable | enable}

config fp-anomaly

set tcp-syn-fin {allow | drop | trap-to-host}

set tcp-fin-noack {allow | drop | trap-to-host}

set tcp-fin-only {allow | drop | trap-to-host}

set tcp-no-flag {allow | drop | trap-to-host}

set tcp-syn-data {allow | drop | trap-to-host}

set tcp-winnuke {allow | drop | trap-to-host}

set tcp-land {allow | drop | trap-to-host}

set udp-land {allow | drop | trap-to-host}

set icmp-land {allow | drop | trap-to-host}

set icmp-frag {allow | drop | trap-to-host}

set ipv4-land {allow | drop | trap-to-host}

set ipv4-proto-err {allow | drop | trap-to-host}

set ipv4-unknopt {allow | drop | trap-to-host}

set ipv4-optrr {allow | drop | trap-to-host}

set ipv4-optssrr {allow | drop | trap-to-host}

set ipv4-optlsrr {allow | drop | trap-to-host}

set ipv4-optstream {allow | drop | trap-to-host}

set ipv4-optsecurity {allow | drop | trap-to-host}

set ipv4-opttimestamp {allow | drop | trap-to-host}

set ipv4-csum-err {drop | trap-to-host}

set tcp-csum-err {drop | trap-to-host}

set udp-csum-err {drop | trap-to-host}

set icmp-csum-err {drop | trap-to-host}

set ipv6-land {allow | drop | trap-to-host}

set ipv6-proto-err {allow | drop | trap-to-host}

set ipv6-unknopt {allow | drop | trap-to-host}

set ipv6-saddr-err {allow | drop | trap-to-host}

set ipv6-daddr-err {allow | drop | trap-to-host}

set ipv6-optralert {allow | drop | trap-to-host}

set ipv6-optjumbo {allow | drop | trap-to-host}

set ipv6-opttunnel {allow | drop | trap-to-host}

set ipv6-opthomeaddr {allow | drop | trap-to-host}

set ipv6-optnsap {allow | drop | trap-to-host}

set ipv6-optendpid {allow | drop | trap-to-host}

set ipv6-optinvld {allow | drop | trap-to-host}

end

Command syntax
Command Description Default
low-latency-mode {disable | enable} Enable low-latency mode. In low latency mode the integrated switch fabric is bypassed. Low latency mode requires that packet enter and exit using the same NP6 processor. This option is only available for NP6 processors that can operate in low-latency mode, currently only np6_0 and np6_1 on the FortiGate 3700D and DX. disable
per-session-accounting {all-enable | disable | traffic-log-only} Disable NP6 per-session accounting or enable it and control how it works. If set to traffic-log-only (the default) NP6 per-session accounting is only enabled if firewall policies accepting offloaded traffic have traffic logging enabled. If set to all-enable, NP6 per-session accounting is always enabled for all traffic offloaded by the NP6 processor.

Enabling per-session accounting can affect performance.
traffic-log-only
garbage-session-collector {disable | enable} Enable deleting expired or garbage sessions. disable
session-collector-interval <range> Set the expired or garbage session collector time interval in seconds. The range is 1 to 100 seconds. 64
session-timeout-interval <range> Set the timeout for checking for and removing inactive NP6 sessions. The range is 0 to 1000 seconds. 40
session-timeout-random-range <range> Set the random timeout for checking and removing inactive NP6 sessions. The range is 0 to 1000 seconds. For more information, see Configuring NP6 session timeouts. 8
session-timeout-fixed {disable | enable} Enable to force checking for and removing inactive NP6 sessions at the session-timeout-interval time interval. Set to disable (the default) to check for and remove inactive NP6 sessions at random time intervals. For more information, see Configuring NP6 session timeouts. disable

config hpe

See NP6 HPE host protection engine.

 

config fp-anomaly

fp-anomaly Configure how the NP6 processor performs traffic anomaly protection. In most cases you can configure the NP6 processor to allow or drop the packets associated with an attack or forward the packets that are associated with the attack to FortiOS (called trap-to-host). Selecting trap-to-host turns off NP6 anomaly protection for that anomaly. If you require anomaly protection but don't want to use the NP6 processor, you can select trap-to-host and enable anomaly protection with a DoS policy.
tcp-syn-fin {allow | drop | trap-to-host} Detects TCP SYN flood SYN/FIN flag set anomalies. allow
tcp-fin-noack {allow | drop | trap-to-host} Detects TCP SYN flood with FIN flag set without ACK setting anomalies. trap-to-host
tcp-fin-only {allow | drop | trap-to-host} Detects TCP SYN flood with only FIN flag set anomalies. trap-to-host
tcp-no-flag {allow | drop | trap-to-host} Detects TCP SYN flood with no flag set anomalies. allow
tcp-syn-data {allow | drop | trap-to-host} Detects TCP SYN flood packets with data anomalies. allow
tcp-winnuke {allow | drop | trap-to-host} Detects TCP WinNuke anomalies. trap-to-host
tcp-land {allow | drop | trap-to-host} Detects TCP land anomalies. trap-to-host
udp-land {allow | drop | trap-to-host} Detects UDP land anomalies. trap-to-host
icmp-land {allow | drop | trap-to-host} Detects ICMP land anomalies. trap-to-host
icmp-frag {allow | drop | trap-to-host} Detects Layer 3 fragmented packets that could be part of a layer 4 ICMP anomalies. allow
ipv4-land {allow | drop | trap-to-host} Detects IPv4 land anomalies. trap-to-host
ipv4-proto-err {allow | drop | trap-to-host} Detects invalid layer 4 protocol anomalies.

For information about the error codes that are produced by setting this option to drop, see NP6 anomaly error codes.

trap-to-host
ipv4-unknopt {allow | drop | trap-to-host} Detects unknown option anomalies. trap-to-host
ipv4-optrr {allow | drop | trap-to-host} Detects IPv4 with record route option anomalies. trap-to-host
ipv4-optssrr {allow | drop | trap-to-host} Detects IPv4 with strict source record route option anomalies. trap-to-host
ipv4-optlsrr {allow | drop | trap-to-host} Detects IPv4 with loose source record route option anomalies. trap-to-host
ipv4-optstream {allow | drop | trap-to-host} Detects stream option anomalies. trap-to-host
ipv4-optsecurity {allow | drop | trap-to-host} Detects security option anomalies. trap-to-host
ipv4-opttimestamp {allow | drop | trap-to-host} Detects timestamp option anomalies. trap-to-host
ipv4-csum-err {drop | trap-to-host} Detects IPv4 checksum errors. drop
tcp-csum-err {drop | trap-to-host} Detects TCP checksum errors. drop
udp-csum-err {drop | trap-to-host} Detects UDP checksum errors. drop
icmp-csum-err {drop | trap-to-host} Detects ICMP checksum errors. drop
ipv6-land {allow | drop | trap-to-host} Detects IPv6 land anomalies trap-to-host
ipv6-unknopt {allow | drop | trap-to-host} Detects unknown option anomalies. trap-to-host
ipv6-saddr-err {allow | drop | trap-to-host} Detects source address as multicast anomalies. trap-to-host
ipv6-daddr-err {allow | drop | trap-to-host} Detects destination address as unspecified or loopback address anomalies. trap-to-host
ipv6-optralert {allow | drop | trap-to-host} Detects router alert option anomalies. trap-to-host
ipv6-optjumbo {allow | drop | trap-to-host} Detects jumbo options anomalies. trap-to-host
ipv6-opttunnel {allow | drop | trap-to-host} Detects tunnel encapsulation limit option anomalies. trap-to-host
ipv6-opthomeaddr {allow | drop | trap-to-host} Detects home address option anomalies. trap-to-host
ipv6-optnsap {allow | drop | trap-to-host} Detects network service access point address option anomalies. trap-to-host
ipv6-optendpid {allow | drop | trap-to-host} Detects end point identification anomalies. trap-to-host
ipv6-optinvld {allow | drop | trap-to-host} Detects invalid option anomalies. trap-to-host

Configuring individual NP6 processors

You can use the config system np6 command to configure a wide range of settings for each of the NP6 processors in your FortiGate unit including enabling session accounting and adjusting session timeouts. As well you can set anomaly checking for IPv4 and IPv6 traffic.

For FortiGates with NP6XLite processors, the config system np6xlite command has similar options.

For FortiGates with NP6Lite processors, the config system np6lite command has similar options.

You can also enable and adjust Host Protection Engine (HPE) to protect networks from DoS attacks by categorizing incoming packets based on packet rate and processing cost and applying packet shaping to packets that can cause DoS attacks.

The settings that you configure for an NP6 processor with the config system np6 command apply to traffic processed by all interfaces connected to that NP6 processor. This includes the physical interfaces connected to the NP6 processor as well as all subinterfaces, VLAN interfaces, IPsec interfaces, LAGs and so on associated with the physical interfaces connected to the NP6 processor.

config system {np6 | np6xlite | np6lite}

edit <np6-processor-name>

set low-latency-mode {disable | enable}

set per-session-accounting {all-enable | disable | traffic-log-only}

set session-timeout-random-range <range>

set garbage-session-collector {disable | enable}

set session-collector-interval <range>

set session-timeout-interval <range>

set session-timeout-random-range <range>

set session-timeout-fixed {disable | enable}

config hpe

set tcpsyn-max <packets-per-second>

set tcpsyn-ack-max <packets-per-second>

set tcpfin-rst-max <packets-per-second>

set tcp-max <packets-per-second>

set udp-max <packets-per-second>

set icmp-max <packets-per-second>

set sctp-max <packets-per-second>

set esp-max <packets-per-second>

set ip-frag-max <packets-per-second>

set ip-others-max <packets-per-second>

set arp-max <packets-per-second>

set l2-others-max <packets-per-second>

set pri-type-max <packets-per-second>

set enable-shaper {disable | enable}

config fp-anomaly

set tcp-syn-fin {allow | drop | trap-to-host}

set tcp-fin-noack {allow | drop | trap-to-host}

set tcp-fin-only {allow | drop | trap-to-host}

set tcp-no-flag {allow | drop | trap-to-host}

set tcp-syn-data {allow | drop | trap-to-host}

set tcp-winnuke {allow | drop | trap-to-host}

set tcp-land {allow | drop | trap-to-host}

set udp-land {allow | drop | trap-to-host}

set icmp-land {allow | drop | trap-to-host}

set icmp-frag {allow | drop | trap-to-host}

set ipv4-land {allow | drop | trap-to-host}

set ipv4-proto-err {allow | drop | trap-to-host}

set ipv4-unknopt {allow | drop | trap-to-host}

set ipv4-optrr {allow | drop | trap-to-host}

set ipv4-optssrr {allow | drop | trap-to-host}

set ipv4-optlsrr {allow | drop | trap-to-host}

set ipv4-optstream {allow | drop | trap-to-host}

set ipv4-optsecurity {allow | drop | trap-to-host}

set ipv4-opttimestamp {allow | drop | trap-to-host}

set ipv4-csum-err {drop | trap-to-host}

set tcp-csum-err {drop | trap-to-host}

set udp-csum-err {drop | trap-to-host}

set icmp-csum-err {drop | trap-to-host}

set ipv6-land {allow | drop | trap-to-host}

set ipv6-proto-err {allow | drop | trap-to-host}

set ipv6-unknopt {allow | drop | trap-to-host}

set ipv6-saddr-err {allow | drop | trap-to-host}

set ipv6-daddr-err {allow | drop | trap-to-host}

set ipv6-optralert {allow | drop | trap-to-host}

set ipv6-optjumbo {allow | drop | trap-to-host}

set ipv6-opttunnel {allow | drop | trap-to-host}

set ipv6-opthomeaddr {allow | drop | trap-to-host}

set ipv6-optnsap {allow | drop | trap-to-host}

set ipv6-optendpid {allow | drop | trap-to-host}

set ipv6-optinvld {allow | drop | trap-to-host}

end

Command syntax
Command Description Default
low-latency-mode {disable | enable} Enable low-latency mode. In low latency mode the integrated switch fabric is bypassed. Low latency mode requires that packet enter and exit using the same NP6 processor. This option is only available for NP6 processors that can operate in low-latency mode, currently only np6_0 and np6_1 on the FortiGate 3700D and DX. disable
per-session-accounting {all-enable | disable | traffic-log-only} Disable NP6 per-session accounting or enable it and control how it works. If set to traffic-log-only (the default) NP6 per-session accounting is only enabled if firewall policies accepting offloaded traffic have traffic logging enabled. If set to all-enable, NP6 per-session accounting is always enabled for all traffic offloaded by the NP6 processor.

Enabling per-session accounting can affect performance.
traffic-log-only
garbage-session-collector {disable | enable} Enable deleting expired or garbage sessions. disable
session-collector-interval <range> Set the expired or garbage session collector time interval in seconds. The range is 1 to 100 seconds. 64
session-timeout-interval <range> Set the timeout for checking for and removing inactive NP6 sessions. The range is 0 to 1000 seconds. 40
session-timeout-random-range <range> Set the random timeout for checking and removing inactive NP6 sessions. The range is 0 to 1000 seconds. For more information, see Configuring NP6 session timeouts. 8
session-timeout-fixed {disable | enable} Enable to force checking for and removing inactive NP6 sessions at the session-timeout-interval time interval. Set to disable (the default) to check for and remove inactive NP6 sessions at random time intervals. For more information, see Configuring NP6 session timeouts. disable

config hpe

See NP6 HPE host protection engine.

 

config fp-anomaly

fp-anomaly Configure how the NP6 processor performs traffic anomaly protection. In most cases you can configure the NP6 processor to allow or drop the packets associated with an attack or forward the packets that are associated with the attack to FortiOS (called trap-to-host). Selecting trap-to-host turns off NP6 anomaly protection for that anomaly. If you require anomaly protection but don't want to use the NP6 processor, you can select trap-to-host and enable anomaly protection with a DoS policy.
tcp-syn-fin {allow | drop | trap-to-host} Detects TCP SYN flood SYN/FIN flag set anomalies. allow
tcp-fin-noack {allow | drop | trap-to-host} Detects TCP SYN flood with FIN flag set without ACK setting anomalies. trap-to-host
tcp-fin-only {allow | drop | trap-to-host} Detects TCP SYN flood with only FIN flag set anomalies. trap-to-host
tcp-no-flag {allow | drop | trap-to-host} Detects TCP SYN flood with no flag set anomalies. allow
tcp-syn-data {allow | drop | trap-to-host} Detects TCP SYN flood packets with data anomalies. allow
tcp-winnuke {allow | drop | trap-to-host} Detects TCP WinNuke anomalies. trap-to-host
tcp-land {allow | drop | trap-to-host} Detects TCP land anomalies. trap-to-host
udp-land {allow | drop | trap-to-host} Detects UDP land anomalies. trap-to-host
icmp-land {allow | drop | trap-to-host} Detects ICMP land anomalies. trap-to-host
icmp-frag {allow | drop | trap-to-host} Detects Layer 3 fragmented packets that could be part of a layer 4 ICMP anomalies. allow
ipv4-land {allow | drop | trap-to-host} Detects IPv4 land anomalies. trap-to-host
ipv4-proto-err {allow | drop | trap-to-host} Detects invalid layer 4 protocol anomalies.

For information about the error codes that are produced by setting this option to drop, see NP6 anomaly error codes.

trap-to-host
ipv4-unknopt {allow | drop | trap-to-host} Detects unknown option anomalies. trap-to-host
ipv4-optrr {allow | drop | trap-to-host} Detects IPv4 with record route option anomalies. trap-to-host
ipv4-optssrr {allow | drop | trap-to-host} Detects IPv4 with strict source record route option anomalies. trap-to-host
ipv4-optlsrr {allow | drop | trap-to-host} Detects IPv4 with loose source record route option anomalies. trap-to-host
ipv4-optstream {allow | drop | trap-to-host} Detects stream option anomalies. trap-to-host
ipv4-optsecurity {allow | drop | trap-to-host} Detects security option anomalies. trap-to-host
ipv4-opttimestamp {allow | drop | trap-to-host} Detects timestamp option anomalies. trap-to-host
ipv4-csum-err {drop | trap-to-host} Detects IPv4 checksum errors. drop
tcp-csum-err {drop | trap-to-host} Detects TCP checksum errors. drop
udp-csum-err {drop | trap-to-host} Detects UDP checksum errors. drop
icmp-csum-err {drop | trap-to-host} Detects ICMP checksum errors. drop
ipv6-land {allow | drop | trap-to-host} Detects IPv6 land anomalies trap-to-host
ipv6-unknopt {allow | drop | trap-to-host} Detects unknown option anomalies. trap-to-host
ipv6-saddr-err {allow | drop | trap-to-host} Detects source address as multicast anomalies. trap-to-host
ipv6-daddr-err {allow | drop | trap-to-host} Detects destination address as unspecified or loopback address anomalies. trap-to-host
ipv6-optralert {allow | drop | trap-to-host} Detects router alert option anomalies. trap-to-host
ipv6-optjumbo {allow | drop | trap-to-host} Detects jumbo options anomalies. trap-to-host
ipv6-opttunnel {allow | drop | trap-to-host} Detects tunnel encapsulation limit option anomalies. trap-to-host
ipv6-opthomeaddr {allow | drop | trap-to-host} Detects home address option anomalies. trap-to-host
ipv6-optnsap {allow | drop | trap-to-host} Detects network service access point address option anomalies. trap-to-host
ipv6-optendpid {allow | drop | trap-to-host} Detects end point identification anomalies. trap-to-host
ipv6-optinvld {allow | drop | trap-to-host} Detects invalid option anomalies. trap-to-host