
Hyperscale Firewall Guide

config fp-anomaly

Use the following command to configure NP7 traffic anomaly protection (the outer config system npu block also needs its own closing end):

config system npu
    config fp-anomaly
        set tcp-syn-fin {allow | drop | trap-to-host}
        set tcp-fin-noack {allow | drop | trap-to-host}
        set tcp-fin-only {allow | drop | trap-to-host}
        set tcp-no-flag {allow | drop | trap-to-host}
        set tcp-syn-data {allow | drop | trap-to-host}
        set tcp-winnuke {allow | drop | trap-to-host}
        set tcp-land {allow | drop | trap-to-host}
        set udp-land {allow | drop | trap-to-host}
        set icmp-land {allow | drop | trap-to-host}
        set icmp-frag {allow | drop | trap-to-host}
        set ipv4-land {allow | drop | trap-to-host}
        set ipv4-proto-err {allow | drop | trap-to-host}
        set ipv4-unknopt {allow | drop | trap-to-host}
        set ipv4-optrr {allow | drop | trap-to-host}
        set ipv4-optssrr {allow | drop | trap-to-host}
        set ipv4-optlsrr {allow | drop | trap-to-host}
        set ipv4-optstream {allow | drop | trap-to-host}
        set ipv4-optsecurity {allow | drop | trap-to-host}
        set ipv4-opttimestamp {allow | drop | trap-to-host}
        set ipv4-csum-err {drop | trap-to-host}
        set tcp-csum-err {drop | trap-to-host}
        set udp-csum-err {drop | trap-to-host}
        set icmp-csum-err {drop | trap-to-host}
        set sctp-csum-err {allow | drop | trap-to-host}
        set ipv6-land {allow | drop | trap-to-host}
        set ipv6-proto-err {allow | drop | trap-to-host}
        set ipv6-unknopt {allow | drop | trap-to-host}
        set ipv6-saddr-err {allow | drop | trap-to-host}
        set ipv6-daddr-err {allow | drop | trap-to-host}
        set ipv6-optralert {allow | drop | trap-to-host}
        set ipv6-optjumbo {allow | drop | trap-to-host}
        set ipv6-opttunnel {allow | drop | trap-to-host}
        set ipv6-opthomeaddr {allow | drop | trap-to-host}
        set ipv6-optnsap {allow | drop | trap-to-host}
        set ipv6-optendpid {allow | drop | trap-to-host}
        set ipv6-optinvld {allow | drop | trap-to-host}
    end
end

In most cases you can configure NP7 processors to allow or drop the packets associated with an attack, or to forward them to FortiOS (called trap-to-host). Selecting trap-to-host turns off NP7 anomaly protection for that anomaly.

If you select trap-to-host for an anomaly protection option, you can use a DoS policy to configure anomaly protection for that anomaly instead. If you set the policy-offload-level NPU setting to dos-offload, DoS policy anomaly protection is offloaded to the NP7 processors.
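The following audit script is an added example and not Fortinet code: it parses a constructed config system npu dump, groups each configured anomaly by its action, and flags the trap-to-host entries that NP7 no longer enforces itself (they are covered in hardware again only through a DoS policy with policy-offload-level set to dos-offload). The sample dump and the audit function names are assumptions for illustration.

```python
"""NP7 fp-anomaly coverage audit (added example, not Fortinet code).
Groups each configured anomaly by action and flags trap-to-host entries,
which NP7 keeps enforcing only through a DoS policy when
policy-offload-level is dos-offload."""

# Constructed sample dump; options not listed keep their page defaults.
SAMPLE_CONFIG = """\
config system npu
    set policy-offload-level dos-offload
    config fp-anomaly
        set tcp-syn-fin drop
        set tcp-fin-noack trap-to-host
        set tcp-land drop
        set ipv4-csum-err drop
        set ipv6-optjumbo allow
    end
end
"""
NO_ALLOW = {"ipv4-csum-err", "tcp-csum-err", "udp-csum-err", "icmp-csum-err"}  # {drop | trap-to-host} only

def parse_npu(text):
    """Return (policy_offload_level, {anomaly: action}) from a config dump."""
    level, anomalies, in_fp = None, {}, False
    for tok in (line.split() for line in text.splitlines()):
        if not tok:
            continue
        if tok[0] == "config":
            in_fp = tok[1:] == ["fp-anomaly"]
        elif tok[0] == "end":
            in_fp = False
        elif tok[0] == "set" and len(tok) == 3 and in_fp:
            anomalies[tok[1]] = tok[2]
        elif tok[:2] == ["set", "policy-offload-level"] and len(tok) == 3:
            level = tok[2]
    return level, anomalies

def audit(text):
    """Group anomalies by action; 'invalid' holds values the CLI rejects."""
    level, anomalies = parse_npu(text)
    report = {"allow": [], "drop": [], "trap-to-host": [], "invalid": []}
    for name, action in sorted(anomalies.items()):
        bad = action not in ("allow", "drop", "trap-to-host")
        if bad or (action == "allow" and name in NO_ALLOW):
            report["invalid"].append(name)
        else:
            report[action].append(name)
    # trap-to-host turns off NP7 protection for that anomaly; a DoS policy
    # re-offloads it to NP7 only when policy-offload-level is dos-offload.
    report["dos_policy_offloaded"] = level == "dos-offload"
    return report
```

Anything listed under trap-to-host without dos_policy_offloaded being true is handled entirely by the FortiOS CPU, which is the case to review on a hyperscale deployment.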

Each option is listed below with its description and default value.

tcp-syn-fin {allow | drop | trap-to-host}
    Detects TCP SYN flood SYN/FIN flag set anomalies. Default: allow.

tcp-fin-noack {allow | drop | trap-to-host}
    Detects TCP SYN flood with FIN flag set without ACK setting anomalies. Default: trap-to-host.

tcp-fin-only {allow | drop | trap-to-host}
    Detects TCP SYN flood with only FIN flag set anomalies. Default: trap-to-host.

tcp-no-flag {allow | drop | trap-to-host}
    Detects TCP SYN flood with no flag set anomalies. Default: allow.

tcp-syn-data {allow | drop | trap-to-host}
    Detects TCP SYN flood packets with data anomalies. Default: allow.

tcp-winnuke {allow | drop | trap-to-host}
    Detects TCP WinNuke anomalies. Default: trap-to-host.

tcp-land {allow | drop | trap-to-host}
    Detects TCP land anomalies. Default: trap-to-host.

udp-land {allow | drop | trap-to-host}
    Detects UDP land anomalies. Default: trap-to-host.

icmp-land {allow | drop | trap-to-host}
    Detects ICMP land anomalies. Default: trap-to-host.

icmp-frag {allow | drop | trap-to-host}
    Detects layer 3 fragmented packets that could be part of layer 4 ICMP anomalies. Default: allow.

ipv4-land {allow | drop | trap-to-host}
    Detects IPv4 land anomalies. Default: trap-to-host.

ipv4-proto-err {allow | drop | trap-to-host}
    Detects invalid layer 4 protocol anomalies. For information about the error codes that are produced by setting this option to drop, see NP6 anomaly error codes. Default: trap-to-host.

ipv4-unknopt {allow | drop | trap-to-host}
    Detects unknown option anomalies. Default: trap-to-host.

ipv4-optrr {allow | drop | trap-to-host}
    Detects IPv4 with record route option anomalies. Default: trap-to-host.

ipv4-optssrr {allow | drop | trap-to-host}
    Detects IPv4 with strict source record route option anomalies. Default: trap-to-host.

ipv4-optlsrr {allow | drop | trap-to-host}
    Detects IPv4 with loose source record route option anomalies. Default: trap-to-host.

ipv4-optstream {allow | drop | trap-to-host}
    Detects stream option anomalies. Default: trap-to-host.

ipv4-optsecurity {allow | drop | trap-to-host}
    Detects security option anomalies. Default: trap-to-host.

ipv4-opttimestamp {allow | drop | trap-to-host}
    Detects timestamp option anomalies. Default: trap-to-host.

ipv4-csum-err {drop | trap-to-host}
    Detects IPv4 checksum errors. Default: drop.

tcp-csum-err {drop | trap-to-host}
    Detects TCP checksum errors. Default: drop.

udp-csum-err {drop | trap-to-host}
    Detects UDP checksum errors. Default: drop.

icmp-csum-err {drop | trap-to-host}
    Detects ICMP checksum errors. The config system npu command includes a new htx-icmp-csum-chk option to block or allow NP7 processors to send ICMP packets with checksum errors to the CPU. See htx-icmp-csum-chk {drop | pass}. Default: drop.

sctp-csum-err {allow | drop | trap-to-host}
    Detects SCTP checksum errors. NP7 processors normally drop SCTP packets with checksum errors. You can use this option to allow SCTP packets with checksum errors or to send them to the CPU. Default: drop.

ipv6-land {allow | drop | trap-to-host}
    Detects IPv6 land anomalies. Default: trap-to-host.

ipv6-unknopt {allow | drop | trap-to-host}
    Detects unknown option anomalies. Default: trap-to-host.

ipv6-saddr-err {allow | drop | trap-to-host}
    Detects source address as multicast anomalies. Default: trap-to-host.

ipv6-daddr-err {allow | drop | trap-to-host}
    Detects destination address as unspecified or loopback address anomalies. Default: trap-to-host.

ipv6-optralert {allow | drop | trap-to-host}
    Detects router alert option anomalies. Default: trap-to-host.

ipv6-optjumbo {allow | drop | trap-to-host}
    Detects jumbo option anomalies. Default: trap-to-host.

ipv6-opttunnel {allow | drop | trap-to-host}
    Detects tunnel encapsulation limit option anomalies. Default: trap-to-host.

ipv6-opthomeaddr {allow | drop | trap-to-host}
    Detects home address option anomalies. Default: trap-to-host.

ipv6-optnsap {allow | drop | trap-to-host}
    Detects network service access point address option anomalies. Default: trap-to-host.

ipv6-optendpid {allow | drop | trap-to-host}
    Detects end point identification anomalies. Default: trap-to-host.

ipv6-optinvld {allow | drop | trap-to-host}
    Detects invalid option anomalies. Default: trap-to-host.
