Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Hardware Acceleration

    Home FortiGate / FortiOS 7.4.2 Hardware Acceleration
    7.4.2
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.6
    6.4.5
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.9
    6.2.7
    6.0.18
    6.0.17
    6.0.16
    6.0.15
    6.0.14
    5.6.0

    Configuring individual NP6 processors

    Configuring individual NP6 processors

    You can use the config system np6 command to configure a wide range of settings for each of the NP6 processors in your FortiGate unit including enabling session accounting and adjusting session timeouts. As well you can set anomaly checking for IPv4 and IPv6 traffic.

    For FortiGates with NP6XLite processors, the config system np6xlite command has similar options.

    For FortiGates with NP6Lite processors, the config system np6lite command has similar options.

    You can also enable and adjust Host Protection Engine (HPE) to protect networks from DoS attacks by categorizing incoming packets based on packet rate and processing cost and applying packet shaping to packets that can cause DoS attacks.

    The settings that you configure for an NP6 processor with the config system np6 command apply to traffic processed by all interfaces connected to that NP6 processor. This includes the physical interfaces connected to the NP6 processor as well as all subinterfaces, VLAN interfaces, IPsec interfaces, LAGs and so on associated with the physical interfaces connected to the NP6 processor.

    config system {np6 | np6xlite | np6lite}

    edit <np6-processor-name>

    set low-latency-mode {disable | enable}

    set per-session-accounting {disable | enable | traffic-log-only}

    set session-timeout-random-range <range>

    set garbage-session-collector {disable | enable}

    set session-collector-interval <range>

    set session-timeout-interval <range>

    set session-timeout-random-range <range>

    set session-timeout-fixed {disable | enable}

    config hpe

    set tcpsyn-max <packets-per-second>

    set tcpsyn-ack-max <packets-per-second>

    set tcpfin-rst-max <packets-per-second>

    set tcp-max <packets-per-second>

    set udp-max <packets-per-second>

    set icmp-max <packets-per-second>

    set sctp-max <packets-per-second>

    set esp-max <packets-per-second>

    set ip-frag-max <packets-per-second>

    set ip-others-max <packets-per-second>

    set arp-max <packets-per-second>

    set l2-others-max <packets-per-second>

    set pri-type-max <packets-per-second>

    set enable-shaper {disable | enable}

    config fp-anomaly

    set tcp-syn-fin {allow | drop | trap-to-host}

    set tcp-fin-noack {allow | drop | trap-to-host}

    set tcp-fin-only {allow | drop | trap-to-host}

    set tcp-no-flag {allow | drop | trap-to-host}

    set tcp-syn-data {allow | drop | trap-to-host}

    set tcp-winnuke {allow | drop | trap-to-host}

    set tcp-land {allow | drop | trap-to-host}

    set udp-land {allow | drop | trap-to-host}

    set icmp-land {allow | drop | trap-to-host}

    set icmp-frag {allow | drop | trap-to-host}

    set ipv4-land {allow | drop | trap-to-host}

    set ipv4-proto-err {allow | drop | trap-to-host}

    set ipv4-unknopt {allow | drop | trap-to-host}

    set ipv4-optrr {allow | drop | trap-to-host}

    set ipv4-optssrr {allow | drop | trap-to-host}

    set ipv4-optlsrr {allow | drop | trap-to-host}

    set ipv4-optstream {allow | drop | trap-to-host}

    set ipv4-optsecurity {allow | drop | trap-to-host}

    set ipv4-opttimestamp {allow | drop | trap-to-host}

    set ipv4-csum-err {drop | trap-to-host}

    set tcp-csum-err {drop | trap-to-host}

    set udp-csum-err {drop | trap-to-host}

    set icmp-csum-err {drop | trap-to-host}

    set ipv6-land {allow | drop | trap-to-host}

    set ipv6-proto-err {allow | drop | trap-to-host}

    set ipv6-unknopt {allow | drop | trap-to-host}

    set ipv6-saddr-err {allow | drop | trap-to-host}

    set ipv6-daddr-err {allow | drop | trap-to-host}

    set ipv6-optralert {allow | drop | trap-to-host}

    set ipv6-optjumbo {allow | drop | trap-to-host}

    set ipv6-opttunnel {allow | drop | trap-to-host}

    set ipv6-opthomeaddr {allow | drop | trap-to-host}

    set ipv6-optnsap {allow | drop | trap-to-host}

    set ipv6-optendpid {allow | drop | trap-to-host}

    set ipv6-optinvld {allow | drop | trap-to-host}

    end

    Command syntax
    Command Description Default
    low-latency-mode {disable | enable} Enable low-latency mode. In low latency mode the integrated switch fabric is bypassed. Low latency mode requires that packet enter and exit using the same NP6 processor. This option is only available for NP6 processors that can operate in low-latency mode, currently only np6_0 and np6_1 on the FortiGate 3700D and DX. disable
    per-session-accounting {disable | enable | traffic-log-only} Disable NP6 per-session accounting or enable it and control how it works. If set to traffic-log-only (the default) NP6 per-session accounting is only enabled if firewall policies accepting offloaded traffic have traffic logging enabled. If set to enable, NP6 per-session accounting is always enabled for all traffic offloaded by the NP6 processor.

    Enabling per-session accounting can affect performance.    		 traffic-log-only
    garbage-session-collector {disable | enable} Enable deleting expired or garbage sessions. disable
    session-collector-interval <range> Set the expired or garbage session collector time interval in seconds. The range is 1 to 100 seconds. 64
    session-timeout-interval <range> Set the timeout for checking for and removing inactive NP6 sessions. The range is 0 to 1000 seconds. 40
    session-timeout-random-range <range> Set the random timeout for checking and removing inactive NP6 sessions. The range is 0 to 1000 seconds. For more information, see Configuring NP6 session timeouts. 8
    session-timeout-fixed {disable | enable} Enable to force checking for and removing inactive NP6 sessions at the session-timeout-interval time interval. Set to disable (the default) to check for and remove inactive NP6 sessions at random time intervals. For more information, see Configuring NP6 session timeouts. disable

    config hpe

    See NP6 HPE host protection engine.

    config fp-anomaly

    fp-anomaly Configure how the NP6 processor performs traffic anomaly protection. In most cases you can configure the NP6 processor to allow or drop the packets associated with an attack or forward the packets that are associated with the attack to FortiOS (called trap-to-host). Selecting trap-to-host turns off NP6 anomaly protection for that anomaly. If you require anomaly protection but don't want to use the NP6 processor, you can select trap-to-host and enable anomaly protection with a DoS policy.
    tcp-syn-fin {allow | drop | trap-to-host} Detects TCP SYN flood SYN/FIN flag set anomalies. allow
    tcp-fin-noack {allow | drop | trap-to-host} Detects TCP SYN flood with FIN flag set without ACK setting anomalies. trap-to-host
    tcp-fin-only {allow | drop | trap-to-host} Detects TCP SYN flood with only FIN flag set anomalies. trap-to-host
    tcp-no-flag {allow | drop | trap-to-host} Detects TCP SYN flood with no flag set anomalies. allow
    tcp-syn-data {allow | drop | trap-to-host} Detects TCP SYN flood packets with data anomalies. allow
    tcp-winnuke {allow | drop | trap-to-host} Detects TCP WinNuke anomalies. trap-to-host
    tcp-land {allow | drop | trap-to-host} Detects TCP land anomalies. trap-to-host
    udp-land {allow | drop | trap-to-host} Detects UDP land anomalies. trap-to-host
    icmp-land {allow | drop | trap-to-host} Detects ICMP land anomalies. trap-to-host
    icmp-frag {allow | drop | trap-to-host} Detects Layer 3 fragmented packets that could be part of a layer 4 ICMP anomalies. allow
    ipv4-land {allow | drop | trap-to-host} Detects IPv4 land anomalies. trap-to-host
    ipv4-proto-err {allow | drop | trap-to-host} Detects invalid layer 4 protocol anomalies.

    For information about the error codes that are produced by setting this option to drop, see NP6 anomaly error codes.

    		 trap-to-host
    ipv4-unknopt {allow | drop | trap-to-host} Detects unknown option anomalies. trap-to-host
    ipv4-optrr {allow | drop | trap-to-host} Detects IPv4 with record route option anomalies. trap-to-host
    ipv4-optssrr {allow | drop | trap-to-host} Detects IPv4 with strict source record route option anomalies. trap-to-host
    ipv4-optlsrr {allow | drop | trap-to-host} Detects IPv4 with loose source record route option anomalies. trap-to-host
    ipv4-optstream {allow | drop | trap-to-host} Detects stream option anomalies. trap-to-host
    ipv4-optsecurity {allow | drop | trap-to-host} Detects security option anomalies. trap-to-host
    ipv4-opttimestamp {allow | drop | trap-to-host} Detects timestamp option anomalies. trap-to-host
    ipv4-csum-err {drop | trap-to-host} Detects IPv4 checksum errors. drop
    tcp-csum-err {drop | trap-to-host} Detects TCP checksum errors. drop
    udp-csum-err {drop | trap-to-host} Detects UDP checksum errors. drop
    icmp-csum-err {drop | trap-to-host} Detects ICMP checksum errors. drop
    ipv6-land {allow | drop | trap-to-host} Detects IPv6 land anomalies trap-to-host
    ipv6-unknopt {allow | drop | trap-to-host} Detects unknown option anomalies. trap-to-host
    ipv6-saddr-err {allow | drop | trap-to-host} Detects source address as multicast anomalies. trap-to-host
    ipv6-daddr-err {allow | drop | trap-to-host} Detects destination address as unspecified or loopback address anomalies. trap-to-host
    ipv6-optralert {allow | drop | trap-to-host} Detects router alert option anomalies. trap-to-host
    ipv6-optjumbo {allow | drop | trap-to-host} Detects jumbo options anomalies. trap-to-host
    ipv6-opttunnel {allow | drop | trap-to-host} Detects tunnel encapsulation limit option anomalies. trap-to-host
    ipv6-opthomeaddr {allow | drop | trap-to-host} Detects home address option anomalies. trap-to-host
    ipv6-optnsap {allow | drop | trap-to-host} Detects network service access point address option anomalies. trap-to-host
    ipv6-optendpid {allow | drop | trap-to-host} Detects end point identification anomalies. trap-to-host
    ipv6-optinvld {allow | drop | trap-to-host} Detects invalid option anomalies. trap-to-host
    Previous
    Next

    Configuring individual NP6 processors

    Configuring individual NP6 processors

    You can use the config system np6 command to configure a wide range of settings for each of the NP6 processors in your FortiGate unit including enabling session accounting and adjusting session timeouts. As well you can set anomaly checking for IPv4 and IPv6 traffic.

    For FortiGates with NP6XLite processors, the config system np6xlite command has similar options.

    For FortiGates with NP6Lite processors, the config system np6lite command has similar options.

    You can also enable and adjust Host Protection Engine (HPE) to protect networks from DoS attacks by categorizing incoming packets based on packet rate and processing cost and applying packet shaping to packets that can cause DoS attacks.

    The settings that you configure for an NP6 processor with the config system np6 command apply to traffic processed by all interfaces connected to that NP6 processor. This includes the physical interfaces connected to the NP6 processor as well as all subinterfaces, VLAN interfaces, IPsec interfaces, LAGs and so on associated with the physical interfaces connected to the NP6 processor.

    config system {np6 | np6xlite | np6lite}

    edit <np6-processor-name>

    set low-latency-mode {disable | enable}

    set per-session-accounting {disable | enable | traffic-log-only}

    set session-timeout-random-range <range>

    set garbage-session-collector {disable | enable}

    set session-collector-interval <range>

    set session-timeout-interval <range>

    set session-timeout-random-range <range>

    set session-timeout-fixed {disable | enable}

    config hpe

    set tcpsyn-max <packets-per-second>

    set tcpsyn-ack-max <packets-per-second>

    set tcpfin-rst-max <packets-per-second>

    set tcp-max <packets-per-second>

    set udp-max <packets-per-second>

    set icmp-max <packets-per-second>

    set sctp-max <packets-per-second>

    set esp-max <packets-per-second>

    set ip-frag-max <packets-per-second>

    set ip-others-max <packets-per-second>

    set arp-max <packets-per-second>

    set l2-others-max <packets-per-second>

    set pri-type-max <packets-per-second>

    set enable-shaper {disable | enable}

    config fp-anomaly

    set tcp-syn-fin {allow | drop | trap-to-host}

    set tcp-fin-noack {allow | drop | trap-to-host}

    set tcp-fin-only {allow | drop | trap-to-host}

    set tcp-no-flag {allow | drop | trap-to-host}

    set tcp-syn-data {allow | drop | trap-to-host}

    set tcp-winnuke {allow | drop | trap-to-host}

    set tcp-land {allow | drop | trap-to-host}

    set udp-land {allow | drop | trap-to-host}

    set icmp-land {allow | drop | trap-to-host}

    set icmp-frag {allow | drop | trap-to-host}

    set ipv4-land {allow | drop | trap-to-host}

    set ipv4-proto-err {allow | drop | trap-to-host}

    set ipv4-unknopt {allow | drop | trap-to-host}

    set ipv4-optrr {allow | drop | trap-to-host}

    set ipv4-optssrr {allow | drop | trap-to-host}

    set ipv4-optlsrr {allow | drop | trap-to-host}

    set ipv4-optstream {allow | drop | trap-to-host}

    set ipv4-optsecurity {allow | drop | trap-to-host}

    set ipv4-opttimestamp {allow | drop | trap-to-host}

    set ipv4-csum-err {drop | trap-to-host}

    set tcp-csum-err {drop | trap-to-host}

    set udp-csum-err {drop | trap-to-host}

    set icmp-csum-err {drop | trap-to-host}

    set ipv6-land {allow | drop | trap-to-host}

    set ipv6-proto-err {allow | drop | trap-to-host}

    set ipv6-unknopt {allow | drop | trap-to-host}

    set ipv6-saddr-err {allow | drop | trap-to-host}

    set ipv6-daddr-err {allow | drop | trap-to-host}

    set ipv6-optralert {allow | drop | trap-to-host}

    set ipv6-optjumbo {allow | drop | trap-to-host}

    set ipv6-opttunnel {allow | drop | trap-to-host}

    set ipv6-opthomeaddr {allow | drop | trap-to-host}

    set ipv6-optnsap {allow | drop | trap-to-host}

    set ipv6-optendpid {allow | drop | trap-to-host}

    set ipv6-optinvld {allow | drop | trap-to-host}

    end

    Command syntax
    Command Description Default
    low-latency-mode {disable | enable} Enable low-latency mode. In low latency mode the integrated switch fabric is bypassed. Low latency mode requires that packet enter and exit using the same NP6 processor. This option is only available for NP6 processors that can operate in low-latency mode, currently only np6_0 and np6_1 on the FortiGate 3700D and DX. disable
    per-session-accounting {disable | enable | traffic-log-only} Disable NP6 per-session accounting or enable it and control how it works. If set to traffic-log-only (the default) NP6 per-session accounting is only enabled if firewall policies accepting offloaded traffic have traffic logging enabled. If set to enable, NP6 per-session accounting is always enabled for all traffic offloaded by the NP6 processor.

    Enabling per-session accounting can affect performance.    		 traffic-log-only
    garbage-session-collector {disable | enable} Enable deleting expired or garbage sessions. disable
    session-collector-interval <range> Set the expired or garbage session collector time interval in seconds. The range is 1 to 100 seconds. 64
    session-timeout-interval <range> Set the timeout for checking for and removing inactive NP6 sessions. The range is 0 to 1000 seconds. 40
    session-timeout-random-range <range> Set the random timeout for checking and removing inactive NP6 sessions. The range is 0 to 1000 seconds. For more information, see Configuring NP6 session timeouts. 8
    session-timeout-fixed {disable | enable} Enable to force checking for and removing inactive NP6 sessions at the session-timeout-interval time interval. Set to disable (the default) to check for and remove inactive NP6 sessions at random time intervals. For more information, see Configuring NP6 session timeouts. disable

    config hpe

    See NP6 HPE host protection engine.

    config fp-anomaly

    fp-anomaly Configure how the NP6 processor performs traffic anomaly protection. In most cases you can configure the NP6 processor to allow or drop the packets associated with an attack or forward the packets that are associated with the attack to FortiOS (called trap-to-host). Selecting trap-to-host turns off NP6 anomaly protection for that anomaly. If you require anomaly protection but don't want to use the NP6 processor, you can select trap-to-host and enable anomaly protection with a DoS policy.
    tcp-syn-fin {allow | drop | trap-to-host} Detects TCP SYN flood SYN/FIN flag set anomalies. allow
    tcp-fin-noack {allow | drop | trap-to-host} Detects TCP SYN flood with FIN flag set without ACK setting anomalies. trap-to-host
    tcp-fin-only {allow | drop | trap-to-host} Detects TCP SYN flood with only FIN flag set anomalies. trap-to-host
    tcp-no-flag {allow | drop | trap-to-host} Detects TCP SYN flood with no flag set anomalies. allow
    tcp-syn-data {allow | drop | trap-to-host} Detects TCP SYN flood packets with data anomalies. allow
    tcp-winnuke {allow | drop | trap-to-host} Detects TCP WinNuke anomalies. trap-to-host
    tcp-land {allow | drop | trap-to-host} Detects TCP land anomalies. trap-to-host
    udp-land {allow | drop | trap-to-host} Detects UDP land anomalies. trap-to-host
    icmp-land {allow | drop | trap-to-host} Detects ICMP land anomalies. trap-to-host
    icmp-frag {allow | drop | trap-to-host} Detects Layer 3 fragmented packets that could be part of a layer 4 ICMP anomalies. allow
    ipv4-land {allow | drop | trap-to-host} Detects IPv4 land anomalies. trap-to-host
    ipv4-proto-err {allow | drop | trap-to-host} Detects invalid layer 4 protocol anomalies.

    For information about the error codes that are produced by setting this option to drop, see NP6 anomaly error codes.

    		 trap-to-host
    ipv4-unknopt {allow | drop | trap-to-host} Detects unknown option anomalies. trap-to-host
    ipv4-optrr {allow | drop | trap-to-host} Detects IPv4 with record route option anomalies. trap-to-host
    ipv4-optssrr {allow | drop | trap-to-host} Detects IPv4 with strict source record route option anomalies. trap-to-host
    ipv4-optlsrr {allow | drop | trap-to-host} Detects IPv4 with loose source record route option anomalies. trap-to-host
    ipv4-optstream {allow | drop | trap-to-host} Detects stream option anomalies. trap-to-host
    ipv4-optsecurity {allow | drop | trap-to-host} Detects security option anomalies. trap-to-host
    ipv4-opttimestamp {allow | drop | trap-to-host} Detects timestamp option anomalies. trap-to-host
    ipv4-csum-err {drop | trap-to-host} Detects IPv4 checksum errors. drop
    tcp-csum-err {drop | trap-to-host} Detects TCP checksum errors. drop
    udp-csum-err {drop | trap-to-host} Detects UDP checksum errors. drop
    icmp-csum-err {drop | trap-to-host} Detects ICMP checksum errors. drop
    ipv6-land {allow | drop | trap-to-host} Detects IPv6 land anomalies trap-to-host
    ipv6-unknopt {allow | drop | trap-to-host} Detects unknown option anomalies. trap-to-host
    ipv6-saddr-err {allow | drop | trap-to-host} Detects source address as multicast anomalies. trap-to-host
    ipv6-daddr-err {allow | drop | trap-to-host} Detects destination address as unspecified or loopback address anomalies. trap-to-host
    ipv6-optralert {allow | drop | trap-to-host} Detects router alert option anomalies. trap-to-host
    ipv6-optjumbo {allow | drop | trap-to-host} Detects jumbo options anomalies. trap-to-host
    ipv6-opttunnel {allow | drop | trap-to-host} Detects tunnel encapsulation limit option anomalies. trap-to-host
    ipv6-opthomeaddr {allow | drop | trap-to-host} Detects home address option anomalies. trap-to-host
    ipv6-optnsap {allow | drop | trap-to-host} Detects network service access point address option anomalies. trap-to-host
    ipv6-optendpid {allow | drop | trap-to-host} Detects end point identification anomalies. trap-to-host
    ipv6-optinvld {allow | drop | trap-to-host} Detects invalid option anomalies. trap-to-host
    Previous
    Next