Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Hardware Acceleration

    Home FortiGate / FortiOS 7.4.2 Hardware Acceleration
    7.4.2
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.6
    6.4.5
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.9
    6.2.7
    6.0.18
    6.0.17
    6.0.16
    6.0.15
    6.0.14
    5.6.0

    config fp-anomaly

    config fp-anomaly

    Use the following command to configure the NP7 traffic anomaly protection:

    config system npu

    config fp-anomaly

    set tcp-syn-fin {allow | drop | trap-to-host}

    set tcp-fin-noack {allow | drop | trap-to-host}

    set tcp-fin-only {allow | drop | trap-to-host}

    set tcp-no-flag {allow | drop | trap-to-host}

    set tcp-syn-data {allow | drop | trap-to-host}

    set tcp-winnuke {allow | drop | trap-to-host}

    set tcp-land {allow | drop | trap-to-host}

    set udp-land {allow | drop | trap-to-host}

    set icmp-land {allow | drop | trap-to-host}

    set icmp-frag {allow | drop | trap-to-host}

    set ipv4-land {allow | drop | trap-to-host}

    set ipv4-proto-err {allow | drop | trap-to-host}

    set ipv4-unknopt {allow | drop | trap-to-host}

    set ipv4-optrr {allow | drop | trap-to-host}

    set ipv4-optssrr {allow | drop | trap-to-host}

    set ipv4-optlsrr {allow | drop | trap-to-host}

    set ipv4-optstream {allow | drop | trap-to-host}

    set ipv4-optsecurity {allow | drop | trap-to-host}

    set ipv4-opttimestamp {allow | drop | trap-to-host}

    set ipv4-csum-err {drop | trap-to-host}

    set tcp-csum-err {drop | trap-to-host}

    set udp-csum-err {drop | trap-to-host}

    set icmp-csum-err {drop | trap-to-host}

    set ipv6-land {allow | drop | trap-to-host}

    set ipv6-proto-err {allow | drop | trap-to-host}

    set ipv6-unknopt {allow | drop | trap-to-host}

    set ipv6-saddr-err {allow | drop | trap-to-host}

    set ipv6-daddr-err {allow | drop | trap-to-host}

    set ipv6-optralert {allow | drop | trap-to-host}

    set ipv6-optjumbo {allow | drop | trap-to-host}

    set ipv6-opttunnel {allow | drop | trap-to-host}

    set ipv6-opthomeaddr {allow | drop | trap-to-host}

    set ipv6-optnsap {allow | drop | trap-to-host}

    set ipv6-optendpid {allow | drop | trap-to-host}

    set ipv6-optinvld {allow | drop | trap-to-host}

    end

    In most cases you can configure the NP7 processor to allow or drop the packets associated with an attack or forward the packets that are associated with the attack to FortiOS (called trap-to-host). Selecting trap-to-host turns off NP7 anomaly protection for that anomaly.

    If you select trap-to-host for an anomaly protection option, you can use a DoS policy to configure anomaly protection for that anomaly. If you set the policy-offload-level NPU setting to dos-offload, DoS policy anomaly protection is offloaded to the NP7.

    Command Description Default
    tcp-syn-fin {allow | drop | trap-to-host} Detects TCP SYN flood SYN/FIN flag set anomalies. allow
    tcp-fin-noack {allow | drop | trap-to-host} Detects TCP SYN flood with FIN flag set without ACK setting anomalies. trap-to-host
    tcp-fin-only {allow | drop | trap-to-host} Detects TCP SYN flood with only FIN flag set anomalies. trap-to-host
    tcp-no-flag {allow | drop | trap-to-host} Detects TCP SYN flood with no flag set anomalies. allow
    tcp-syn-data {allow | drop | trap-to-host} Detects TCP SYN flood packets with data anomalies. allow
    tcp-winnuke {allow | drop | trap-to-host} Detects TCP WinNuke anomalies. trap-to-host
    tcp-land {allow | drop | trap-to-host} Detects TCP land anomalies. trap-to-host
    udp-land {allow | drop | trap-to-host} Detects UDP land anomalies. trap-to-host
    icmp-land {allow | drop | trap-to-host} Detects ICMP land anomalies. trap-to-host
    icmp-frag {allow | drop | trap-to-host} Detects Layer 3 fragmented packets that could be part of a layer 4 ICMP anomalies. allow
    ipv4-land {allow | drop | trap-to-host} Detects IPv4 land anomalies. trap-to-host
    ipv4-proto-err {allow | drop | trap-to-host} Detects invalid layer 4 protocol anomalies. For information about the error codes that are produced by setting this option to drop, see NP6 anomaly error codes. trap-to-host
    ipv4-unknopt {allow | drop | trap-to-host} Detects unknown option anomalies. trap-to-host
    ipv4-optrr {allow | drop | trap-to-host} Detects IPv4 with record route option anomalies. trap-to-host
    ipv4-optssrr {allow | drop | trap-to-host} Detects IPv4 with strict source record route option anomalies. trap-to-host
    ipv4-optlsrr {allow | drop | trap-to-host} Detects IPv4 with loose source record route option anomalies. trap-to-host
    ipv4-optstream {allow | drop | trap-to-host} Detects stream option anomalies. trap-to-host
    ipv4-optsecurity {allow | drop | trap-to-host} Detects security option anomalies. trap-to-host
    ipv4-opttimestamp {allow | drop | trap-to-host} Detects timestamp option anomalies. trap-to-host
    ipv4-csum-err {drop | trap-to-host} Detects IPv4 checksum errors. drop
    tcp-csum-err {drop | trap-to-host} Detects TCP checksum errors. drop
    udp-csum-err {drop | trap-to-host} Detects UDP checksum errors. drop
    icmp-csum-err {drop | trap-to-host} Detects ICMP checksum errors. T he config system npu command includes a new htx-icmp-csum-chk option to block or allow NP7 processors to send ICMP packets with checksum errors to the CPU. See htx-icmp-csum-chk { drop | pass}. drop
    ipv6-land {allow | drop | trap-to-host} Detects IPv6 land anomalies trap-to-host
    ipv6-unknopt {allow | drop | trap-to-host} Detects unknown option anomalies. trap-to-host
    ipv6-saddr-err {allow | drop | trap-to-host} Detects source address as multicast anomalies. trap-to-host
    ipv6-daddr-err {allow | drop | trap-to-host} Detects destination address as unspecified or loopback address anomalies. trap-to-host
    ipv6-optralert {allow | drop | trap-to-host} Detects router alert option anomalies. trap-to-host
    ipv6-optjumbo {allow | drop | trap-to-host} Detects jumbo options anomalies. trap-to-host
    ipv6-opttunnel {allow | drop | trap-to-host} Detects tunnel encapsulation limit option anomalies. trap-to-host
    ipv6-opthomeaddr {allow | drop | trap-to-host} Detects home address option anomalies. trap-to-host
    ipv6-optnsap {allow | drop | trap-to-host} Detects network service access point address option anomalies. trap-to-host
    ipv6-optendpid {allow | drop | trap-to-host} Detects end point identification anomalies. trap-to-host
    ipv6-optinvld {allow | drop | trap-to-host} Detects invalid option anomalies. trap-to-host
    Previous
    Next

    config fp-anomaly

    config fp-anomaly

    Use the following command to configure the NP7 traffic anomaly protection:

    config system npu

    config fp-anomaly

    set tcp-syn-fin {allow | drop | trap-to-host}

    set tcp-fin-noack {allow | drop | trap-to-host}

    set tcp-fin-only {allow | drop | trap-to-host}

    set tcp-no-flag {allow | drop | trap-to-host}

    set tcp-syn-data {allow | drop | trap-to-host}

    set tcp-winnuke {allow | drop | trap-to-host}

    set tcp-land {allow | drop | trap-to-host}

    set udp-land {allow | drop | trap-to-host}

    set icmp-land {allow | drop | trap-to-host}

    set icmp-frag {allow | drop | trap-to-host}

    set ipv4-land {allow | drop | trap-to-host}

    set ipv4-proto-err {allow | drop | trap-to-host}

    set ipv4-unknopt {allow | drop | trap-to-host}

    set ipv4-optrr {allow | drop | trap-to-host}

    set ipv4-optssrr {allow | drop | trap-to-host}

    set ipv4-optlsrr {allow | drop | trap-to-host}

    set ipv4-optstream {allow | drop | trap-to-host}

    set ipv4-optsecurity {allow | drop | trap-to-host}

    set ipv4-opttimestamp {allow | drop | trap-to-host}

    set ipv4-csum-err {drop | trap-to-host}

    set tcp-csum-err {drop | trap-to-host}

    set udp-csum-err {drop | trap-to-host}

    set icmp-csum-err {drop | trap-to-host}

    set ipv6-land {allow | drop | trap-to-host}

    set ipv6-proto-err {allow | drop | trap-to-host}

    set ipv6-unknopt {allow | drop | trap-to-host}

    set ipv6-saddr-err {allow | drop | trap-to-host}

    set ipv6-daddr-err {allow | drop | trap-to-host}

    set ipv6-optralert {allow | drop | trap-to-host}

    set ipv6-optjumbo {allow | drop | trap-to-host}

    set ipv6-opttunnel {allow | drop | trap-to-host}

    set ipv6-opthomeaddr {allow | drop | trap-to-host}

    set ipv6-optnsap {allow | drop | trap-to-host}

    set ipv6-optendpid {allow | drop | trap-to-host}

    set ipv6-optinvld {allow | drop | trap-to-host}

    end

    In most cases you can configure the NP7 processor to allow or drop the packets associated with an attack or forward the packets that are associated with the attack to FortiOS (called trap-to-host). Selecting trap-to-host turns off NP7 anomaly protection for that anomaly.

    If you select trap-to-host for an anomaly protection option, you can use a DoS policy to configure anomaly protection for that anomaly. If you set the policy-offload-level NPU setting to dos-offload, DoS policy anomaly protection is offloaded to the NP7.

    Command Description Default
    tcp-syn-fin {allow | drop | trap-to-host} Detects TCP SYN flood SYN/FIN flag set anomalies. allow
    tcp-fin-noack {allow | drop | trap-to-host} Detects TCP SYN flood with FIN flag set without ACK setting anomalies. trap-to-host
    tcp-fin-only {allow | drop | trap-to-host} Detects TCP SYN flood with only FIN flag set anomalies. trap-to-host
    tcp-no-flag {allow | drop | trap-to-host} Detects TCP SYN flood with no flag set anomalies. allow
    tcp-syn-data {allow | drop | trap-to-host} Detects TCP SYN flood packets with data anomalies. allow
    tcp-winnuke {allow | drop | trap-to-host} Detects TCP WinNuke anomalies. trap-to-host
    tcp-land {allow | drop | trap-to-host} Detects TCP land anomalies. trap-to-host
    udp-land {allow | drop | trap-to-host} Detects UDP land anomalies. trap-to-host
    icmp-land {allow | drop | trap-to-host} Detects ICMP land anomalies. trap-to-host
    icmp-frag {allow | drop | trap-to-host} Detects Layer 3 fragmented packets that could be part of a layer 4 ICMP anomalies. allow
    ipv4-land {allow | drop | trap-to-host} Detects IPv4 land anomalies. trap-to-host
    ipv4-proto-err {allow | drop | trap-to-host} Detects invalid layer 4 protocol anomalies. For information about the error codes that are produced by setting this option to drop, see NP6 anomaly error codes. trap-to-host
    ipv4-unknopt {allow | drop | trap-to-host} Detects unknown option anomalies. trap-to-host
    ipv4-optrr {allow | drop | trap-to-host} Detects IPv4 with record route option anomalies. trap-to-host
    ipv4-optssrr {allow | drop | trap-to-host} Detects IPv4 with strict source record route option anomalies. trap-to-host
    ipv4-optlsrr {allow | drop | trap-to-host} Detects IPv4 with loose source record route option anomalies. trap-to-host
    ipv4-optstream {allow | drop | trap-to-host} Detects stream option anomalies. trap-to-host
    ipv4-optsecurity {allow | drop | trap-to-host} Detects security option anomalies. trap-to-host
    ipv4-opttimestamp {allow | drop | trap-to-host} Detects timestamp option anomalies. trap-to-host
    ipv4-csum-err {drop | trap-to-host} Detects IPv4 checksum errors. drop
    tcp-csum-err {drop | trap-to-host} Detects TCP checksum errors. drop
    udp-csum-err {drop | trap-to-host} Detects UDP checksum errors. drop
    icmp-csum-err {drop | trap-to-host} Detects ICMP checksum errors. T he config system npu command includes a new htx-icmp-csum-chk option to block or allow NP7 processors to send ICMP packets with checksum errors to the CPU. See htx-icmp-csum-chk { drop | pass}. drop
    ipv6-land {allow | drop | trap-to-host} Detects IPv6 land anomalies trap-to-host
    ipv6-unknopt {allow | drop | trap-to-host} Detects unknown option anomalies. trap-to-host
    ipv6-saddr-err {allow | drop | trap-to-host} Detects source address as multicast anomalies. trap-to-host
    ipv6-daddr-err {allow | drop | trap-to-host} Detects destination address as unspecified or loopback address anomalies. trap-to-host
    ipv6-optralert {allow | drop | trap-to-host} Detects router alert option anomalies. trap-to-host
    ipv6-optjumbo {allow | drop | trap-to-host} Detects jumbo options anomalies. trap-to-host
    ipv6-opttunnel {allow | drop | trap-to-host} Detects tunnel encapsulation limit option anomalies. trap-to-host
    ipv6-opthomeaddr {allow | drop | trap-to-host} Detects home address option anomalies. trap-to-host
    ipv6-optnsap {allow | drop | trap-to-host} Detects network service access point address option anomalies. trap-to-host
    ipv6-optendpid {allow | drop | trap-to-host} Detects end point identification anomalies. trap-to-host
    ipv6-optinvld {allow | drop | trap-to-host} Detects invalid option anomalies. trap-to-host
    Previous
    Next