Fortinet white logo
Fortinet white logo

CLI Reference

config system np6xlite

config system np6xlite

Note

This command is available for model(s): FortiGate 100F, FortiGate 101F, FortiGate 200F, FortiGate 201F, FortiGate 40F 3G4G, FortiGate 40F, FortiGate 60F, FortiGate 61F, FortiGate 70F, FortiGate 71F, FortiGate 80F Bypass, FortiGate 80F DSL, FortiGate 80F-POE, FortiGate 80F, FortiGate 81F-POE, FortiGate 81F, FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiGateRugged 70F 3G4G, FortiGateRugged 70F, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60F, FortiWiFi 61F, FortiWiFi 80F 2R 3G4G DSL, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G DSL, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.

It is not available for: FortiGate 1000D, FortiGate 1000F, FortiGate 1001F, FortiGate 1100E, FortiGate 1101E, FortiGate 120G, FortiGate 121G, FortiGate 140E-POE, FortiGate 140E, FortiGate 1800F, FortiGate 1801F, FortiGate 2000E, FortiGate 200E, FortiGate 201E, FortiGate 2200E, FortiGate 2201E, FortiGate 2500E, FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 3000F, FortiGate 3001F, FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D, FortiGate 3200F, FortiGate 3201F, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E, FortiGate 3401E, FortiGate 3500F, FortiGate 3501F, FortiGate 3600E, FortiGate 3601E, FortiGate 3700D, FortiGate 3700F, FortiGate 3701F, FortiGate 3960E, FortiGate 3980E, FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E, FortiGate 401F, FortiGate 4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F, FortiGate 5001E1, FortiGate 5001E, FortiGate 500E, FortiGate 501E, FortiGate 600E, FortiGate 600F, FortiGate 601E, FortiGate 601F, FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 61E, FortiGate 800D, FortiGate 80E-POE, FortiGate 80E, FortiGate 81E-POE, FortiGate 81E, FortiGate 900D, FortiGate 900G, FortiGate 901G, FortiGate 90G, FortiGate 91E, FortiGate 91G, FortiGate VM for AWS, FortiGate VM for Azure, FortiGate VM64, FortiWiFi 60E DSLJ, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 61E.

Configure NP6XLITE attributes.

config system np6xlite
    Description: Configure NP6XLITE attributes.
    edit <name>
        set congestion-handling-mode [flow-control|head-of-line]
        set fastpath [disable|enable]
        config fp-anomaly
            Description: NP6XLITE IPv4 anomaly protection. The trap-to-host forwards anomaly sessions to the CPU.
            set icmp-csum-err [drop|trap-to-host]
            set icmp-frag [allow|drop|...]
            set icmp-land [allow|drop|...]
            set ipv4-csum-err [drop|trap-to-host]
            set ipv4-land [allow|drop|...]
            set ipv4-optlsrr [allow|drop|...]
            set ipv4-optrr [allow|drop|...]
            set ipv4-optsecurity [allow|drop|...]
            set ipv4-optssrr [allow|drop|...]
            set ipv4-optstream [allow|drop|...]
            set ipv4-opttimestamp [allow|drop|...]
            set ipv4-proto-err [allow|drop|...]
            set ipv4-unknopt [allow|drop|...]
            set ipv6-daddr-err [allow|drop|...]
            set ipv6-land [allow|drop|...]
            set ipv6-optendpid [allow|drop|...]
            set ipv6-opthomeaddr [allow|drop|...]
            set ipv6-optinvld [allow|drop|...]
            set ipv6-optjumbo [allow|drop|...]
            set ipv6-optnsap [allow|drop|...]
            set ipv6-optralert [allow|drop|...]
            set ipv6-opttunnel [allow|drop|...]
            set ipv6-proto-err [allow|drop|...]
            set ipv6-saddr-err [allow|drop|...]
            set ipv6-unknopt [allow|drop|...]
            set tcp-csum-err [drop|trap-to-host]
            set tcp-fin-noack [allow|drop|...]
            set tcp-fin-only [allow|drop|...]
            set tcp-land [allow|drop|...]
            set tcp-no-flag [allow|drop|...]
            set tcp-syn-data [allow|drop|...]
            set tcp-syn-fin [allow|drop|...]
            set tcp-winnuke [allow|drop|...]
            set udp-csum-err [drop|trap-to-host]
            set udp-land [allow|drop|...]
        end
        set garbage-session-collector [disable|enable]
        config hpe
            Description: HPE configuration.
            set arp-max {integer}
            set enable-shaper [disable|enable]
            set esp-max {integer}
            set icmp-max {integer}
            set ip-frag-max {integer}
            set ip-others-max {integer}
            set l2-others-max {integer}
            set pri-type-max {integer}
            set sctp-max {integer}
            set tcp-others-max {integer}
            set tcpfin-rst-max {integer}
            set tcpsyn-ack-max {integer}
            set tcpsyn-max {integer}
            set udp-max {integer}
        end
        set ipsec-inner-fragment [disable|enable]
        set ipsec-sts-timeout [1|2|...]
        set ipsec-throughput-msg-frequency [disable|32kb|...]
        set per-session-accounting [disable|traffic-log-only|...]
        set session-collector-interval {integer}
        set session-timeout-fixed [disable|enable]
        set session-timeout-interval {integer}
        set session-timeout-random-range {integer}
    next
end

config system np6xlite

Parameter

Description

Type

Size

Default

congestion-handling-mode *

Configure Marvell switch packet congestion handling.

option

-

head-of-line

Option

Description

flow-control

Pause peer sending additional traffic until congestion is resolved.

head-of-line

Drop excessive traffic until congestion is resolved.

fastpath

Enable/disable NP6XLITE offloading (also called fast path).

option

-

enable

Option

Description

disable

Disable NP6XLITE offloading (fast path).

enable

Enable NP6XLITE offloading (fast path).

garbage-session-collector

Enable/disable garbage session collector.

option

-

disable

Option

Description

disable

Disable garbage session collector.

enable

Enable garbage session collector.

ipsec-inner-fragment

Enable/disable NP6XLite IPsec fragmentation type: inner.

option

-

disable

Option

Description

disable

NP6XLite ipsec fragmentation type: outer.

enable

Enable NP6XLite ipsec fragmentation type: inner.

ipsec-sts-timeout

Set NP6XLite IPsec STS message timeout.

option

-

5

Option

Description

1

Set NP6Xlite STS message timeout to 1 sec (recommended for IPSec throughput GUI).

2

Set NP6Xlite STS message timeout to 2 sec.

3

Set NP6Xlite STS message timeout to 3 sec.

4

Set NP6Xlite STS message timeout to 4 sec.

5

Set NP6Xlite STS message timeout to 5 sec (default).

6

Set NP6Xlite STS message timeout to 6 sec.

7

Set NP6Xlite STS message timeout to 7 sec.

8

Set NP6Xlite STS message timeout to 8 sec.

9

Set NP6Xlite STS message timeout to 9 sec.

10

Set NP6Xlite STS message timeout to 10 sec.

ipsec-throughput-msg-frequency

Set NP6XLite IPsec throughput message frequency (0 = disable).

option

-

disable

Option

Description

disable

Disable NP6Xlite throughput update message.

32kb

Set NP6Xlite throughput update message frequency to 32KB.

64kb

Set NP6Xlite throughput update message frequency to 64KB.

128kb

Set NP6Xlite throughput update message frequency to 128KB.

256kb

Set NP6Xlite throughput update message frequency to 256KB.

512kb

Set NP6Xlite throughput update message frequency to 512KB.

1mb

Set NP6Xlite throughput update message frequency to 1MB.

2mb

Set NP6Xlite throughput update message frequency to 2MB.

4mb

Set NP6Xlite throughput update message frequency to 4MB.

8mb

Set NP6Xlite throughput update message frequency to 8MB.

16mb

Set NP6Xlite throughput update message frequency to 16MB.

32mb

Set NP6Xlite throughput update message frequency to 32MB.

64mb

Set NP6Xlite throughput update message frequency to 64MB.

128mb

Set NP6Xlite throughput update message frequency to 128MB.

256mb

Set NP6Xlite throughput update message frequency to 256MB.

512mb

Set NP6Xlite throughput update message frequency to 512MB.

1gb

Set NP6Xlite throughput update message frequency to 1GB.

name

Device Name.

string

Maximum length: 31

per-session-accounting

Enable/disable per-session accounting.

option

-

traffic-log-only

Option

Description

disable

Disable per-session accounting.

traffic-log-only

Per-session accounting only for sessions with traffic logging enabled in firewall policy.

enable

Per-session accounting for all sessions.

session-collector-interval

Set garbage session collection cleanup interval.

integer

Minimum value: 1 Maximum value: 100

64

session-timeout-fixed

Enable/disable fixed timeout interval mode.

option

-

disable

Option

Description

disable

Disable NPU session timeout at fixed interval.

enable

Enable NPU session timeout at fixed interval.

session-timeout-interval

Set session timeout interval.

integer

Minimum value: 0 Maximum value: 1000

40

session-timeout-random-range

Set the randomization range.

integer

Minimum value: 0 Maximum value: 1000

8

* This parameter may not exist in some models.

config fp-anomaly

Parameter

Description

Type

Size

Default

icmp-csum-err

Invalid IPv4 ICMP checksum anomalies.

option

-

drop

Option

Description

drop

Drop IPv4 invalid ICMP checksum.

trap-to-host

Forward IPv4 invalid ICMP checksum to main CPU for processing.

icmp-frag

Layer 3 fragmented packets that could be part of layer 4 ICMP anomalies.

option

-

allow

Option

Description

allow

Allow L3 fragment packet with L4 protocol as ICMP attack to pass.

drop

Drop L3 fragment packet with L4 protocol as ICMP attack.

trap-to-host

Forward L3 fragment packet with L4 protocol as ICMP attack to FortiOS.

icmp-land

ICMP land anomalies.

option

-

trap-to-host

Option

Description

allow

Allow ICMP land attack to pass.

drop

Drop ICMP land attack.

trap-to-host

Forward ICMP land attack to FortiOS.

ipv4-csum-err

Invalid IPv4 IP checksum anomalies.

option

-

drop

Option

Description

drop

Drop IPv4 invalid IP checksum.

trap-to-host

Forward IPv4 invalid IP checksum to main CPU for processing.

ipv4-land

Land anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv4 land attack to pass.

drop

Drop IPv4 land attack.

trap-to-host

Forward IPv4 land attack to FortiOS.

ipv4-optlsrr

Loose source record route option anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv4 with loose source record route option to pass.

drop

Drop IPv4 with loose source record route option.

trap-to-host

Forward IPv4 with loose source record route option to FortiOS.

ipv4-optrr

Record route option anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv4 with record route option to pass.

drop

Drop IPv4 with record route option.

trap-to-host

Forward IPv4 with record route option to FortiOS.

ipv4-optsecurity

Security option anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv4 with security option to pass.

drop

Drop IPv4 with security option.

trap-to-host

Forward IPv4 with security option to FortiOS.

ipv4-optssrr

Strict source record route option anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv4 with strict source record route option to pass.

drop

Drop IPv4 with strict source record route option.

trap-to-host

Forward IPv4 with strict source record route option to FortiOS.

ipv4-optstream

Stream option anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv4 with stream option to pass.

drop

Drop IPv4 with stream option.

trap-to-host

Forward IPv4 with stream option to FortiOS.

ipv4-opttimestamp

Timestamp option anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv4 with timestamp option to pass.

drop

Drop IPv4 with timestamp option.

trap-to-host

Forward IPv4 with timestamp option to FortiOS.

ipv4-proto-err

Invalid layer 4 protocol anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv4 invalid L4 protocol to pass.

drop

Drop IPv4 invalid L4 protocol.

trap-to-host

Forward IPv4 invalid L4 protocol to FortiOS.

ipv4-unknopt

Unknown option anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv4 with unknown options to pass.

drop

Drop IPv4 with unknown options.

trap-to-host

Forward IPv4 with unknown options to FortiOS.

ipv6-daddr-err

Destination address as unspecified or loopback address anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv6 with destination address as unspecified or loopback address to pass.

drop

Drop IPv6 with destination address as unspecified or loopback address.

trap-to-host

Forward IPv6 with destination address as unspecified or loopback address to FortiOS.

ipv6-land

Land anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv6 land attack to pass.

drop

Drop IPv6 land attack.

trap-to-host

Forward IPv6 land attack to FortiOS.

ipv6-optendpid

End point identification anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv6 with end point identification option to pass.

drop

Drop IPv6 with end point identification option.

trap-to-host

Forward IPv6 with end point identification option to FortiOS.

ipv6-opthomeaddr

Home address option anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv6 with home address option to pass.

drop

Drop IPv6 with home address option.

trap-to-host

Forward IPv6 with home address option to FortiOS.

ipv6-optinvld

Invalid option anomalies.Invalid option anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv6 with invalid option to pass.

drop

Drop IPv6 with invalid option.

trap-to-host

Forward IPv6 with invalid option to FortiOS.

ipv6-optjumbo

Jumbo options anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv6 with jumbo option to pass.

drop

Drop IPv6 with jumbo option.

trap-to-host

Forward IPv6 with jumbo option to FortiOS.

ipv6-optnsap

Network service access point address option anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv6 with network service access point address option to pass.

drop

Drop IPv6 with network service access point address option.

trap-to-host

Forward IPv6 with network service access point address option to FortiOS.

ipv6-optralert

Router alert option anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv6 with router alert option to pass.

drop

Drop IPv6 with router alert option.

trap-to-host

Forward IPv6 with router alert option to FortiOS.

ipv6-opttunnel

Tunnel encapsulation limit option anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv6 with tunnel encapsulation limit to pass.

drop

Drop IPv6 with tunnel encapsulation limit.

trap-to-host

Forward IPv6 with tunnel encapsulation limit to FortiOS.

ipv6-proto-err

Layer 4 invalid protocol anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv6 L4 invalid protocol to pass.

drop

Drop IPv6 L4 invalid protocol.

trap-to-host

Forward IPv6 L4 invalid protocol to FortiOS.

ipv6-saddr-err

Source address as multicast anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv6 with source address as multicast to pass.

drop

Drop IPv6 with source address as multicast.

trap-to-host

Forward IPv6 with source address as multicast to FortiOS.

ipv6-unknopt

Unknown option anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv6 with unknown options to pass.

drop

Drop IPv6 with unknown options.

trap-to-host

Forward IPv6 with unknown options to FortiOS.

tcp-csum-err

Invalid IPv4 TCP checksum anomalies.

option

-

drop

Option

Description

drop

Drop IPv4 invalid TCP checksum.

trap-to-host

Forward IPv4 invalid TCP checksum to main CPU for processing.

tcp-fin-noack

TCP SYN flood with FIN flag set without ACK setting anomalies.

option

-

trap-to-host

Option

Description

allow

Allow TCP packets with FIN flag set without ack setting to pass.

drop

Drop TCP packets with FIN flag set without ack setting.

trap-to-host

Forward TCP packets with FIN flag set without ack setting to FortiOS.

tcp-fin-only

TCP SYN flood with only FIN flag set anomalies.

option

-

trap-to-host

Option

Description

allow

Allow TCP packets with FIN flag set only to pass.

drop

Drop TCP packets with FIN flag set only.

trap-to-host

Forward TCP packets with FIN flag set only to FortiOS.

tcp-land

TCP land anomalies.

option

-

trap-to-host

Option

Description

allow

Allow TCP land attack to pass.

drop

Drop TCP land attack.

trap-to-host

Forward TCP land attack to FortiOS.

tcp-no-flag

TCP SYN flood with no flag set anomalies.

option

-

allow

Option

Description

allow

Allow TCP packets without flag set to pass.

drop

Drop TCP packets without flag set.

trap-to-host

Forward TCP packets without flag set to FortiOS.

tcp-syn-data

TCP SYN flood packets with data anomalies.

option

-

allow

Option

Description

allow

Allow TCP syn packets with data to pass.

drop

Drop TCP syn packets with data.

trap-to-host

Forward TCP syn packets with data to FortiOS.

tcp-syn-fin

TCP SYN flood SYN/FIN flag set anomalies.

option

-

allow

Option

Description

allow

Allow TCP packets with syn_fin flag set to pass.

drop

Drop TCP packets with syn_fin flag set.

trap-to-host

Forward TCP packets with syn_fin flag set to FortiOS.

tcp-winnuke

TCP WinNuke anomalies.

option

-

trap-to-host

Option

Description

allow

Allow TCP packets winnuke attack to pass.

drop

Drop TCP packets winnuke attack.

trap-to-host

Forward TCP packets winnuke attack to FortiOS.

udp-csum-err

Invalid IPv4 UDP checksum anomalies.

option

-

drop

Option

Description

drop

Drop IPv4 invalid UDP checksum.

trap-to-host

Forward IPv4 invalid UDP checksum to main CPU for processing.

udp-land

UDP land anomalies.

option

-

trap-to-host

Option

Description

allow

Allow UDP land attack to pass.

drop

Drop UDP land attack.

trap-to-host

Forward UDP land attack to FortiOS.

config hpe

Parameter

Description

Type

Size

Default

arp-max

Maximum ARP packet rate.

integer

Minimum value: 1000 Maximum value: 1000000000

200000

enable-shaper

Enable/Disable NPU host protection engine (HPE) shaper.

option

-

disable

Option

Description

disable

Disable NPU HPE shaping based on packet type.

enable

Enable NPU HPE shaping based on packet type.

esp-max

Maximum ESP packet rate.

integer

Minimum value: 1000 Maximum value: 1000000000

200000

icmp-max

Maximum ICMP packet rate.

integer

Minimum value: 1000 Maximum value: 1000000000

200000

ip-frag-max

Maximum fragmented IP packet rate.

integer

Minimum value: 1000 Maximum value: 1000000000

200000

ip-others-max

Maximum IP packet rate for other packets.

integer

Minimum value: 1000 Maximum value: 1000000000

200000

l2-others-max

Maximum L2 packet rate for L2 packets that are not ARP packets.

integer

Minimum value: 1000 Maximum value: 1000000000

200000

pri-type-max

Maximum overflow rate of priority type traffic. Includes L2: HA, 802.3ad LACP, heartbeats. L3: OSPF. L4_TCP: BGP. L4_UDP: IKE, SLBC, BFD.

integer

Minimum value: 1000 Maximum value: 1000000000

200000

sctp-max

Maximum SCTP packet rate.

integer

Minimum value: 1000 Maximum value: 1000000000

200000

tcp-others-max

Maximum TCP packet rate for TCP packets that match none of the 3 types above.

integer

Minimum value: 1000 Maximum value: 1000000000

600000

tcpfin-rst-max

Maximum TCP carries FIN or RST flags packet rate.

integer

Minimum value: 1000 Maximum value: 1000000000

600000

tcpsyn-ack-max

Maximum TCP carries SYN and ACK flags packet rate.

integer

Minimum value: 1000 Maximum value: 1000000000

600000

tcpsyn-max

Maximum TCP SYN only packet rate.

integer

Minimum value: 1000 Maximum value: 1000000000

600000

udp-max

Maximum UDP packet rate.

integer

Minimum value: 1000 Maximum value: 1000000000

600000

config system np6xlite

config system np6xlite

Note

This command is available for model(s): FortiGate 100F, FortiGate 101F, FortiGate 200F, FortiGate 201F, FortiGate 40F 3G4G, FortiGate 40F, FortiGate 60F, FortiGate 61F, FortiGate 70F, FortiGate 71F, FortiGate 80F Bypass, FortiGate 80F DSL, FortiGate 80F-POE, FortiGate 80F, FortiGate 81F-POE, FortiGate 81F, FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiGateRugged 70F 3G4G, FortiGateRugged 70F, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60F, FortiWiFi 61F, FortiWiFi 80F 2R 3G4G DSL, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G DSL, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.

It is not available for: FortiGate 1000D, FortiGate 1000F, FortiGate 1001F, FortiGate 1100E, FortiGate 1101E, FortiGate 120G, FortiGate 121G, FortiGate 140E-POE, FortiGate 140E, FortiGate 1800F, FortiGate 1801F, FortiGate 2000E, FortiGate 200E, FortiGate 201E, FortiGate 2200E, FortiGate 2201E, FortiGate 2500E, FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 3000F, FortiGate 3001F, FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D, FortiGate 3200F, FortiGate 3201F, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E, FortiGate 3401E, FortiGate 3500F, FortiGate 3501F, FortiGate 3600E, FortiGate 3601E, FortiGate 3700D, FortiGate 3700F, FortiGate 3701F, FortiGate 3960E, FortiGate 3980E, FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E, FortiGate 401F, FortiGate 4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F, FortiGate 5001E1, FortiGate 5001E, FortiGate 500E, FortiGate 501E, FortiGate 600E, FortiGate 600F, FortiGate 601E, FortiGate 601F, FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 61E, FortiGate 800D, FortiGate 80E-POE, FortiGate 80E, FortiGate 81E-POE, FortiGate 81E, FortiGate 900D, FortiGate 900G, FortiGate 901G, FortiGate 90G, FortiGate 91E, FortiGate 91G, FortiGate VM for AWS, FortiGate VM for Azure, FortiGate VM64, FortiWiFi 60E DSLJ, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 61E.

Configure NP6XLITE attributes.

config system np6xlite
    Description: Configure NP6XLITE attributes.
    edit <name>
        set congestion-handling-mode [flow-control|head-of-line]
        set fastpath [disable|enable]
        config fp-anomaly
            Description: NP6XLITE IPv4 anomaly protection. The trap-to-host forwards anomaly sessions to the CPU.
            set icmp-csum-err [drop|trap-to-host]
            set icmp-frag [allow|drop|...]
            set icmp-land [allow|drop|...]
            set ipv4-csum-err [drop|trap-to-host]
            set ipv4-land [allow|drop|...]
            set ipv4-optlsrr [allow|drop|...]
            set ipv4-optrr [allow|drop|...]
            set ipv4-optsecurity [allow|drop|...]
            set ipv4-optssrr [allow|drop|...]
            set ipv4-optstream [allow|drop|...]
            set ipv4-opttimestamp [allow|drop|...]
            set ipv4-proto-err [allow|drop|...]
            set ipv4-unknopt [allow|drop|...]
            set ipv6-daddr-err [allow|drop|...]
            set ipv6-land [allow|drop|...]
            set ipv6-optendpid [allow|drop|...]
            set ipv6-opthomeaddr [allow|drop|...]
            set ipv6-optinvld [allow|drop|...]
            set ipv6-optjumbo [allow|drop|...]
            set ipv6-optnsap [allow|drop|...]
            set ipv6-optralert [allow|drop|...]
            set ipv6-opttunnel [allow|drop|...]
            set ipv6-proto-err [allow|drop|...]
            set ipv6-saddr-err [allow|drop|...]
            set ipv6-unknopt [allow|drop|...]
            set tcp-csum-err [drop|trap-to-host]
            set tcp-fin-noack [allow|drop|...]
            set tcp-fin-only [allow|drop|...]
            set tcp-land [allow|drop|...]
            set tcp-no-flag [allow|drop|...]
            set tcp-syn-data [allow|drop|...]
            set tcp-syn-fin [allow|drop|...]
            set tcp-winnuke [allow|drop|...]
            set udp-csum-err [drop|trap-to-host]
            set udp-land [allow|drop|...]
        end
        set garbage-session-collector [disable|enable]
        config hpe
            Description: HPE configuration.
            set arp-max {integer}
            set enable-shaper [disable|enable]
            set esp-max {integer}
            set icmp-max {integer}
            set ip-frag-max {integer}
            set ip-others-max {integer}
            set l2-others-max {integer}
            set pri-type-max {integer}
            set sctp-max {integer}
            set tcp-others-max {integer}
            set tcpfin-rst-max {integer}
            set tcpsyn-ack-max {integer}
            set tcpsyn-max {integer}
            set udp-max {integer}
        end
        set ipsec-inner-fragment [disable|enable]
        set ipsec-sts-timeout [1|2|...]
        set ipsec-throughput-msg-frequency [disable|32kb|...]
        set per-session-accounting [disable|traffic-log-only|...]
        set session-collector-interval {integer}
        set session-timeout-fixed [disable|enable]
        set session-timeout-interval {integer}
        set session-timeout-random-range {integer}
    next
end

config system np6xlite

Parameter

Description

Type

Size

Default

congestion-handling-mode *

Configure Marvell switch packet congestion handling.

option

-

head-of-line

Option

Description

flow-control

Pause peer sending additional traffic until congestion is resolved.

head-of-line

Drop excessive traffic until congestion is resolved.

fastpath

Enable/disable NP6XLITE offloading (also called fast path).

option

-

enable

Option

Description

disable

Disable NP6XLITE offloading (fast path).

enable

Enable NP6XLITE offloading (fast path).

garbage-session-collector

Enable/disable garbage session collector.

option

-

disable

Option

Description

disable

Disable garbage session collector.

enable

Enable garbage session collector.

ipsec-inner-fragment

Enable/disable NP6XLite IPsec fragmentation type: inner.

option

-

disable

Option

Description

disable

NP6XLite ipsec fragmentation type: outer.

enable

Enable NP6XLite ipsec fragmentation type: inner.

ipsec-sts-timeout

Set NP6XLite IPsec STS message timeout.

option

-

5

Option

Description

1

Set NP6Xlite STS message timeout to 1 sec (recommended for IPSec throughput GUI).

2

Set NP6Xlite STS message timeout to 2 sec.

3

Set NP6Xlite STS message timeout to 3 sec.

4

Set NP6Xlite STS message timeout to 4 sec.

5

Set NP6Xlite STS message timeout to 5 sec (default).

6

Set NP6Xlite STS message timeout to 6 sec.

7

Set NP6Xlite STS message timeout to 7 sec.

8

Set NP6Xlite STS message timeout to 8 sec.

9

Set NP6Xlite STS message timeout to 9 sec.

10

Set NP6Xlite STS message timeout to 10 sec.

ipsec-throughput-msg-frequency

Set NP6XLite IPsec throughput message frequency (0 = disable).

option

-

disable

Option

Description

disable

Disable NP6Xlite throughput update message.

32kb

Set NP6Xlite throughput update message frequency to 32KB.

64kb

Set NP6Xlite throughput update message frequency to 64KB.

128kb

Set NP6Xlite throughput update message frequency to 128KB.

256kb

Set NP6Xlite throughput update message frequency to 256KB.

512kb

Set NP6Xlite throughput update message frequency to 512KB.

1mb

Set NP6Xlite throughput update message frequency to 1MB.

2mb

Set NP6Xlite throughput update message frequency to 2MB.

4mb

Set NP6Xlite throughput update message frequency to 4MB.

8mb

Set NP6Xlite throughput update message frequency to 8MB.

16mb

Set NP6Xlite throughput update message frequency to 16MB.

32mb

Set NP6Xlite throughput update message frequency to 32MB.

64mb

Set NP6Xlite throughput update message frequency to 64MB.

128mb

Set NP6Xlite throughput update message frequency to 128MB.

256mb

Set NP6Xlite throughput update message frequency to 256MB.

512mb

Set NP6Xlite throughput update message frequency to 512MB.

1gb

Set NP6Xlite throughput update message frequency to 1GB.

name

Device Name.

string

Maximum length: 31

per-session-accounting

Enable/disable per-session accounting.

option

-

traffic-log-only

Option

Description

disable

Disable per-session accounting.

traffic-log-only

Per-session accounting only for sessions with traffic logging enabled in firewall policy.

enable

Per-session accounting for all sessions.

session-collector-interval

Set garbage session collection cleanup interval.

integer

Minimum value: 1 Maximum value: 100

64

session-timeout-fixed

Enable/disable fixed timeout interval mode.

option

-

disable

Option

Description

disable

Disable NPU session timeout at fixed interval.

enable

Enable NPU session timeout at fixed interval.

session-timeout-interval

Set session timeout interval.

integer

Minimum value: 0 Maximum value: 1000

40

session-timeout-random-range

Set the randomization range.

integer

Minimum value: 0 Maximum value: 1000

8

* This parameter may not exist in some models.

config fp-anomaly

Parameter

Description

Type

Size

Default

icmp-csum-err

Invalid IPv4 ICMP checksum anomalies.

option

-

drop

Option

Description

drop

Drop IPv4 invalid ICMP checksum.

trap-to-host

Forward IPv4 invalid ICMP checksum to main CPU for processing.

icmp-frag

Layer 3 fragmented packets that could be part of layer 4 ICMP anomalies.

option

-

allow

Option

Description

allow

Allow L3 fragment packet with L4 protocol as ICMP attack to pass.

drop

Drop L3 fragment packet with L4 protocol as ICMP attack.

trap-to-host

Forward L3 fragment packet with L4 protocol as ICMP attack to FortiOS.

icmp-land

ICMP land anomalies.

option

-

trap-to-host

Option

Description

allow

Allow ICMP land attack to pass.

drop

Drop ICMP land attack.

trap-to-host

Forward ICMP land attack to FortiOS.

ipv4-csum-err

Invalid IPv4 IP checksum anomalies.

option

-

drop

Option

Description

drop

Drop IPv4 invalid IP checksum.

trap-to-host

Forward IPv4 invalid IP checksum to main CPU for processing.

ipv4-land

Land anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv4 land attack to pass.

drop

Drop IPv4 land attack.

trap-to-host

Forward IPv4 land attack to FortiOS.

ipv4-optlsrr

Loose source record route option anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv4 with loose source record route option to pass.

drop

Drop IPv4 with loose source record route option.

trap-to-host

Forward IPv4 with loose source record route option to FortiOS.

ipv4-optrr

Record route option anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv4 with record route option to pass.

drop

Drop IPv4 with record route option.

trap-to-host

Forward IPv4 with record route option to FortiOS.

ipv4-optsecurity

Security option anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv4 with security option to pass.

drop

Drop IPv4 with security option.

trap-to-host

Forward IPv4 with security option to FortiOS.

ipv4-optssrr

Strict source record route option anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv4 with strict source record route option to pass.

drop

Drop IPv4 with strict source record route option.

trap-to-host

Forward IPv4 with strict source record route option to FortiOS.

ipv4-optstream

Stream option anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv4 with stream option to pass.

drop

Drop IPv4 with stream option.

trap-to-host

Forward IPv4 with stream option to FortiOS.

ipv4-opttimestamp

Timestamp option anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv4 with timestamp option to pass.

drop

Drop IPv4 with timestamp option.

trap-to-host

Forward IPv4 with timestamp option to FortiOS.

ipv4-proto-err

Invalid layer 4 protocol anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv4 invalid L4 protocol to pass.

drop

Drop IPv4 invalid L4 protocol.

trap-to-host

Forward IPv4 invalid L4 protocol to FortiOS.

ipv4-unknopt

Unknown option anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv4 with unknown options to pass.

drop

Drop IPv4 with unknown options.

trap-to-host

Forward IPv4 with unknown options to FortiOS.

ipv6-daddr-err

Destination address as unspecified or loopback address anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv6 with destination address as unspecified or loopback address to pass.

drop

Drop IPv6 with destination address as unspecified or loopback address.

trap-to-host

Forward IPv6 with destination address as unspecified or loopback address to FortiOS.

ipv6-land

Land anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv6 land attack to pass.

drop

Drop IPv6 land attack.

trap-to-host

Forward IPv6 land attack to FortiOS.

ipv6-optendpid

End point identification anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv6 with end point identification option to pass.

drop

Drop IPv6 with end point identification option.

trap-to-host

Forward IPv6 with end point identification option to FortiOS.

ipv6-opthomeaddr

Home address option anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv6 with home address option to pass.

drop

Drop IPv6 with home address option.

trap-to-host

Forward IPv6 with home address option to FortiOS.

ipv6-optinvld

Invalid option anomalies.Invalid option anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv6 with invalid option to pass.

drop

Drop IPv6 with invalid option.

trap-to-host

Forward IPv6 with invalid option to FortiOS.

ipv6-optjumbo

Jumbo options anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv6 with jumbo option to pass.

drop

Drop IPv6 with jumbo option.

trap-to-host

Forward IPv6 with jumbo option to FortiOS.

ipv6-optnsap

Network service access point address option anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv6 with network service access point address option to pass.

drop

Drop IPv6 with network service access point address option.

trap-to-host

Forward IPv6 with network service access point address option to FortiOS.

ipv6-optralert

Router alert option anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv6 with router alert option to pass.

drop

Drop IPv6 with router alert option.

trap-to-host

Forward IPv6 with router alert option to FortiOS.

ipv6-opttunnel

Tunnel encapsulation limit option anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv6 with tunnel encapsulation limit to pass.

drop

Drop IPv6 with tunnel encapsulation limit.

trap-to-host

Forward IPv6 with tunnel encapsulation limit to FortiOS.

ipv6-proto-err

Layer 4 invalid protocol anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv6 L4 invalid protocol to pass.

drop

Drop IPv6 L4 invalid protocol.

trap-to-host

Forward IPv6 L4 invalid protocol to FortiOS.

ipv6-saddr-err

Source address as multicast anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv6 with source address as multicast to pass.

drop

Drop IPv6 with source address as multicast.

trap-to-host

Forward IPv6 with source address as multicast to FortiOS.

ipv6-unknopt

Unknown option anomalies.

option

-

trap-to-host

Option

Description

allow

Allow IPv6 with unknown options to pass.

drop

Drop IPv6 with unknown options.

trap-to-host

Forward IPv6 with unknown options to FortiOS.

tcp-csum-err

Invalid IPv4 TCP checksum anomalies.

option

-

drop

Option

Description

drop

Drop IPv4 invalid TCP checksum.

trap-to-host

Forward IPv4 invalid TCP checksum to main CPU for processing.

tcp-fin-noack

TCP SYN flood with FIN flag set without ACK setting anomalies.

option

-

trap-to-host

Option

Description

allow

Allow TCP packets with FIN flag set without ack setting to pass.

drop

Drop TCP packets with FIN flag set without ack setting.

trap-to-host

Forward TCP packets with FIN flag set without ack setting to FortiOS.

tcp-fin-only

TCP SYN flood with only FIN flag set anomalies.

option

-

trap-to-host

Option

Description

allow

Allow TCP packets with FIN flag set only to pass.

drop

Drop TCP packets with FIN flag set only.

trap-to-host

Forward TCP packets with FIN flag set only to FortiOS.

tcp-land

TCP land anomalies.

option

-

trap-to-host

Option

Description

allow

Allow TCP land attack to pass.

drop

Drop TCP land attack.

trap-to-host

Forward TCP land attack to FortiOS.

tcp-no-flag

TCP SYN flood with no flag set anomalies.

option

-

allow

Option

Description

allow

Allow TCP packets without flag set to pass.

drop

Drop TCP packets without flag set.

trap-to-host

Forward TCP packets without flag set to FortiOS.

tcp-syn-data

TCP SYN flood packets with data anomalies.

option

-

allow

Option

Description

allow

Allow TCP syn packets with data to pass.

drop

Drop TCP syn packets with data.

trap-to-host

Forward TCP syn packets with data to FortiOS.

tcp-syn-fin

TCP SYN flood SYN/FIN flag set anomalies.

option

-

allow

Option

Description

allow

Allow TCP packets with syn_fin flag set to pass.

drop

Drop TCP packets with syn_fin flag set.

trap-to-host

Forward TCP packets with syn_fin flag set to FortiOS.

tcp-winnuke

TCP WinNuke anomalies.

option

-

trap-to-host

Option

Description

allow

Allow TCP packets winnuke attack to pass.

drop

Drop TCP packets winnuke attack.

trap-to-host

Forward TCP packets winnuke attack to FortiOS.

udp-csum-err

Invalid IPv4 UDP checksum anomalies.

option

-

drop

Option

Description

drop

Drop IPv4 invalid UDP checksum.

trap-to-host

Forward IPv4 invalid UDP checksum to main CPU for processing.

udp-land

UDP land anomalies.

option

-

trap-to-host

Option

Description

allow

Allow UDP land attack to pass.

drop

Drop UDP land attack.

trap-to-host

Forward UDP land attack to FortiOS.

config hpe

Parameter

Description

Type

Size

Default

arp-max

Maximum ARP packet rate.

integer

Minimum value: 1000 Maximum value: 1000000000

200000

enable-shaper

Enable/Disable NPU host protection engine (HPE) shaper.

option

-

disable

Option

Description

disable

Disable NPU HPE shaping based on packet type.

enable

Enable NPU HPE shaping based on packet type.

esp-max

Maximum ESP packet rate.

integer

Minimum value: 1000 Maximum value: 1000000000

200000

icmp-max

Maximum ICMP packet rate.

integer

Minimum value: 1000 Maximum value: 1000000000

200000

ip-frag-max

Maximum fragmented IP packet rate.

integer

Minimum value: 1000 Maximum value: 1000000000

200000

ip-others-max

Maximum IP packet rate for other packets.

integer

Minimum value: 1000 Maximum value: 1000000000

200000

l2-others-max

Maximum L2 packet rate for L2 packets that are not ARP packets.

integer

Minimum value: 1000 Maximum value: 1000000000

200000

pri-type-max

Maximum overflow rate of priority type traffic. Includes L2: HA, 802.3ad LACP, heartbeats. L3: OSPF. L4_TCP: BGP. L4_UDP: IKE, SLBC, BFD.

integer

Minimum value: 1000 Maximum value: 1000000000

200000

sctp-max

Maximum SCTP packet rate.

integer

Minimum value: 1000 Maximum value: 1000000000

200000

tcp-others-max

Maximum TCP packet rate for TCP packets that match none of the 3 types above.

integer

Minimum value: 1000 Maximum value: 1000000000

600000

tcpfin-rst-max

Maximum TCP carries FIN or RST flags packet rate.

integer

Minimum value: 1000 Maximum value: 1000000000

600000

tcpsyn-ack-max

Maximum TCP carries SYN and ACK flags packet rate.

integer

Minimum value: 1000 Maximum value: 1000000000

600000

tcpsyn-max

Maximum TCP SYN only packet rate.

integer

Minimum value: 1000 Maximum value: 1000000000

600000

udp-max

Maximum UDP packet rate.

integer

Minimum value: 1000 Maximum value: 1000000000

600000