system np6
You can use the following command to configure a wide range of settings for the NP6 processors in your FortiGate unit. You can configure different settings for each NP6 processor.
Syntax
config system np6
    edit <np6-processor-name>
        set fastpath {disable | enable}
        set low-latency-mode {disable | enable}
        set per-session-accounting {disable | enable}
        set garbage-session-collector {disable | enable}
        set session-collector-interval <range>
        set session-timeout-interval <range>
        set session-timeout-random-range <range>
        set session-timeout-fixed {disable | enable}
        config fp-anomaly-v4
            set icmp-frag {allow | drop | trap-to-host}
            set icmp-land {allow | drop | trap-to-host}
            set ipv4-land {allow | drop | trap-to-host}
            set ipv4-optlsrr {allow | drop | trap-to-host}
            set ipv4-optrr {allow | drop | trap-to-host}
            set ipv4-optsecurity {allow | drop | trap-to-host}
            set ipv4-optssrr {allow | drop | trap-to-host}
            set ipv4-optstream {allow | drop | trap-to-host}
            set ipv4-opttimestamp {allow | drop | trap-to-host}
            set ipv4-proto-err {allow | drop | trap-to-host}
            set ipv4-unknopt {allow | drop | trap-to-host}
            set tcp-land {allow | drop | trap-to-host}
            set tcp-syn-fin {allow | drop | trap-to-host}
            set tcp-winnuke {allow | drop | trap-to-host}
            set tcp_fin_noack {allow | drop | trap-to-host}
            set tcp_fin_only {allow | drop | trap-to-host}
            set tcp_no_flag {allow | drop | trap-to-host}
            set tcp_syn_data {allow | drop | trap-to-host}
            set udp-land {allow | drop | trap-to-host}
        end
        config fp-anomaly-v6
            set ipv6-daddr_err {allow | drop | trap-to-host}
            set ipv6-land {allow | drop | trap-to-host}
            set ipv6-optendpid {allow | drop | trap-to-host}
            set ipv6-opthomeaddr {allow | drop | trap-to-host}
            set ipv6-optinvld {allow | drop | trap-to-host}
            set ipv6-optjumbo {allow | drop | trap-to-host}
            set ipv6-optnsap {allow | drop | trap-to-host}
            set ipv6-optralert {allow | drop | trap-to-host}
            set ipv6-opttunnel {allow | drop | trap-to-host}
            set ipv6-proto-err {allow | drop | trap-to-host}
            set ipv6-saddr_err {allow | drop | trap-to-host}
            set ipv6-unknopt {allow | drop | trap-to-host}
        end
    next
end
Variables (with description and default)

fastpath {disable | enable}
    Enable fastpath acceleration to offload sessions to the NP6 processor. Disable fastpath if you do not want the NP6 processor to offload sessions.
    Default: enable

low-latency-mode {disable | enable}
    Enable low-latency mode. In low-latency mode the integrated switch fabric is bypassed, so packets must enter and exit through the same NP6 processor. This option is only available for NP6 processors that can operate in low-latency mode.
    Default: disable

per-session-accounting {disable | enable}
    Record traffic log messages for offloaded sessions. Enabling this feature reduces performance.
    Default: disable

garbage-session-collector {disable | enable}
    Enable deleting expired or garbage sessions.
    Default: disable

session-collector-interval <range>
    Set the expired or garbage session collector time interval in seconds. The range is 1 to 100 seconds.
    Default: 8

session-timeout-interval <range>
    Set the timeout for inactive sessions. The range is 0 to 1000 seconds.
    Default: 40

session-timeout-random-range <range>
    Set the random timeout for inactive sessions. The range is 0 to 1000 seconds.
    Default: 8

session-timeout-fixed {disable | enable}
    Force session timeouts at fixed, instead of random, intervals.
    Default: disable
config fp-anomaly-v4 options

fp-anomaly-v4
    Configure how the NP6 processor performs IPv4 traffic anomaly protection. For each anomaly you can configure the NP6 processor to allow or drop the packets associated with the attack, or to forward them to FortiOS (called "trap-to-host"). Selecting "trap-to-host" turns off NP6 anomaly protection for that anomaly; if you still require anomaly protection, you can enable it with a DoS policy.

icmp-frag {allow | drop | trap-to-host}
    Detects Layer 3 fragmented packets that could be part of a Layer 4 ICMP anomaly.
    Default: allow

icmp-land {allow | drop | trap-to-host}
    Detects ICMP land anomalies.
    Default: trap-to-host

ipv4-land {allow | drop | trap-to-host}
    Detects IPv4 land anomalies.
    Default: trap-to-host

ipv4-optlsrr {allow | drop | trap-to-host}
    Detects IPv4 loose source record route option anomalies.
    Default: trap-to-host

ipv4-optrr {allow | drop | trap-to-host}
    Detects IPv4 record route option anomalies.
    Default: trap-to-host

ipv4-optsecurity {allow | drop | trap-to-host}
    Detects security option anomalies.
    Default: trap-to-host

ipv4-optssrr {allow | drop | trap-to-host}
    Detects IPv4 strict source record route option anomalies.
    Default: trap-to-host

ipv4-optstream {allow | drop | trap-to-host}
    Detects stream option anomalies.
    Default: trap-to-host

ipv4-opttimestamp {allow | drop | trap-to-host}
    Detects timestamp option anomalies.
    Default: trap-to-host

ipv4-proto-err {allow | drop | trap-to-host}
    Detects invalid Layer 4 protocol anomalies.
    Default: trap-to-host

ipv4-unknopt {allow | drop | trap-to-host}
    Detects unknown option anomalies.
    Default: trap-to-host

tcp-land {allow | drop | trap-to-host}
    Detects TCP land anomalies.
    Default: trap-to-host

tcp-syn-fin {allow | drop | trap-to-host}
    Detects TCP SYN flood anomalies with both the SYN and FIN flags set.
    Default: allow

tcp-winnuke {allow | drop | trap-to-host}
    Detects TCP WinNuke anomalies.
    Default: trap-to-host

tcp_fin_noack {allow | drop | trap-to-host}
    Detects TCP SYN flood anomalies with the FIN flag set but the ACK flag not set.
    Default: trap-to-host

tcp_fin_only {allow | drop | trap-to-host}
    Detects TCP SYN flood anomalies with only the FIN flag set.
    Default: trap-to-host

tcp_no_flag {allow | drop | trap-to-host}
    Detects TCP SYN flood anomalies with no flags set.
    Default: allow

tcp_syn_data {allow | drop | trap-to-host}
    Detects TCP SYN flood anomalies in which the SYN packets carry data.
    Default: allow

udp-land {allow | drop | trap-to-host}
    Detects UDP land anomalies.
    Default: trap-to-host
config fp-anomaly-v6 options

fp-anomaly-v6
    Configure how the NP6 processor performs IPv6 traffic anomaly protection. For each anomaly you can configure the NP6 processor to allow or drop the packets associated with the attack, or to forward them to FortiOS (called "trap-to-host"). Selecting "trap-to-host" turns off NP6 anomaly protection for that anomaly; if you still require anomaly protection, you can enable it with a DoS policy.

ipv6-daddr_err {allow | drop | trap-to-host}
    Detects anomalies in which the destination address is the unspecified or loopback address.
    Default: trap-to-host

ipv6-land {allow | drop | trap-to-host}
    Detects IPv6 land anomalies.
    Default: trap-to-host

ipv6-optendpid {allow | drop | trap-to-host}
    Detects endpoint identification option anomalies.
    Default: trap-to-host

ipv6-opthomeaddr {allow | drop | trap-to-host}
    Detects home address option anomalies.
    Default: trap-to-host

ipv6-optinvld {allow | drop | trap-to-host}
    Detects invalid option anomalies.
    Default: trap-to-host

ipv6-optjumbo {allow | drop | trap-to-host}
    Detects jumbo option anomalies.
    Default: trap-to-host

ipv6-optnsap {allow | drop | trap-to-host}
    Detects network service access point address option anomalies.
    Default: trap-to-host

ipv6-optralert {allow | drop | trap-to-host}
    Detects router alert option anomalies.
    Default: trap-to-host

ipv6-opttunnel {allow | drop | trap-to-host}
    Detects tunnel encapsulation limit option anomalies.
    Default: trap-to-host

ipv6-proto-err {allow | drop | trap-to-host}
    Detects invalid Layer 4 protocol anomalies.
    Default: trap-to-host

ipv6-saddr_err {allow | drop | trap-to-host}
    Detects anomalies in which the source address is a multicast address.
    Default: trap-to-host

ipv6-unknopt {allow | drop | trap-to-host}
    Detects unknown option anomalies.
    Default: trap-to-host
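Because several fp-anomaly-v4 options default to "allow", packets matching those anomalies stay on the NP6 fast path uninspected unless an administrator changes them. The following script is an added example, not part of the Fortinet reference: it parses the `config system np6` block from a FortiGate CLI dump and reports every anomaly option whose effective action is "allow", using the defaults listed above. The sample configuration is constructed for the example.

```python
# fp-anomaly-v4 options whose documented default is "allow"; every other
# fp-anomaly option on this page defaults to "trap-to-host".
ALLOW_BY_DEFAULT = {"icmp-frag", "tcp-syn-fin", "tcp_no_flag", "tcp_syn_data"}

# Constructed sample: np6_0 is partially hardened, np6_1 is left at defaults.
SAMPLE_CONFIG = """\
config system np6
    edit "np6_0"
        config fp-anomaly-v4
            set tcp-syn-fin drop
            set tcp_no_flag drop
            set ipv4-land allow
        end
        config fp-anomaly-v6
            set ipv6-land drop
        end
    next
    edit "np6_1"
    next
end
"""

def parse_block(lines, i=0):
    """Parse FortiOS CLI lines into nested dicts; 'end'/'next' close a block."""
    node = {}
    while i < len(lines):
        parts = lines[i].split()
        i += 1
        kw = parts[0] if parts else None
        if kw in ("end", "next"):
            break
        if kw in ("config", "edit"):
            node[" ".join(parts[1:]).strip('"')], i = parse_block(lines, i)
        elif kw == "set":
            node[parts[1]] = " ".join(parts[2:])
    return node, i

def audit_np6(text):
    """Return sorted (np6, table, option, source) for every anomaly option whose
    effective action is 'allow'; source is 'explicit' (set in config) or 'default'."""
    tree, _ = parse_block(text.splitlines())
    findings = []
    for name, np6 in tree.get("system np6", {}).items():
        for table in ("fp-anomaly-v4", "fp-anomaly-v6"):
            configured = np6.get(table, {})
            findings += [(name, table, o, "explicit") for o, a in configured.items() if a == "allow"]
            if table == "fp-anomaly-v4":
                findings += [(name, table, o, "default") for o in ALLOW_BY_DEFAULT - set(configured)]
    return sorted(findings)
```

Run it against the output of `show system np6` from a real unit to see which anomalies each NP6 would pass through untouched; options reported here are candidates for "drop", or for "trap-to-host" combined with a DoS policy.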