sp
Use this command to configure offloading traffic to a FortiASIC Security Processing (SP) Module. Fortinet security processing modules provide multi-gigabit throughput increases for intrusion prevention, firewall, and IP multicast applications. All models are based on the carrier-class Advanced Mezzanine Card™ (AMC) specification.
FortiGate units that support these modules offer a third action for the tcp_syn_flood threshold, Proxy, in addition to Block and Pass. With Proxy, legitimate connections are allowed while an attack is blocked.
This command is only available on models with one or more AMC slots and a FortiASIC Security Processing Module installed. When VDOMs are enabled, this is a global command.
 
Syntax
config system sp
    set name <string>
    set ips-weight {less-fw | balanced | all-ips}
    set fp-disable {all | ips | ipsec | multicast | DoS | none}
    set ipsec-inb-optimization {enable | disable}
    set syn-proxy-client-timer <sec_int>
    set syn-proxy-server-timer <sec_int>
end
Variables

name <string>
    Description: Maximum of 31 characters.

ips-weight {less-fw | balanced | all-ips}
    Description: Select the weighting method for IPS sessions. Default is less-fw.
    Options: less-fw, balanced, all-ips
    Default: less-fw

fp-disable {all | ips | ipsec | multicast | DoS | none}
    Description: Select one or more types of traffic to exclude from file processing.
    Security processing modules can accelerate different security features such as firewall, IPS, multicast, and DoS. By default the modules accelerate all of these traffic types, but you can disable acceleration of one or more of them with this command. Any traffic type listed is not accelerated and is handled by the FortiOS system instead.
    Default: none

ipsec-inb-optimization {enable | disable}
    Description: Select to enable inbound IPsec optimization.
    Default: enable

syn-proxy-client-timer <sec_int>
    Description: Set the number of seconds for the client side timer for the three-way handshake. If the timer expires and the handshake is not complete, the connection is discarded. Range is 1 to 255. Default is 3.
    For the tcp_syn_flood threshold, in addition to Block and Pass, you can choose to Proxy connect attempts when their volume exceeds the threshold value. When the tcp_syn_flood threshold action is set to Proxy, incomplete TCP connections are allowed as normal as long as the configured threshold is not exceeded. If the threshold is exceeded, the FortiGate unit intercepts incoming SYN packets with a hardware accelerated SYN proxy to determine whether the connection attempts are legitimate or a SYN flood attack.
    Default: 3

syn-proxy-server-timer <sec_int>
    Description: Set the number of seconds for the server side timer for the three-way handshake. If the timer expires and the handshake is not complete, the connection is discarded. Range is 1 to 255. Default is 3.
    Default: 3
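
The following Python sketch is an added example, not Fortinet code: a simplified software model of the Proxy action and the client side timer described under syn-proxy-client-timer, useful for reasoning about how a timer value treats slow but legitimate clients. It assumes the threshold is counted as SYNs per one-second bucket; the function name, outcome labels, and event trace are constructed for illustration, and the server side timer is not modeled.

```python
from collections import defaultdict


def simulate(events, threshold, client_timer=3):
    """Return {conn_id: outcome} for a time-ordered list of (t, conn_id, kind).

    kind is "SYN" or "ACK" (the client's final handshake ACK).
    Assumption: the threshold is a count of SYNs per one-second bucket.
    """
    syn_count = defaultdict(int)  # second -> SYNs seen in that second
    pending = {}                  # conn_id -> time the proxy took over the SYN
    outcome = {}

    def expire(now):
        # Client side timer: discard proxied handshakes not completed in time.
        for conn, started in list(pending.items()):
            if now - started >= client_timer:
                outcome[conn] = "discarded"
                del pending[conn]

    for t, conn, kind in events:
        expire(t)
        if kind == "SYN":
            syn_count[int(t)] += 1
            if syn_count[int(t)] <= threshold:
                outcome[conn] = "passed"         # below threshold: allowed as normal
            else:
                pending[conn] = t                # above threshold: proxy holds it
                outcome[conn] = "pending"
        elif kind == "ACK" and conn in pending:
            del pending[conn]
            outcome[conn] = "proxied-forwarded"  # handshake completed: legitimate
    expire(float("inf"))  # trace over: anything still pending times out
    return outcome


# Constructed trace: five SYNs in one second, one prompt ACK, one late ACK.
SAMPLE_EVENTS = [
    (0.0, "a", "SYN"), (0.1, "b", "SYN"), (0.2, "c", "SYN"),
    (0.3, "d", "SYN"), (0.4, "e", "SYN"),
    (0.5, "c", "ACK"),   # completes within the timer
    (5.0, "d", "ACK"),   # arrives after a 3 second timer has expired
    (5.1, "f", "SYN"),   # new second, back under the threshold
]

if __name__ == "__main__":
    for conn, result in simulate(SAMPLE_EVENTS, threshold=2).items():
        print(conn, result)
```

Running the same trace with a larger client_timer shows connection d being forwarded instead of discarded, which is the trade-off the timer setting controls.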