Fortinet white logo
Fortinet white logo

CLI Reference

config system npu

config system npu

Note

This command is available for model(s): FortiGate 1000D, FortiGate 100EF, FortiGate 100E, FortiGate 100F, FortiGate 101E, FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 1200D, FortiGate 140E-POE, FortiGate 140E, FortiGate 1500DT, FortiGate 1500D, FortiGate 2000E, FortiGate 200E, FortiGate 201E, FortiGate 2200E, FortiGate 2201E, FortiGate 2500E, FortiGate 3000D, FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E, FortiGate 3401E, FortiGate 3600E, FortiGate 3601E, FortiGate 3700D, FortiGate 3800D, FortiGate 3810D, FortiGate 3815D, FortiGate 3960E, FortiGate 3980E, FortiGate 400D, FortiGate 400E Bypass, FortiGate 400E, FortiGate 401E, FortiGate 40F 3G4G, FortiGate 40F, FortiGate 5001D, FortiGate 5001E1, FortiGate 5001E, FortiGate 500D, FortiGate 500E, FortiGate 501E, FortiGate 600D, FortiGate 600E, FortiGate 601E, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E, FortiGate 61F, FortiGate 800D, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE, FortiGate 81F, FortiGate 900D, FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.

It is not available for: FortiGate 100D, FortiGate 140D-POE, FortiGate 140D, FortiGate 30E 3G4G GBL, FortiGate 30E 3G4G INTL, FortiGate 30E 3G4G NAM, FortiGate 30E, FortiGate 50E, FortiGate 51E, FortiGate 52E, FortiGate 90E, FortiGate 91E, FortiGate 92D, FortiGate VM64, FortiGateRugged 30D, FortiGateRugged 90D, FortiWiFi 30E 3G4G INTL, FortiWiFi 30E 3G4G NAM, FortiWiFi 30E, FortiWiFi 50E 2R, FortiWiFi 50E, FortiWiFi 51E.

Configure NPU attributes.

config system npu
    Description: Configure NPU attributes.
    set capwap-offload [enable|disable]
    set dedicated-management-cpu [enable|disable]
    set fastpath [disable|enable]
    config fp-anomaly
        Description: NP6Lite anomaly protection (packet drop or send trap to host).
        set ipv4-ver-err [drop|trap-to-host]
        set ipv4-ihl-err [drop|trap-to-host]
        set ipv4-len-err [drop|trap-to-host]
        set ipv4-ttlzero-err [drop|trap-to-host]
        set ipv4-csum-err [drop|trap-to-host]
        set ipv4-opt-err [drop|trap-to-host]
        set tcp-hlen-err [drop|trap-to-host]
        set tcp-plen-err [drop|trap-to-host]
        set tcp-csum-err [drop|trap-to-host]
        set udp-plen-err [drop|trap-to-host]
        set udp-hlen-err [drop|trap-to-host]
        set udp-csum-err [drop|trap-to-host]
        set udp-len-err [drop|trap-to-host]
        set udplite-cover-err [drop|trap-to-host]
        set udplite-csum-err [drop|trap-to-host]
        set icmp-minlen-err [drop|trap-to-host]
        set icmp-csum-err [drop|trap-to-host]
        set esp-minlen-err [drop|trap-to-host]
        set unknproto-minlen-err [drop|trap-to-host]
        set ipv6-ver-err [drop|trap-to-host]
        set ipv6-ihl-err [drop|trap-to-host]
        set ipv6-plen-zero [drop|trap-to-host]
        set ipv6-exthdr-order-err [drop|trap-to-host]
        set ipv6-exthdr-len-err [drop|trap-to-host]
    end
    set gtp-enhanced-cpu-range [0|1|...]
    set gtp-enhanced-mode [enable|disable]
    set host-shortcut-mode [bi-directional|host-shortcut]
    set htx-gtse-quota [100Mbps|200Mbps|...]
    set iph-rsvd-re-cksum [enable|disable]
    set ipsec-dec-subengine-mask {user}
    set ipsec-enc-subengine-mask {user}
    set ipsec-inbound-cache [enable|disable]
    set ipsec-mtu-override [disable|enable]
    set ipsec-over-vlink [enable|disable]
    config isf-np-queues
        Description: Configure queues of switch port connected to NP6 XAUI on ingress path.
        set cos0 {string}
        set cos1 {string}
        set cos2 {string}
        set cos3 {string}
        set cos4 {string}
        set cos5 {string}
        set cos6 {string}
        set cos7 {string}
    end
    set lag-out-port-select [disable|enable]
    set mcast-session-accounting [tpe-based|session-based|...]
    set np6-cps-optimization-mode [enable|disable]
    set per-session-accounting [disable|traffic-log-only|...]
    config port-cpu-map
        Description: Configure NPU interface to CPU core mapping.
        edit <interface>
            set cpu-core {string}
        next
    end
    config port-npu-map
        Description: Configure port to NPU group mapping.
        edit <interface>
            set npu-group-index {integer}
        next
    end
    config priority-protocol
        Description: Configure NPU priority protocol.
        set bgp [enable|disable]
        set slbc [enable|disable]
        set bfd [enable|disable]
    end
    set qos-mode [disable|priority|...]
    set rdp-offload [enable|disable]
    set recover-np6-link [enable|disable]
    set sse-backpressure [enable|disable]
    set strip-clear-text-padding [enable|disable]
    set strip-esp-padding [enable|disable]
    set sw-np-bandwidth [0G|2G|...]
    set switch-np-hash [src-ip|dst-ip|...]
    set uesp-offload [enable|disable]
end

config system npu

Parameter

Description

Type

Size

capwap-offload *

Enable/disable offloading managed FortiAP and FortiLink CAPWAP sessions.

option

-

Option

Description

enable

Enable CAPWAP offload.

disable

Disable CAPWAP offload.

dedicated-management-cpu *

Enable to dedicate one CPU for GUI and CLI connections when NPs are busy.

option

-

Option

Description

enable

Enable dedication of CPU #0 for management tasks.

disable

Disable dedication of CPU #0 for management tasks.

fastpath *

Enable/disable NP6 offloading (also called fast path).

option

-

Option

Description

disable

Disable NP6 offloading (fast path).

enable

Enable NP6 offloading (fast path).

gtp-enhanced-cpu-range *

GTP enhanced CPU range option.

option

-

Option

Description

0

Inspect GTPU packets by all CPUs.

1

Inspect GTPU packets by Master CPUs.

2

Inspect GTPU packets by Slave CPUs.

gtp-enhanced-mode *

Enable/disable GTP enhanced mode.

option

-

Option

Description

enable

Enable GTP enhanced mode.

disable

Disable GTP enhanced mode.

host-shortcut-mode *

Set np6 host shortcut mode.

option

-

Option

Description

bi-directional

Offload TCP and IP Tunnel sessions in both directions between 10G and 1G interfaces (normal operation).

host-shortcut

Only offload TCP and IP Tunnel sessions received by 1G interfaces. Select if packets are dropped for offloaded traffic between 10G to 1G interfaces.

htx-gtse-quota *

Configure HTX GTSE quota.

option

-

Option

Description

100Mbps

100Mbps.

200Mbps

200Mbps.

300Mbps

300Mbps.

400Mbps

400Mbps.

500Mbps

500Mbps.

600Mbps

600Mbps.

700Mbps

700Mbps.

800Mbps

800Mbps.

900Mbps

900Mbps.

1Gbps

1Gbps.

2Gbps

2Gbps.

4Gbps

4Gbps.

8Gbps

8Gbps.

10Gbps

10Gbps.

iph-rsvd-re-cksum *

Enable/disable IP checksum re-calculation for packets with iph.reserved bit set.

option

-

Option

Description

enable

Enable IP checksum re-calculation for packets with iph.reserved bit set.

disable

Disable IP checksum re-calculation for packets with iph.reserved bit set.

ipsec-dec-subengine-mask *

IPsec decryption subengine mask.

user

Not Specified

ipsec-enc-subengine-mask *

IPsec encryption subengine mask.

user

Not Specified

ipsec-inbound-cache *

Enable/disable IPsec inbound cache for anti-replay.

option

-

Option

Description

enable

Enable inbound cache always.

disable

Disable inbound cache when IPsec anti-replay is on.

ipsec-mtu-override *

Enable/disable NP6 IPsec MTU override.

option

-

Option

Description

disable

Disable NP6 IPsec MTU override.

enable

Enable NP6 IPsec MTU override.

ipsec-over-vlink *

Enable/disable IPSEC over vlink.

option

-

Option

Description

enable

Enable IPSEC over vlink.

disable

Disable IPSEC over vlink.

lag-out-port-select *

Enable/disable LAG outgoing port selection based on incoming traffic port.

option

-

Option

Description

disable

Disable LAG outgoing port selection based on incoming traffic port.

enable

Enable LAG outgoing port selection based on incoming traffic port.

mcast-session-accounting *

Enable/disable traffic accounting for each multicast session through TAE counter.

option

-

Option

Description

tpe-based

Enable TPE-based multicast session accounting.

session-based

Enable session-based multicast session accounting.

disable

Disable multicast session accounting.

np6-cps-optimization-mode *

Enable/disable NP6 connection per second (CPS) optimization mode.

option

-

Option

Description

enable

Enable NP6 connection per second (CPS) optimization mode.

disable

Disable NP6 connection per second (CPS) optimization mode.

per-session-accounting *

Enable/disable per-session accounting.

option

-

Option

Description

disable

Disable per-session accounting.

traffic-log-only

Per-session accounting only for sessions with traffic logging enabled in firewall policy.

enable

Per-session accounting for all sessions.

qos-mode *

QoS mode on switch and NP.

option

-

Option

Description

disable

Disable QoS on switch and NP.

priority

Priority based.

round-robin

Round Robin Scheduler.

rdp-offload *

Enable/disable rdp offload.

option

-

Option

Description

enable

Enable reliable datagram protocol traffic offload.

disable

Disable reliable datagram protocol traffic offload.

recover-np6-link *

Enable/disable internal link failure check and recovery after boot up.

option

-

Option

Description

enable

Enable internal link failure check and recovery after boot up.

disable

Disable internal link failure check and recovery after boot up.

sse-backpressure *

Enable/disable sse backpressure.

option

-

Option

Description

enable

Enable sse backpressureg.

disable

Disable sse backpressureg.

strip-clear-text-padding *

Enable/disable stripping clear text padding.

option

-

Option

Description

enable

Enable stripping clear text padding.

disable

Disable stripping clear text padding.

strip-esp-padding *

Enable/disable stripping ESP padding.

option

-

Option

Description

enable

Enable stripping ESP padding.

disable

Disable stripping ESP padding.

sw-np-bandwidth *

Bandwidth from switch to NP.

option

-

Option

Description

0G

Default value. No bandwidth control.

2G

2Gbps.

4G

4Gbps.

5G

5Gbps.

6G

6Gbps.

switch-np-hash *

Switch-NP trunk port selection Criteria.

option

-

Option

Description

src-ip

Source IP address.

dst-ip

Destination IP address.

src-dst-ip

Source+dest IP address.

uesp-offload *

Enable/disable UDP-encapsulated ESP offload.

option

-

Option

Description

enable

Enable UDP-encapsulated ESP traffic offload.

disable

Disable UDP-encapsulated ESP traffic offload.

* This parameter may not exist in some models.

config fp-anomaly

Parameter

Description

Type

Size

ipv4-ver-err

Invalid IPv4 header version anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid header version.

trap-to-host

Forward IPv4 invalid header version to main CPU for processing.

ipv4-ihl-err

Invalid IPv4 header length anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid header length.

trap-to-host

Forward IPv4 invalid header length to main CPU for processing.

ipv4-len-err

Invalid IPv4 packet length anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid packet length.

trap-to-host

Forward IPv4 invalid packet length to main CPU for processing.

ipv4-ttlzero-err

Invalid IPv4 TTL field zero anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid TTL field zero.

trap-to-host

Forward IPv4 invalid TTL field zero to main CPU for processing.

ipv4-csum-err

Invalid IPv4 packet checksum anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid L3 checksum.

trap-to-host

Forward IPv4 invalid L3 checksum to main CPU for processing.

ipv4-opt-err

Invalid IPv4 option parsing anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid option parsing.

trap-to-host

Forward IPv4 invalid option parsing to main CPU for processing.

tcp-hlen-err

Invalid IPv4 TCP header length anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid TCP packet header length.

trap-to-host

Forward IPv4 invalid TCP packet header length to main CPU for processing.

tcp-plen-err

Invalid IPv4 TCP packet length anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid TCP packet length.

trap-to-host

Forward IPv4 invalid TCP packet length to main CPU for processing.

tcp-csum-err

Invalid IPv4 TCP packet checksum anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid TCP packet checksum.

trap-to-host

Forward IPv4 invalid TCP packet checksum to main CPU for processing.

udp-plen-err

Invalid IPv4 UDP packet minimum length anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid UDP packet minimum length.

trap-to-host

Forward IPv4 invalid UDP packet minimum length to main CPU for processing.

udp-hlen-err

Invalid IPv4 UDP packet header length anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid UDP header length.

trap-to-host

Forward IPv4 invalid UDP header length to main CPU for processing.

udp-csum-err

Invalid IPv4 UDP packet checksum anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid UDP packet checksum.

trap-to-host

Forward IPv4 invalid UDP packet checksum to main CPU for processing.

udp-len-err

Invalid IPv4 UDP packet length anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid UDP packet length.

trap-to-host

Forward IPv4 invalid UDP packet length to main CPU for processing.

udplite-cover-err

Invalid IPv4 UDP-Lite packet coverage anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid UDP-Lite packet coverage.

trap-to-host

Forward IPv4 invalid UDP-Lite packet coverage to main CPU for processing.

udplite-csum-err

Invalid IPv4 UDP-Lite packet checksum anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid UDP-Lite packet checksum.

trap-to-host

Forward IPv4 invalid UDP-Lite packet checksum to main CPU for processing.

icmp-minlen-err

Invalid IPv4 ICMP short packet anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid ICMP short packet.

trap-to-host

Forward IPv4 invalid ICMP short packet to main CPU for processing.

icmp-csum-err

Invalid IPv4 ICMP packet checksum anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid ICMP checksum.

trap-to-host

Forward IPv4 invalid ICMP checksum to main CPU for processing.

esp-minlen-err

Invalid IPv4 ESP short packet anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid ESP short packet.

trap-to-host

Forward IPv4 invalid ESP short packet to main CPU for processing.

unknproto-minlen-err

Invalid IPv4 L4 unknown protocol short packet anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid L4 unknown protocol short packet.

trap-to-host

Forward IPv4 invalid L4 unknown protocol short packet to main CPU for processing.

ipv6-ver-err

Invalid IPv6 packet version anomalies.

option

-

Option

Description

drop

Drop IPv6 with invalid packet version.

trap-to-host

Forward IPv6 with invalid packet version to FortiOS.

ipv6-ihl-err

Invalid IPv6 packet length anomalies.

option

-

Option

Description

drop

Drop IPv6 with invalid packet length.

trap-to-host

Forward IPv6 with invalid packet length to FortiOS.

ipv6-plen-zero

Invalid IPv6 packet payload length zero anomalies.

option

-

Option

Description

drop

Drop IPv6 with invalid packet payload length zero.

trap-to-host

Forward IPv6 with invalid packet payload length zero to FortiOS.

ipv6-exthdr-order-err

Invalid IPv6 packet extension header ordering anomalies.

option

-

Option

Description

drop

Drop IPv6 with invalid packet extension header ordering.

trap-to-host

Forward IPv6 with invalid packet extension header ordering to FortiOS.

ipv6-exthdr-len-err

Invalid IPv6 packet chain extension header total length anomalies.

option

-

Option

Description

drop

Drop IPv6 with invalid packet chain extension header total length.

trap-to-host

Forward IPv6 with invalid packet chain extension header total length to FortiOS.

config isf-np-queues

Parameter

Description

Type

Size

cos0

CoS profile name for CoS 0.

string

Maximum length: 35

cos1

CoS profile name for CoS 1.

string

Maximum length: 35

cos2

CoS profile name for CoS 2.

string

Maximum length: 35

cos3

CoS profile name for CoS 3.

string

Maximum length: 35

cos4

CoS profile name for CoS 4.

string

Maximum length: 35

cos5

CoS profile name for CoS 5.

string

Maximum length: 35

cos6

CoS profile name for CoS 6.

string

Maximum length: 35

cos7

CoS profile name for CoS 7.

string

Maximum length: 35

config port-cpu-map

Parameter

Description

Type

Size

interface

The interface to map to a CPU core.

string

Maximum length: 15

cpu-core

The CPU core to map to an interface.

string

Maximum length: 31

config port-npu-map

Parameter

Description

Type

Size

interface

Set npu interface port to NPU group map.

string

Maximum length: 15

npu-group-index

Mapping NPU group index.

integer

Minimum value: 0 Maximum value: 4294967295

config priority-protocol

Parameter

Description

Type

Size

bgp

Enable/disable NPU BGP priority protocol.

option

-

Option

Description

enable

Enable NPU BGP priority protocol.

disable

Disable NPU BGP priority protocol.

slbc

Enable/disable NPU SLBC priority protocol.

option

-

Option

Description

enable

Enable NPU SLBC priority protocol.

disable

Disable NPU SLBC priority protocol.

bfd

Enable/disable NPU BFD priority protocol.

option

-

Option

Description

enable

Enable NPU BFD priority protocol.

disable

Disable NPU BFD priority protocol.

config system npu

config system npu

Note

This command is available for model(s): FortiGate 1000D, FortiGate 100EF, FortiGate 100E, FortiGate 100F, FortiGate 101E, FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 1200D, FortiGate 140E-POE, FortiGate 140E, FortiGate 1500DT, FortiGate 1500D, FortiGate 2000E, FortiGate 200E, FortiGate 201E, FortiGate 2200E, FortiGate 2201E, FortiGate 2500E, FortiGate 3000D, FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E, FortiGate 3401E, FortiGate 3600E, FortiGate 3601E, FortiGate 3700D, FortiGate 3800D, FortiGate 3810D, FortiGate 3815D, FortiGate 3960E, FortiGate 3980E, FortiGate 400D, FortiGate 400E Bypass, FortiGate 400E, FortiGate 401E, FortiGate 40F 3G4G, FortiGate 40F, FortiGate 5001D, FortiGate 5001E1, FortiGate 5001E, FortiGate 500D, FortiGate 500E, FortiGate 501E, FortiGate 600D, FortiGate 600E, FortiGate 601E, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E, FortiGate 61F, FortiGate 800D, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE, FortiGate 81F, FortiGate 900D, FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.

It is not available for: FortiGate 100D, FortiGate 140D-POE, FortiGate 140D, FortiGate 30E 3G4G GBL, FortiGate 30E 3G4G INTL, FortiGate 30E 3G4G NAM, FortiGate 30E, FortiGate 50E, FortiGate 51E, FortiGate 52E, FortiGate 90E, FortiGate 91E, FortiGate 92D, FortiGate VM64, FortiGateRugged 30D, FortiGateRugged 90D, FortiWiFi 30E 3G4G INTL, FortiWiFi 30E 3G4G NAM, FortiWiFi 30E, FortiWiFi 50E 2R, FortiWiFi 50E, FortiWiFi 51E.

Configure NPU attributes.

config system npu
    Description: Configure NPU attributes.
    set capwap-offload [enable|disable]
    set dedicated-management-cpu [enable|disable]
    set fastpath [disable|enable]
    config fp-anomaly
        Description: NP6Lite anomaly protection (packet drop or send trap to host).
        set ipv4-ver-err [drop|trap-to-host]
        set ipv4-ihl-err [drop|trap-to-host]
        set ipv4-len-err [drop|trap-to-host]
        set ipv4-ttlzero-err [drop|trap-to-host]
        set ipv4-csum-err [drop|trap-to-host]
        set ipv4-opt-err [drop|trap-to-host]
        set tcp-hlen-err [drop|trap-to-host]
        set tcp-plen-err [drop|trap-to-host]
        set tcp-csum-err [drop|trap-to-host]
        set udp-plen-err [drop|trap-to-host]
        set udp-hlen-err [drop|trap-to-host]
        set udp-csum-err [drop|trap-to-host]
        set udp-len-err [drop|trap-to-host]
        set udplite-cover-err [drop|trap-to-host]
        set udplite-csum-err [drop|trap-to-host]
        set icmp-minlen-err [drop|trap-to-host]
        set icmp-csum-err [drop|trap-to-host]
        set esp-minlen-err [drop|trap-to-host]
        set unknproto-minlen-err [drop|trap-to-host]
        set ipv6-ver-err [drop|trap-to-host]
        set ipv6-ihl-err [drop|trap-to-host]
        set ipv6-plen-zero [drop|trap-to-host]
        set ipv6-exthdr-order-err [drop|trap-to-host]
        set ipv6-exthdr-len-err [drop|trap-to-host]
    end
    set gtp-enhanced-cpu-range [0|1|...]
    set gtp-enhanced-mode [enable|disable]
    set host-shortcut-mode [bi-directional|host-shortcut]
    set htx-gtse-quota [100Mbps|200Mbps|...]
    set iph-rsvd-re-cksum [enable|disable]
    set ipsec-dec-subengine-mask {user}
    set ipsec-enc-subengine-mask {user}
    set ipsec-inbound-cache [enable|disable]
    set ipsec-mtu-override [disable|enable]
    set ipsec-over-vlink [enable|disable]
    config isf-np-queues
        Description: Configure queues of switch port connected to NP6 XAUI on ingress path.
        set cos0 {string}
        set cos1 {string}
        set cos2 {string}
        set cos3 {string}
        set cos4 {string}
        set cos5 {string}
        set cos6 {string}
        set cos7 {string}
    end
    set lag-out-port-select [disable|enable]
    set mcast-session-accounting [tpe-based|session-based|...]
    set np6-cps-optimization-mode [enable|disable]
    set per-session-accounting [disable|traffic-log-only|...]
    config port-cpu-map
        Description: Configure NPU interface to CPU core mapping.
        edit <interface>
            set cpu-core {string}
        next
    end
    config port-npu-map
        Description: Configure port to NPU group mapping.
        edit <interface>
            set npu-group-index {integer}
        next
    end
    config priority-protocol
        Description: Configure NPU priority protocol.
        set bgp [enable|disable]
        set slbc [enable|disable]
        set bfd [enable|disable]
    end
    set qos-mode [disable|priority|...]
    set rdp-offload [enable|disable]
    set recover-np6-link [enable|disable]
    set sse-backpressure [enable|disable]
    set strip-clear-text-padding [enable|disable]
    set strip-esp-padding [enable|disable]
    set sw-np-bandwidth [0G|2G|...]
    set switch-np-hash [src-ip|dst-ip|...]
    set uesp-offload [enable|disable]
end

config system npu

Parameter

Description

Type

Size

capwap-offload *

Enable/disable offloading managed FortiAP and FortiLink CAPWAP sessions.

option

-

Option

Description

enable

Enable CAPWAP offload.

disable

Disable CAPWAP offload.

dedicated-management-cpu *

Enable to dedicate one CPU for GUI and CLI connections when NPs are busy.

option

-

Option

Description

enable

Enable dedication of CPU #0 for management tasks.

disable

Disable dedication of CPU #0 for management tasks.

fastpath *

Enable/disable NP6 offloading (also called fast path).

option

-

Option

Description

disable

Disable NP6 offloading (fast path).

enable

Enable NP6 offloading (fast path).

gtp-enhanced-cpu-range *

GTP enhanced CPU range option.

option

-

Option

Description

0

Inspect GTPU packets by all CPUs.

1

Inspect GTPU packets by Master CPUs.

2

Inspect GTPU packets by Slave CPUs.

gtp-enhanced-mode *

Enable/disable GTP enhanced mode.

option

-

Option

Description

enable

Enable GTP enhanced mode.

disable

Disable GTP enhanced mode.

host-shortcut-mode *

Set np6 host shortcut mode.

option

-

Option

Description

bi-directional

Offload TCP and IP Tunnel sessions in both directions between 10G and 1G interfaces (normal operation).

host-shortcut

Only offload TCP and IP Tunnel sessions received by 1G interfaces. Select if packets are dropped for offloaded traffic between 10G to 1G interfaces.

htx-gtse-quota *

Configure HTX GTSE quota.

option

-

Option

Description

100Mbps

100Mbps.

200Mbps

200Mbps.

300Mbps

300Mbps.

400Mbps

400Mbps.

500Mbps

500Mbps.

600Mbps

600Mbps.

700Mbps

700Mbps.

800Mbps

800Mbps.

900Mbps

900Mbps.

1Gbps

1Gbps.

2Gbps

2Gbps.

4Gbps

4Gbps.

8Gbps

8Gbps.

10Gbps

10Gbps.

iph-rsvd-re-cksum *

Enable/disable IP checksum re-calculation for packets with iph.reserved bit set.

option

-

Option

Description

enable

Enable IP checksum re-calculation for packets with iph.reserved bit set.

disable

Disable IP checksum re-calculation for packets with iph.reserved bit set.

ipsec-dec-subengine-mask *

IPsec decryption subengine mask.

user

Not Specified

ipsec-enc-subengine-mask *

IPsec encryption subengine mask.

user

Not Specified

ipsec-inbound-cache *

Enable/disable IPsec inbound cache for anti-replay.

option

-

Option

Description

enable

Enable inbound cache always.

disable

Disable inbound cache when IPsec anti-replay is on.

ipsec-mtu-override *

Enable/disable NP6 IPsec MTU override.

option

-

Option

Description

disable

Disable NP6 IPsec MTU override.

enable

Enable NP6 IPsec MTU override.

ipsec-over-vlink *

Enable/disable IPSEC over vlink.

option

-

Option

Description

enable

Enable IPSEC over vlink.

disable

Disable IPSEC over vlink.

lag-out-port-select *

Enable/disable LAG outgoing port selection based on incoming traffic port.

option

-

Option

Description

disable

Disable LAG outgoing port selection based on incoming traffic port.

enable

Enable LAG outgoing port selection based on incoming traffic port.

mcast-session-accounting *

Enable/disable traffic accounting for each multicast session through TAE counter.

option

-

Option

Description

tpe-based

Enable TPE-based multicast session accounting.

session-based

Enable session-based multicast session accounting.

disable

Disable multicast session accounting.

np6-cps-optimization-mode *

Enable/disable NP6 connection per second (CPS) optimization mode.

option

-

Option

Description

enable

Enable NP6 connection per second (CPS) optimization mode.

disable

Disable NP6 connection per second (CPS) optimization mode.

per-session-accounting *

Enable/disable per-session accounting.

option

-

Option

Description

disable

Disable per-session accounting.

traffic-log-only

Per-session accounting only for sessions with traffic logging enabled in firewall policy.

enable

Per-session accounting for all sessions.

qos-mode *

QoS mode on switch and NP.

option

-

Option

Description

disable

Disable QoS on switch and NP.

priority

Priority based.

round-robin

Round Robin Scheduler.

rdp-offload *

Enable/disable rdp offload.

option

-

Option

Description

enable

Enable reliable datagram protocol traffic offload.

disable

Disable reliable datagram protocol traffic offload.

recover-np6-link *

Enable/disable internal link failure check and recovery after boot up.

option

-

Option

Description

enable

Enable internal link failure check and recovery after boot up.

disable

Disable internal link failure check and recovery after boot up.

sse-backpressure *

Enable/disable sse backpressure.

option

-

Option

Description

enable

Enable sse backpressureg.

disable

Disable sse backpressureg.

strip-clear-text-padding *

Enable/disable stripping clear text padding.

option

-

Option

Description

enable

Enable stripping clear text padding.

disable

Disable stripping clear text padding.

strip-esp-padding *

Enable/disable stripping ESP padding.

option

-

Option

Description

enable

Enable stripping ESP padding.

disable

Disable stripping ESP padding.

sw-np-bandwidth *

Bandwidth from switch to NP.

option

-

Option

Description

0G

Default value. No bandwidth control.

2G

2Gbps.

4G

4Gbps.

5G

5Gbps.

6G

6Gbps.

switch-np-hash *

Switch-NP trunk port selection Criteria.

option

-

Option

Description

src-ip

Source IP address.

dst-ip

Destination IP address.

src-dst-ip

Source+dest IP address.

uesp-offload *

Enable/disable UDP-encapsulated ESP offload.

option

-

Option

Description

enable

Enable UDP-encapsulated ESP traffic offload.

disable

Disable UDP-encapsulated ESP traffic offload.

* This parameter may not exist in some models.

config fp-anomaly

Parameter

Description

Type

Size

ipv4-ver-err

Invalid IPv4 header version anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid header version.

trap-to-host

Forward IPv4 invalid header version to main CPU for processing.

ipv4-ihl-err

Invalid IPv4 header length anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid header length.

trap-to-host

Forward IPv4 invalid header length to main CPU for processing.

ipv4-len-err

Invalid IPv4 packet length anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid packet length.

trap-to-host

Forward IPv4 invalid packet length to main CPU for processing.

ipv4-ttlzero-err

Invalid IPv4 TTL field zero anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid TTL field zero.

trap-to-host

Forward IPv4 invalid TTL field zero to main CPU for processing.

ipv4-csum-err

Invalid IPv4 packet checksum anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid L3 checksum.

trap-to-host

Forward IPv4 invalid L3 checksum to main CPU for processing.

ipv4-opt-err

Invalid IPv4 option parsing anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid option parsing.

trap-to-host

Forward IPv4 invalid option parsing to main CPU for processing.

tcp-hlen-err

Invalid IPv4 TCP header length anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid TCP packet header length.

trap-to-host

Forward IPv4 invalid TCP packet header length to main CPU for processing.

tcp-plen-err

Invalid IPv4 TCP packet length anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid TCP packet length.

trap-to-host

Forward IPv4 invalid TCP packet length to main CPU for processing.

tcp-csum-err

Invalid IPv4 TCP packet checksum anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid TCP packet checksum.

trap-to-host

Forward IPv4 invalid TCP packet checksum to main CPU for processing.

udp-plen-err

Invalid IPv4 UDP packet minimum length anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid UDP packet minimum length.

trap-to-host

Forward IPv4 invalid UDP packet minimum length to main CPU for processing.

udp-hlen-err

Invalid IPv4 UDP packet header length anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid UDP header length.

trap-to-host

Forward IPv4 invalid UDP header length to main CPU for processing.

udp-csum-err

Invalid IPv4 UDP packet checksum anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid UDP packet checksum.

trap-to-host

Forward IPv4 invalid UDP packet checksum to main CPU for processing.

udp-len-err

Invalid IPv4 UDP packet length anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid UDP packet length.

trap-to-host

Forward IPv4 invalid UDP packet length to main CPU for processing.

udplite-cover-err

Invalid IPv4 UDP-Lite packet coverage anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid UDP-Lite packet coverage.

trap-to-host

Forward IPv4 invalid UDP-Lite packet coverage to main CPU for processing.

udplite-csum-err

Invalid IPv4 UDP-Lite packet checksum anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid UDP-Lite packet checksum.

trap-to-host

Forward IPv4 invalid UDP-Lite packet checksum to main CPU for processing.

icmp-minlen-err

Invalid IPv4 ICMP short packet anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid ICMP short packet.

trap-to-host

Forward IPv4 invalid ICMP short packet to main CPU for processing.

icmp-csum-err

Invalid IPv4 ICMP packet checksum anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid ICMP checksum.

trap-to-host

Forward IPv4 invalid ICMP checksum to main CPU for processing.

esp-minlen-err

Invalid IPv4 ESP short packet anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid ESP short packet.

trap-to-host

Forward IPv4 invalid ESP short packet to main CPU for processing.

unknproto-minlen-err

Invalid IPv4 L4 unknown protocol short packet anomalies.

option

-

Option

Description

drop

Drop IPv4 invalid L4 unknown protocol short packet.

trap-to-host

Forward IPv4 invalid L4 unknown protocol short packet to main CPU for processing.

ipv6-ver-err

Invalid IPv6 packet version anomalies.

option

-

Option

Description

drop

Drop IPv6 with invalid packet version.

trap-to-host

Forward IPv6 with invalid packet version to FortiOS.

ipv6-ihl-err

Invalid IPv6 packet length anomalies.

option

-

Option

Description

drop

Drop IPv6 with invalid packet length.

trap-to-host

Forward IPv6 with invalid packet length to FortiOS.

ipv6-plen-zero

Invalid IPv6 packet payload length zero anomalies.

option

-

Option

Description

drop

Drop IPv6 with invalid packet payload length zero.

trap-to-host

Forward IPv6 with invalid packet payload length zero to FortiOS.

ipv6-exthdr-order-err

Invalid IPv6 packet extension header ordering anomalies.

option

-

Option

Description

drop

Drop IPv6 with invalid packet extension header ordering.

trap-to-host

Forward IPv6 with invalid packet extension header ordering to FortiOS.

ipv6-exthdr-len-err

Invalid IPv6 packet chain extension header total length anomalies.

option

-

Option

Description

drop

Drop IPv6 with invalid packet chain extension header total length.

trap-to-host

Forward IPv6 with invalid packet chain extension header total length to FortiOS.

config isf-np-queues

Parameter

Description

Type

Size

cos0

CoS profile name for CoS 0.

string

Maximum length: 35

cos1

CoS profile name for CoS 1.

string

Maximum length: 35

cos2

CoS profile name for CoS 2.

string

Maximum length: 35

cos3

CoS profile name for CoS 3.

string

Maximum length: 35

cos4

CoS profile name for CoS 4.

string

Maximum length: 35

cos5

CoS profile name for CoS 5.

string

Maximum length: 35

cos6

CoS profile name for CoS 6.

string

Maximum length: 35

cos7

CoS profile name for CoS 7.

string

Maximum length: 35

config port-cpu-map

Parameter

Description

Type

Size

interface

The interface to map to a CPU core.

string

Maximum length: 15

cpu-core

The CPU core to map to an interface.

string

Maximum length: 31

config port-npu-map

Parameter

Description

Type

Size

interface

Set npu interface port to NPU group map.

string

Maximum length: 15

npu-group-index

Mapping NPU group index.

integer

Minimum value: 0 Maximum value: 4294967295

config priority-protocol

Parameter

Description

Type

Size

bgp

Enable/disable NPU BGP priority protocol.

option

-

Option

Description

enable

Enable NPU BGP priority protocol.

disable

Disable NPU BGP priority protocol.

slbc

Enable/disable NPU SLBC priority protocol.

option

-

Option

Description

enable

Enable NPU SLBC priority protocol.

disable

Disable NPU SLBC priority protocol.

bfd

Enable/disable NPU BFD priority protocol.

option

-

Option

Description

enable

Enable NPU BFD priority protocol.

disable

Disable NPU BFD priority protocol.