Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    6.2.6
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.0.0
    5.6.0
    5.4.0
    5.2.0
    5.0.0

    system np6

    Configure NP6 attributes.

      config system np6
      Description: Configure NP6 attributes.
      edit <name>
          set fastpath [disable|enable]
          set low-latency-mode [disable|enable]
          set per-session-accounting [disable|traffic-log-only|...]
          set garbage-session-collector [disable|enable]
          set session-collector-interval {integer}
          set session-timeout-interval {integer}
          set session-timeout-random-range {integer}
          set session-timeout-fixed [disable|enable]
          config hpe
              Description: HPE configuration.
              set tcpsyn-max {integer}
              set tcp-max {integer}
              set udp-max {integer}
              set icmp-max {integer}
              set sctp-max {integer}
              set esp-max {integer}
              set ip-frag-max {integer}
              set ip-others-max {integer}
              set arp-max {integer}
              set l2-others-max {integer}
              set pri-type-max {integer}
              set enable-shaper [disable|enable]
          end
          config fp-anomaly
              Description: NP6 IPv4 anomaly protection. trap-to-host forwards anomaly sessions to the CPU.
              set tcp-syn-fin [allow|drop|...]
              set tcp-fin-noack [allow|drop|...]
              set tcp-fin-only [allow|drop|...]
              set tcp-no-flag [allow|drop|...]
              set tcp-syn-data [allow|drop|...]
              set tcp-winnuke [allow|drop|...]
              set tcp-land [allow|drop|...]
              set udp-land [allow|drop|...]
              set icmp-land [allow|drop|...]
              set icmp-frag [allow|drop|...]
              set ipv4-land [allow|drop|...]
              set ipv4-proto-err [allow|drop|...]
              set ipv4-unknopt [allow|drop|...]
              set ipv4-optrr [allow|drop|...]
              set ipv4-optssrr [allow|drop|...]
              set ipv4-optlsrr [allow|drop|...]
              set ipv4-optstream [allow|drop|...]
              set ipv4-optsecurity [allow|drop|...]
              set ipv4-opttimestamp [allow|drop|...]
              set ipv4-csum-err [drop|trap-to-host]
              set tcp-csum-err [drop|trap-to-host]
              set udp-csum-err [drop|trap-to-host]
              set icmp-csum-err [drop|trap-to-host]
              set ipv6-land [allow|drop|...]
              set ipv6-proto-err [allow|drop|...]
              set ipv6-unknopt [allow|drop|...]
              set ipv6-saddr-err [allow|drop|...]
              set ipv6-daddr-err [allow|drop|...]
              set ipv6-optralert [allow|drop|...]
              set ipv6-optjumbo [allow|drop|...]
              set ipv6-opttunnel [allow|drop|...]
              set ipv6-opthomeaddr [allow|drop|...]
              set ipv6-optnsap [allow|drop|...]
              set ipv6-optendpid [allow|drop|...]
              set ipv6-optinvld [allow|drop|...]
          end
      next
  end

    config system np6

    Parameter Name Description Type Size
    fastpath Enable/disable NP4 or NP6 offloading (also called fast path).
    disable: Disable NP4 or NP6 offloading (fast path).
    enable: Enable NP4 or NP6 offloading (fast path).
    		 option -
    low-latency-mode Enable/disable low latency mode.
    disable: Disable low latency mode.
    enable: Enable low latency mode.
    		 option -
    per-session-accounting Enable/disable per-session accounting.
    disable: Disable per-session accounting.
    traffic-log-only: Per-session accounting only for sessions with traffic logging enabled in firewall policy.
    enable: Per-session accounting for all sessions.
    		 option -
    garbage-session-collector Enable/disable garbage session collector.
    disable: Disable garbage session collector.
    enable: Enable garbage session collector.
    		 option -
    session-collector-interval Set garbage session collection cleanup interval (1 - 100 sec, default 64). integer Minimum value: 1 Maximum value: 100
    session-timeout-interval Set the fixed timeout for refreshing NP6 sessions (0 - 1000 sec, default 40 sec). integer Minimum value: 0 Maximum value: 1000
    session-timeout-random-range Set the random timeout range for refreshing NP6 sessions (0 - 1000 sec, default 8 sec). integer Minimum value: 0 Maximum value: 1000
    session-timeout-fixed {disable enable} Toggle between using fixed or random timeouts for refreshing NP6 sessions.
    disable: Disable Refresh NP6 sessions at the configured fixed interval.
    enable: Enable Refresh NP6 sessions randomly where the time between refreshes is within the random range.
    		 option -

    config hpe

    Parameter Name Description Type Size
    tcpsyn-max Maximum TCP SYN packet rate (10K - 4G pps, default = 5M pps). integer Minimum value: 10000 Maximum value: 4000000000
    tcp-max Maximum TCP packet rate (10K - 4G pps, default = 5M pps). integer Minimum value: 10000 Maximum value: 4000000000
    udp-max Maximum UDP packet rate (10K - 4G pps, default = 5M pps). integer Minimum value: 10000 Maximum value: 4000000000
    icmp-max Maximum ICMP packet rate (10K - 4G pps, default = 1M pps). integer Minimum value: 10000 Maximum value: 4000000000
    sctp-max Maximum SCTP packet rate (10K - 4G pps, default = 1M pps). integer Minimum value: 10000 Maximum value: 4000000000
    esp-max Maximum ESP packet rate (10K - 4G pps, default = 1M pps). integer Minimum value: 10000 Maximum value: 4000000000
    ip-frag-max Maximum fragmented IP packet rate (10K - 4G pps, default = 1M pps). integer Minimum value: 10000 Maximum value: 4000000000
    ip-others-max Maximum IP packet rate for other packets (packet types that cannot be set with other options) (10G - 4G pps, default = 1M pps). integer Minimum value: 10000 Maximum value: 4000000000
    arp-max Maximum ARP packet rate (10K - 4G pps, default = 1M pps). integer Minimum value: 10000 Maximum value: 4000000000
    l2-others-max Maximum L2 packet rate for L2 packets that are not ARP packets (10K - 4G pps, default = 1M pps). integer Minimum value: 10000 Maximum value: 4000000000
    pri-type-max Maximum overflow rate of priority type traffic(10K - 4G pps, default = 1M pps). Includes L2: HA, 802.3ad LACP, heartbeats. L3: OSPF. L4_TCP: BGP. L4_UDP: IKE, SLBC, BFD. integer Minimum value: 10000 Maximum value: 4000000000
    enable-shaper Enable/Disable NPU host protection engine (HPE) shaper.
    disable: Disable NPU HPE shaping based on packet type.
    enable: Enable NPU HPE shaping based on packet type.
    		 option -

    config fp-anomaly

    Parameter Name Description Type Size
    tcp-syn-fin TCP SYN flood SYN/FIN flag set anomalies.
    allow: Allow TCP packets with syn_fin flag set to pass.
    drop: Drop TCP packets with syn_fin flag set.
    trap-to-host: Forward TCP packets with syn_fin flag set to FortiOS.
    		 option -
    tcp-fin-noack TCP SYN flood with FIN flag set without ACK setting anomalies.
    allow: Allow TCP packets with FIN flag set without ack setting to pass.
    drop: Drop TCP packets with FIN flag set without ack setting.
    trap-to-host: Forward TCP packets with FIN flag set without ack setting to FortiOS.
    		 option -
    tcp-fin-only TCP SYN flood with only FIN flag set anomalies.
    allow: Allow TCP packets with FIN flag set only to pass.
    drop: Drop TCP packets with FIN flag set only.
    trap-to-host: Forward TCP packets with FIN flag set only to FortiOS.
    		 option -
    tcp-no-flag TCP SYN flood with no flag set anomalies.
    allow: Allow TCP packets without flag set to pass.
    drop: Drop TCP packets without flag set.
    trap-to-host: Forward TCP packets without flag set to FortiOS.
    		 option -
    tcp-syn-data TCP SYN flood packets with data anomalies.
    allow: Allow TCP syn packets with data to pass.
    drop: Drop TCP syn packets with data.
    trap-to-host: Forward TCP syn packets with data to FortiOS.
    		 option -
    tcp-winnuke TCP WinNuke anomalies.
    allow: Allow TCP packets winnuke attack to pass.
    drop: Drop TCP packets winnuke attack.
    trap-to-host: Forward TCP packets winnuke attack to FortiOS.
    		 option -
    tcp-land TCP land anomalies.
    allow: Allow TCP land attack to pass.
    drop: Drop TCP land attack.
    trap-to-host: Forward TCP land attack to FortiOS.
    		 option -
    udp-land UDP land anomalies.
    allow: Allow UDP land attack to pass.
    drop: Drop UDP land attack.
    trap-to-host: Forward UDP land attack to FortiOS.
    		 option -
    icmp-land ICMP land anomalies.
    allow: Allow ICMP land attack to pass.
    drop: Drop ICMP land attack.
    trap-to-host: Forward ICMP land attack to FortiOS.
    		 option -
    icmp-frag Layer 3 fragmented packets that could be part of layer 4 ICMP anomalies.
    allow: Allow L3 fragment packet with L4 protocol as ICMP attack to pass.
    drop: Drop L3 fragment packet with L4 protocol as ICMP attack.
    trap-to-host: Forward L3 fragment packet with L4 protocol as ICMP attack to FortiOS.
    		 option -
    ipv4-land Land anomalies.
    allow: Allow IPv4 land attack to pass.
    drop: Drop IPv4 land attack.
    trap-to-host: Forward IPv4 land attack to FortiOS.
    		 option -
    ipv4-proto-err Invalid layer 4 protocol anomalies.
    allow: Allow IPv4 invalid L4 protocol to pass.
    drop: Drop IPv4 invalid L4 protocol.
    trap-to-host: Forward IPv4 invalid L4 protocol to FortiOS.
    		 option -
    ipv4-unknopt Unknown option anomalies.
    allow: Allow IPv4 with unknown options to pass.
    drop: Drop IPv4 with unknown options.
    trap-to-host: Forward IPv4 with unknown options to FortiOS.
    		 option -
    ipv4-optrr Record route option anomalies.
    allow: Allow IPv4 with record route option to pass.
    drop: Drop IPv4 with record route option.
    trap-to-host: Forward IPv4 with record route option to FortiOS.
    		 option -
    ipv4-optssrr Strict source record route option anomalies.
    allow: Allow IPv4 with strict source record route option to pass.
    drop: Drop IPv4 with strict source record route option.
    trap-to-host: Forward IPv4 with strict source record route option to FortiOS.
    		 option -
    ipv4-optlsrr Loose source record route option anomalies.
    allow: Allow IPv4 with loose source record route option to pass.
    drop: Drop IPv4 with loose source record route option.
    trap-to-host: Forward IPv4 with loose source record route option to FortiOS.
    		 option -
    ipv4-optstream Stream option anomalies.
    allow: Allow IPv4 with stream option to pass.
    drop: Drop IPv4 with stream option.
    trap-to-host: Forward IPv4 with stream option to FortiOS.
    		 option -
    ipv4-optsecurity Security option anomalies.
    allow: Allow IPv4 with security option to pass.
    drop: Drop IPv4 with security option.
    trap-to-host: Forward IPv4 with security option to FortiOS.
    		 option -
    ipv4-opttimestamp Timestamp option anomalies.
    allow: Allow IPv4 with timestamp option to pass.
    drop: Drop IPv4 with timestamp option.
    trap-to-host: Forward IPv4 with timestamp option to FortiOS.
    		 option -
    ipv4-csum-err Invalid IPv4 IP checksum anomalies.
    drop: Drop IPv4 invalid IP checksum.
    trap-to-host: Forward IPv4 invalid IP checksum to main CPU for processing.
    		 option -
    tcp-csum-err Invalid IPv4 TCP checksum anomalies.
    drop: Drop IPv4 invalid TCP checksum.
    trap-to-host: Forward IPv4 invalid TCP checksum to main CPU for processing.
    		 option -
    udp-csum-err Invalid IPv4 UDP checksum anomalies.
    drop: Drop IPv4 invalid UDP checksum.
    trap-to-host: Forward IPv4 invalid UDP checksum to main CPU for processing.
    		 option -
    icmp-csum-err Invalid IPv4 ICMP checksum anomalies.
    drop: Drop IPv4 invalid ICMP checksum.
    trap-to-host: Forward IPv4 invalid ICMP checksum to main CPU for processing.
    		 option -
    ipv6-land Land anomalies.
    allow: Allow IPv6 land attack to pass.
    drop: Drop IPv6 land attack.
    trap-to-host: Forward IPv6 land attack to FortiOS.
    		 option -
    ipv6-proto-err Layer 4 invalid protocol anomalies.
    allow: Allow IPv6 L4 invalid protocol to pass.
    drop: Drop IPv6 L4 invalid protocol.
    trap-to-host: Forward IPv6 L4 invalid protocol to FortiOS.
    		 option -
    ipv6-unknopt Unknown option anomalies.
    allow: Allow IPv6 with unknown options to pass.
    drop: Drop IPv6 with unknown options.
    trap-to-host: Forward IPv6 with unknown options to FortiOS.
    		 option -
    ipv6-saddr-err Source address as multicast anomalies.
    allow: Allow IPv6 with source address as multicast to pass.
    drop: Drop IPv6 with source address as multicast.
    trap-to-host: Forward IPv6 with source address as multicast to FortiOS.
    		 option -
    ipv6-daddr-err Destination address as unspecified or loopback address anomalies.
    allow: Allow IPv6 with destination address as unspecified or loopback address to pass.
    drop: Drop IPv6 with destination address as unspecified or loopback address.
    trap-to-host: Forward IPv6 with destination address as unspecified or loopback address to FortiOS.
    		 option -
    ipv6-optralert Router alert option anomalies.
    allow: Allow IPv6 with router alert option to pass.
    drop: Drop IPv6 with router alert option.
    trap-to-host: Forward IPv6 with router alert option to FortiOS.
    		 option -
    ipv6-optjumbo Jumbo options anomalies.
    allow: Allow IPv6 with jumbo option to pass.
    drop: Drop IPv6 with jumbo option.
    trap-to-host: Forward IPv6 with jumbo option to FortiOS.
    		 option -
    ipv6-opttunnel Tunnel encapsulation limit option anomalies.
    allow: Allow IPv6 with tunnel encapsulation limit to pass.
    drop: Drop IPv6 with tunnel encapsulation limit.
    trap-to-host: Forward IPv6 with tunnel encapsulation limit to FortiOS.
    		 option -
    ipv6-opthomeaddr Home address option anomalies.
    allow: Allow IPv6 with home address option to pass.
    drop: Drop IPv6 with home address option.
    trap-to-host: Forward IPv6 with home address option to FortiOS.
    		 option -
    ipv6-optnsap Network service access point address option anomalies.
    allow: Allow IPv6 with network service access point address option to pass.
    drop: Drop IPv6 with network service access point address option.
    trap-to-host: Forward IPv6 with network service access point address option to FortiOS.
    		 option -
    ipv6-optendpid End point identification anomalies.
    allow: Allow IPv6 with end point identification option to pass.
    drop: Drop IPv6 with end point identification option.
    trap-to-host: Forward IPv6 with end point identification option to FortiOS.
    		 option -
    ipv6-optinvld Invalid option anomalies.Invalid option anomalies.
    allow: Allow IPv6 with invalid option to pass.
    drop: Drop IPv6 with invalid option.
    trap-to-host: Forward IPv6 with invalid option to FortiOS.
    		 option -
    Previous
    Next

    system np6

    Configure NP6 attributes.

      config system np6
      Description: Configure NP6 attributes.
      edit <name>
          set fastpath [disable|enable]
          set low-latency-mode [disable|enable]
          set per-session-accounting [disable|traffic-log-only|...]
          set garbage-session-collector [disable|enable]
          set session-collector-interval {integer}
          set session-timeout-interval {integer}
          set session-timeout-random-range {integer}
          set session-timeout-fixed [disable|enable]
          config hpe
              Description: HPE configuration.
              set tcpsyn-max {integer}
              set tcp-max {integer}
              set udp-max {integer}
              set icmp-max {integer}
              set sctp-max {integer}
              set esp-max {integer}
              set ip-frag-max {integer}
              set ip-others-max {integer}
              set arp-max {integer}
              set l2-others-max {integer}
              set pri-type-max {integer}
              set enable-shaper [disable|enable]
          end
          config fp-anomaly
              Description: NP6 IPv4 anomaly protection. trap-to-host forwards anomaly sessions to the CPU.
              set tcp-syn-fin [allow|drop|...]
              set tcp-fin-noack [allow|drop|...]
              set tcp-fin-only [allow|drop|...]
              set tcp-no-flag [allow|drop|...]
              set tcp-syn-data [allow|drop|...]
              set tcp-winnuke [allow|drop|...]
              set tcp-land [allow|drop|...]
              set udp-land [allow|drop|...]
              set icmp-land [allow|drop|...]
              set icmp-frag [allow|drop|...]
              set ipv4-land [allow|drop|...]
              set ipv4-proto-err [allow|drop|...]
              set ipv4-unknopt [allow|drop|...]
              set ipv4-optrr [allow|drop|...]
              set ipv4-optssrr [allow|drop|...]
              set ipv4-optlsrr [allow|drop|...]
              set ipv4-optstream [allow|drop|...]
              set ipv4-optsecurity [allow|drop|...]
              set ipv4-opttimestamp [allow|drop|...]
              set ipv4-csum-err [drop|trap-to-host]
              set tcp-csum-err [drop|trap-to-host]
              set udp-csum-err [drop|trap-to-host]
              set icmp-csum-err [drop|trap-to-host]
              set ipv6-land [allow|drop|...]
              set ipv6-proto-err [allow|drop|...]
              set ipv6-unknopt [allow|drop|...]
              set ipv6-saddr-err [allow|drop|...]
              set ipv6-daddr-err [allow|drop|...]
              set ipv6-optralert [allow|drop|...]
              set ipv6-optjumbo [allow|drop|...]
              set ipv6-opttunnel [allow|drop|...]
              set ipv6-opthomeaddr [allow|drop|...]
              set ipv6-optnsap [allow|drop|...]
              set ipv6-optendpid [allow|drop|...]
              set ipv6-optinvld [allow|drop|...]
          end
      next
  end

    config system np6

    Parameter Name Description Type Size
    fastpath Enable/disable NP4 or NP6 offloading (also called fast path).
    disable: Disable NP4 or NP6 offloading (fast path).
    enable: Enable NP4 or NP6 offloading (fast path).
    		 option -
    low-latency-mode Enable/disable low latency mode.
    disable: Disable low latency mode.
    enable: Enable low latency mode.
    		 option -
    per-session-accounting Enable/disable per-session accounting.
    disable: Disable per-session accounting.
    traffic-log-only: Per-session accounting only for sessions with traffic logging enabled in firewall policy.
    enable: Per-session accounting for all sessions.
    		 option -
    garbage-session-collector Enable/disable garbage session collector.
    disable: Disable garbage session collector.
    enable: Enable garbage session collector.
    		 option -
    session-collector-interval Set garbage session collection cleanup interval (1 - 100 sec, default 64). integer Minimum value: 1 Maximum value: 100
    session-timeout-interval Set the fixed timeout for refreshing NP6 sessions (0 - 1000 sec, default 40 sec). integer Minimum value: 0 Maximum value: 1000
    session-timeout-random-range Set the random timeout range for refreshing NP6 sessions (0 - 1000 sec, default 8 sec). integer Minimum value: 0 Maximum value: 1000
    session-timeout-fixed {disable enable} Toggle between using fixed or random timeouts for refreshing NP6 sessions.
    disable: Disable Refresh NP6 sessions at the configured fixed interval.
    enable: Enable Refresh NP6 sessions randomly where the time between refreshes is within the random range.
    		 option -

    config hpe

    Parameter Name Description Type Size
    tcpsyn-max Maximum TCP SYN packet rate (10K - 4G pps, default = 5M pps). integer Minimum value: 10000 Maximum value: 4000000000
    tcp-max Maximum TCP packet rate (10K - 4G pps, default = 5M pps). integer Minimum value: 10000 Maximum value: 4000000000
    udp-max Maximum UDP packet rate (10K - 4G pps, default = 5M pps). integer Minimum value: 10000 Maximum value: 4000000000
    icmp-max Maximum ICMP packet rate (10K - 4G pps, default = 1M pps). integer Minimum value: 10000 Maximum value: 4000000000
    sctp-max Maximum SCTP packet rate (10K - 4G pps, default = 1M pps). integer Minimum value: 10000 Maximum value: 4000000000
    esp-max Maximum ESP packet rate (10K - 4G pps, default = 1M pps). integer Minimum value: 10000 Maximum value: 4000000000
    ip-frag-max Maximum fragmented IP packet rate (10K - 4G pps, default = 1M pps). integer Minimum value: 10000 Maximum value: 4000000000
    ip-others-max Maximum IP packet rate for other packets (packet types that cannot be set with other options) (10G - 4G pps, default = 1M pps). integer Minimum value: 10000 Maximum value: 4000000000
    arp-max Maximum ARP packet rate (10K - 4G pps, default = 1M pps). integer Minimum value: 10000 Maximum value: 4000000000
    l2-others-max Maximum L2 packet rate for L2 packets that are not ARP packets (10K - 4G pps, default = 1M pps). integer Minimum value: 10000 Maximum value: 4000000000
    pri-type-max Maximum overflow rate of priority type traffic(10K - 4G pps, default = 1M pps). Includes L2: HA, 802.3ad LACP, heartbeats. L3: OSPF. L4_TCP: BGP. L4_UDP: IKE, SLBC, BFD. integer Minimum value: 10000 Maximum value: 4000000000
    enable-shaper Enable/Disable NPU host protection engine (HPE) shaper.
    disable: Disable NPU HPE shaping based on packet type.
    enable: Enable NPU HPE shaping based on packet type.
    		 option -

    config fp-anomaly

    Parameter Name Description Type Size
    tcp-syn-fin TCP SYN flood SYN/FIN flag set anomalies.
    allow: Allow TCP packets with syn_fin flag set to pass.
    drop: Drop TCP packets with syn_fin flag set.
    trap-to-host: Forward TCP packets with syn_fin flag set to FortiOS.
    		 option -
    tcp-fin-noack TCP SYN flood with FIN flag set without ACK setting anomalies.
    allow: Allow TCP packets with FIN flag set without ack setting to pass.
    drop: Drop TCP packets with FIN flag set without ack setting.
    trap-to-host: Forward TCP packets with FIN flag set without ack setting to FortiOS.
    		 option -
    tcp-fin-only TCP SYN flood with only FIN flag set anomalies.
    allow: Allow TCP packets with FIN flag set only to pass.
    drop: Drop TCP packets with FIN flag set only.
    trap-to-host: Forward TCP packets with FIN flag set only to FortiOS.
    		 option -
    tcp-no-flag TCP SYN flood with no flag set anomalies.
    allow: Allow TCP packets without flag set to pass.
    drop: Drop TCP packets without flag set.
    trap-to-host: Forward TCP packets without flag set to FortiOS.
    		 option -
    tcp-syn-data TCP SYN flood packets with data anomalies.
    allow: Allow TCP syn packets with data to pass.
    drop: Drop TCP syn packets with data.
    trap-to-host: Forward TCP syn packets with data to FortiOS.
    		 option -
    tcp-winnuke TCP WinNuke anomalies.
    allow: Allow TCP packets winnuke attack to pass.
    drop: Drop TCP packets winnuke attack.
    trap-to-host: Forward TCP packets winnuke attack to FortiOS.
    		 option -
    tcp-land TCP land anomalies.
    allow: Allow TCP land attack to pass.
    drop: Drop TCP land attack.
    trap-to-host: Forward TCP land attack to FortiOS.
    		 option -
    udp-land UDP land anomalies.
    allow: Allow UDP land attack to pass.
    drop: Drop UDP land attack.
    trap-to-host: Forward UDP land attack to FortiOS.
    		 option -
    icmp-land ICMP land anomalies.
    allow: Allow ICMP land attack to pass.
    drop: Drop ICMP land attack.
    trap-to-host: Forward ICMP land attack to FortiOS.
    		 option -
    icmp-frag Layer 3 fragmented packets that could be part of layer 4 ICMP anomalies.
    allow: Allow L3 fragment packet with L4 protocol as ICMP attack to pass.
    drop: Drop L3 fragment packet with L4 protocol as ICMP attack.
    trap-to-host: Forward L3 fragment packet with L4 protocol as ICMP attack to FortiOS.
    		 option -
    ipv4-land Land anomalies.
    allow: Allow IPv4 land attack to pass.
    drop: Drop IPv4 land attack.
    trap-to-host: Forward IPv4 land attack to FortiOS.
    		 option -
    ipv4-proto-err Invalid layer 4 protocol anomalies.
    allow: Allow IPv4 invalid L4 protocol to pass.
    drop: Drop IPv4 invalid L4 protocol.
    trap-to-host: Forward IPv4 invalid L4 protocol to FortiOS.
    		 option -
    ipv4-unknopt Unknown option anomalies.
    allow: Allow IPv4 with unknown options to pass.
    drop: Drop IPv4 with unknown options.
    trap-to-host: Forward IPv4 with unknown options to FortiOS.
    		 option -
    ipv4-optrr Record route option anomalies.
    allow: Allow IPv4 with record route option to pass.
    drop: Drop IPv4 with record route option.
    trap-to-host: Forward IPv4 with record route option to FortiOS.
    		 option -
    ipv4-optssrr Strict source record route option anomalies.
    allow: Allow IPv4 with strict source record route option to pass.
    drop: Drop IPv4 with strict source record route option.
    trap-to-host: Forward IPv4 with strict source record route option to FortiOS.
    		 option -
    ipv4-optlsrr Loose source record route option anomalies.
    allow: Allow IPv4 with loose source record route option to pass.
    drop: Drop IPv4 with loose source record route option.
    trap-to-host: Forward IPv4 with loose source record route option to FortiOS.
    		 option -
    ipv4-optstream Stream option anomalies.
    allow: Allow IPv4 with stream option to pass.
    drop: Drop IPv4 with stream option.
    trap-to-host: Forward IPv4 with stream option to FortiOS.
    		 option -
    ipv4-optsecurity Security option anomalies.
    allow: Allow IPv4 with security option to pass.
    drop: Drop IPv4 with security option.
    trap-to-host: Forward IPv4 with security option to FortiOS.
    		 option -
    ipv4-opttimestamp Timestamp option anomalies.
    allow: Allow IPv4 with timestamp option to pass.
    drop: Drop IPv4 with timestamp option.
    trap-to-host: Forward IPv4 with timestamp option to FortiOS.
    		 option -
    ipv4-csum-err Invalid IPv4 IP checksum anomalies.
    drop: Drop IPv4 invalid IP checksum.
    trap-to-host: Forward IPv4 invalid IP checksum to main CPU for processing.
    		 option -
    tcp-csum-err Invalid IPv4 TCP checksum anomalies.
    drop: Drop IPv4 invalid TCP checksum.
    trap-to-host: Forward IPv4 invalid TCP checksum to main CPU for processing.
    		 option -
    udp-csum-err Invalid IPv4 UDP checksum anomalies.
    drop: Drop IPv4 invalid UDP checksum.
    trap-to-host: Forward IPv4 invalid UDP checksum to main CPU for processing.
    		 option -
    icmp-csum-err Invalid IPv4 ICMP checksum anomalies.
    drop: Drop IPv4 invalid ICMP checksum.
    trap-to-host: Forward IPv4 invalid ICMP checksum to main CPU for processing.
    		 option -
    ipv6-land Land anomalies.
    allow: Allow IPv6 land attack to pass.
    drop: Drop IPv6 land attack.
    trap-to-host: Forward IPv6 land attack to FortiOS.
    		 option -
    ipv6-proto-err Layer 4 invalid protocol anomalies.
    allow: Allow IPv6 L4 invalid protocol to pass.
    drop: Drop IPv6 L4 invalid protocol.
    trap-to-host: Forward IPv6 L4 invalid protocol to FortiOS.
    		 option -
    ipv6-unknopt Unknown option anomalies.
    allow: Allow IPv6 with unknown options to pass.
    drop: Drop IPv6 with unknown options.
    trap-to-host: Forward IPv6 with unknown options to FortiOS.
    		 option -
    ipv6-saddr-err Source address as multicast anomalies.
    allow: Allow IPv6 with source address as multicast to pass.
    drop: Drop IPv6 with source address as multicast.
    trap-to-host: Forward IPv6 with source address as multicast to FortiOS.
    		 option -
    ipv6-daddr-err Destination address as unspecified or loopback address anomalies.
    allow: Allow IPv6 with destination address as unspecified or loopback address to pass.
    drop: Drop IPv6 with destination address as unspecified or loopback address.
    trap-to-host: Forward IPv6 with destination address as unspecified or loopback address to FortiOS.
    		 option -
    ipv6-optralert Router alert option anomalies.
    allow: Allow IPv6 with router alert option to pass.
    drop: Drop IPv6 with router alert option.
    trap-to-host: Forward IPv6 with router alert option to FortiOS.
    		 option -
    ipv6-optjumbo Jumbo options anomalies.
    allow: Allow IPv6 with jumbo option to pass.
    drop: Drop IPv6 with jumbo option.
    trap-to-host: Forward IPv6 with jumbo option to FortiOS.
    		 option -
    ipv6-opttunnel Tunnel encapsulation limit option anomalies.
    allow: Allow IPv6 with tunnel encapsulation limit to pass.
    drop: Drop IPv6 with tunnel encapsulation limit.
    trap-to-host: Forward IPv6 with tunnel encapsulation limit to FortiOS.
    		 option -
    ipv6-opthomeaddr Home address option anomalies.
    allow: Allow IPv6 with home address option to pass.
    drop: Drop IPv6 with home address option.
    trap-to-host: Forward IPv6 with home address option to FortiOS.
    		 option -
    ipv6-optnsap Network service access point address option anomalies.
    allow: Allow IPv6 with network service access point address option to pass.
    drop: Drop IPv6 with network service access point address option.
    trap-to-host: Forward IPv6 with network service access point address option to FortiOS.
    		 option -
    ipv6-optendpid End point identification anomalies.
    allow: Allow IPv6 with end point identification option to pass.
    drop: Drop IPv6 with end point identification option.
    trap-to-host: Forward IPv6 with end point identification option to FortiOS.
    		 option -
    ipv6-optinvld Invalid option anomalies.Invalid option anomalies.
    allow: Allow IPv6 with invalid option to pass.
    drop: Drop IPv6 with invalid option.
    trap-to-host: Forward IPv6 with invalid option to FortiOS.
    		 option -
    Previous
    Next