NP7 handling of ICMP checksum errors during anomaly checking

You can use the following command to configure NP7 processors to send ICMP packets with checksum errors to the CPU:

config system npu
    config fp-anomaly
        set icmp-csum-err trap-to-host
    end
end

You might set up this configuration if you have configured a DoS firewall policy that includes ICMP DoS protection.

In addition to the above configuration, you must also use the following command (new to FortiOS 6.4.8) to control whether NP7 processors block ICMP packets with checksum errors or send them to the CPU:

config system npu
    set htx-icmp-csum-chk {drop | pass}
end

drop: block ICMP packets with checksum errors. This is the default setting.

pass: forward ICMP packets with checksum errors to the CPU.
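
To show what an ICMP checksum error is when testing these settings, the following Python example (added here, not Fortinet code and not a description of how NP7 implements the check) verifies the RFC 1071 checksum of an ICMP message inside an IPv4 packet. The function names, the documentation-range addresses and the sample packets are constructed for illustration.

```python
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"  # odd-length messages are padded with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request (type 8, code 0) carrying a correct checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def wrap_ipv4(icmp: bytes, src: bytes, dst: bytes) -> bytes:
    """Prepend a minimal 20-byte IPv4 header (protocol 1 = ICMP)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp),
                      0, 0, 64, 1, 0, src, dst)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:] + icmp

def icmp_checksum_ok(packet: bytes):
    """True or False for ICMP-in-IPv4; None if the packet is not parseable ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 1 or ihl < 20 or total_len > len(packet) or total_len < ihl + 8:
        return None
    # Summed with its own checksum field included, a valid message yields 0.
    return internet_checksum(packet[ihl:total_len]) == 0

# Constructed samples: one valid echo request and a copy with one payload bit flipped.
SRC, DST = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])
SAMPLE_GOOD = wrap_ipv4(build_echo_request(0x1234, 1, b"constructed-sample"), SRC, DST)
SAMPLE_BAD = SAMPLE_GOOD[:-1] + bytes([SAMPLE_GOOD[-1] ^ 0x01])

if __name__ == "__main__":
    for name, pkt in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, "checksum valid:", icmp_checksum_ok(pkt))
```

A packet like SAMPLE_BAD is the kind that htx-icmp-csum-chk drops by default and that reaches the CPU only when the setting is pass.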
