Configure TCP NPU session delay globally
The TCP NPU session delay can be applied globally, so it does not need to be set in each firewall policy.
    config system global
        set delay-tcp-npu-session {enable | disable}
    end
This global setting is disabled by default. When it is disabled and the host interface is busy, the third packet of the TCP three-way handshake (the ACK received from the client) may be transmitted to the server after the data packets. When it is enabled, the packet order of the three-way handshake is guaranteed.
A sniffer trace will display the following when the setting is disabled:
    # diagnose sniffer packet port1 'tcp' 6 0 a
    interfaces=[port1]
    filters=[tcp]
    2024-04-17 20:42:48.920621 port1 -- 172.16.200.55.45028 -> 10.1.100.11.80: syn 1844864123
    0x0000 8439 8ff2 9c30 000c 2960 1955 0800 4500  .9...0..)`.U..E.
    0x0010 003c 868a 4000 4006 d1dd ac10 c837 0a01  .<..@.@......7..
    0x0020 640b afe4 0050 6df6 647b 0000 0000 a002  d....Pm.d{......
    0x0030 70bc 3f42 0000 0204 05a3 0402 080a 5026  p.?B..........P&
    0x0040 e2f1 0000 0000 0103 0307                 ..........

    2024-04-17 20:42:48.921391 port1 -- 10.1.100.11.80 -> 172.16.200.55.45028: syn 2427492278 ack 1844864124
    0x0000 000c 2960 1955 8439 8ff2 9c30 0800 4500  ..)`.U.9...0..E.
    0x0010 003c 0000 4000 3e06 5a68 0a01 640b ac10  .<..@.>.Zh..d...
    0x0020 c837 0050 afe4 90b0 97b6 6df6 647c a012  .7.P......m.d|..
    0x0030 7120 d861 0000 0204 0576 0402 080a 5029  q..a.....v....P)
    0x0040 ee07 5026 e2f1 0103 0307                 ..P&......

    2024-04-17 20:42:48.921586 port1 -- 172.16.200.55.45028 -> 10.1.100.11.80: ack 2427492279
    0x0000 8439 8ff2 9c30 000c 2960 1955 0800 4500  .9...0..)`.U..E.
    0x0010 0034 868b 4000 4006 d1e4 ac10 c837 0a01  .4..@.@......7..
    0x0020 640b afe4 0050 6df6 647c 90b0 97b7 8010  d....Pm.d|......
    0x0030 00e2 772e 0000 0101 080a 5026 e2f1 5029  ..w.......P&..P)
    0x0040 ee07                                     ..

    2024-04-17 20:42:48.922499 port1 -- 10.1.100.11.80 -> 172.16.200.55.45028: ack 1844864277
    0x0000 000c 2960 1955 8439 8ff2 9c30 0800 4500  ..)`.U.9...0..E.
    0x0010 0034 79b0 4000 3e06 e0bf 0a01 640b ac10  .4y.@.>.....d...
    0x0020 c837 0050 afe4 90b0 97b7 6df6 6515 8010  .7.P......m.e...
    0x0030 00eb 768c 0000 0101 080a 5029 ee07 5026  ..v.......P)..P&
    0x0040 e2f1
A sniffer trace will display the following when the setting is enabled:
    # diagnose sniffer packet port1 'tcp' 6 0 a
    interfaces=[port1]
    filters=[tcp]
    2024-04-17 20:37:11.440240 port1 -- 172.16.200.55.43672 -> 10.1.100.11.80: syn 780932462
    0x0000 8439 8ff2 9c30 000c 2960 1955 0800 4500  .9...0..)`.U..E.
    0x0010 003c 8c31 4000 4006 cc36 ac10 c837 0a01  .<.1@.@..6...7..
    0x0020 640b aa98 0050 2e8c 156e 0000 0000 a002  d....P...n......
    0x0030 70bc 1c99 0000 0204 05a3 0402 080a 5025  p.............P%
    0x0040 995f 0000 0000 0103 0307                 ._........

    2024-04-17 20:37:11.440925 port1 -- 10.1.100.11.80 -> 172.16.200.55.43672: syn 3325091396 ack 780932463
    0x0000 000c 2960 1955 8439 8ff2 9c30 0800 4500  ..)`.U.9...0..E.
    0x0010 003c 0000 4000 3e06 5a68 0a01 640b ac10  .<..@.>.Zh..d...
    0x0020 c837 0050 aa98 c630 de44 2e8c 156f a012  .7.P...0.D...o..
    0x0030 7120 833c 0000 0204 0576 0402 080a 5028  q..<.....v....P(
    0x0040 a476 5025 995f 0103 0307                 .vP%._....

    2024-04-17 20:37:11.441126 port1 -- 172.16.200.55.43672 -> 10.1.100.11.80: ack 3325091397
    0x0000 8439 8ff2 9c30 000c 2960 1955 0800 4500  .9...0..)`.U..E.
    0x0010 0034 8c32 4000 4006 cc3d ac10 c837 0a01  .4.2@.@..=...7..
    0x0020 640b aa98 0050 2e8c 156f c630 de45 8010  d....P...o.0.E..
    0x0030 00e2 2209 0000 0101 080a 5025 995f 5028  ..".......P%._P(
    0x0040 a476                                     .v

    2024-04-17 20:37:11.441518 port1 -- 172.16.200.55.43672 -> 10.1.100.11.80: psh 780932463 ack 3325091397
    0x0000 8439 8ff2 9c30 000c 2960 1955 0800 4500  .9...0..)`.U..E.
    0x0010 00cd 8c33 4000 4006 cba3 ac10 c837 0a01  ...3@.@......7..
    0x0020 640b aa98 0050 2e8c 156f c630 de45 8018  d....P...o.0.E..
    0x0030 00e2 feba 0000 0101 080a 5025 995f 5028  ..........P%._P(
    0x0040 a476 4745 5420 2f76 6972 7573 2f69 6d61  .vGET./virus/ima
    0x0050 6765 2e6f 7574 2048 5454 502f 312e 310d  ge.out.HTTP/1.1.
    0x0060 0a55 7365 722d 4167 656e 743a 2057 6765  .User-Agent:.Wge
    0x0070 742f 312e 3137 2e31 2028 6c69 6e75 782d  t/1.17.1.(linux-
    0x0080 676e 7529 0d0a 4163 6365 7074 3a20 2a2f  gnu)..Accept:.*/
    0x0090 2a0d 0a41 6363 6570 742d 456e 636f 6469  *..Accept-Encodi
    0x00a0 6e67 3a20 6964 656e 7469 7479 0d0a 486f  ng:.identity..Ho
    0x00b0 7374 3a20 3130 2e31 2e31 3030 2e31 310d  st:.10.1.100.11.
    0x00c0 0a43 6f6e 6e65 6374 696f 6e3a 204b 6565  .Connection:.Kee
    0x00d0 702d 416c 6976 650d 0a0d 0a              p-Alive....

    2024-04-17 20:37:11.441883 port1 -- 10.1.100.11.80 -> 172.16.200.55.43672: ack 780932616
    0x0000 000c 2960 1955 8439 8ff2 9c30 0800 4500  ..)`.U.9...0..E.
    0x0010 0034 7a33 4000 3e06 e03c 0a01 640b ac10  .4z3@.>..<..d...
    0x0020 c837 0050 aa98 c630 de45 2e8c 1608 8010  .7.P...0.E......
    0x0030 00eb 2167 0000 0101 080a 5028 a476 5025  ..!g......P(.vP%
    0x0040 995f
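The following Python is an added example, not part of the original page or of Fortinet's tooling. It parses the packet summary lines of the two traces above (hex dumps omitted), lists the order of events, and reports whether the client's first data segment appears in the capture and how many payload bytes the server acknowledges. It assumes the trace contains a single TCP connection; the names `parse` and `summarize` are illustrative.

```python
import re

# Packet summary line of the sniffer output shown above: timestamp, interface, src -> dst: flags.
SUMMARY = re.compile(
    r"^\d{4}-\d\d-\d\d [\d:.]+ \S+ -- ([\d.]+) -> ([\d.]+): (.+)$")

def parse(trace):
    """Return [(src, dst, {flag: number})] for every packet summary line."""
    packets = []
    for line in trace.splitlines():
        m = SUMMARY.match(line.strip())
        if m:  # hex dump and header lines do not match
            words = m.group(3).split()
            flags = dict(zip(words[0::2], map(int, words[1::2])))
            packets.append((m.group(1), m.group(2), flags))
    return packets

def summarize(trace):
    """Summarize the single TCP connection in the trace (assumption: only one)."""
    pkts = parse(trace)
    client, server, syn = next(p for p in pkts if "syn" in p[2] and "ack" not in p[2])
    first_data = syn["syn"] + 1  # sequence number of the first client payload byte
    events, acked = [], 0
    for src, _dst, f in pkts:
        events.append(("client:" if src == client else "server:") + "+".join(f))
        if src == server and "ack" in f and "syn" not in f:
            acked = max(acked, (f["ack"] - first_data) % 2**32)
    return {"events": events,
            "client_data_captured": any(e.startswith("client:psh") for e in events),
            "bytes_acked_by_server": acked}

# Summary lines copied from the two traces on this page (hex dumps omitted).
DISABLED = """\
2024-04-17 20:42:48.920621 port1 -- 172.16.200.55.45028 -> 10.1.100.11.80: syn 1844864123
2024-04-17 20:42:48.921391 port1 -- 10.1.100.11.80 -> 172.16.200.55.45028: syn 2427492278 ack 1844864124
2024-04-17 20:42:48.921586 port1 -- 172.16.200.55.45028 -> 10.1.100.11.80: ack 2427492279
2024-04-17 20:42:48.922499 port1 -- 10.1.100.11.80 -> 172.16.200.55.45028: ack 1844864277
"""
ENABLED = """\
2024-04-17 20:37:11.440240 port1 -- 172.16.200.55.43672 -> 10.1.100.11.80: syn 780932462
2024-04-17 20:37:11.440925 port1 -- 10.1.100.11.80 -> 172.16.200.55.43672: syn 3325091396 ack 780932463
2024-04-17 20:37:11.441126 port1 -- 172.16.200.55.43672 -> 10.1.100.11.80: ack 3325091397
2024-04-17 20:37:11.441518 port1 -- 172.16.200.55.43672 -> 10.1.100.11.80: psh 780932463 ack 3325091397
2024-04-17 20:37:11.441883 port1 -- 10.1.100.11.80 -> 172.16.200.55.43672: ack 780932616
"""

if __name__ == "__main__":
    for name, t in (("disabled", DISABLED), ("enabled", ENABLED)):
        print(name, summarize(t))
```

On the page's traces, the server acknowledges 153 bytes in both captures, but the client's `psh` segment appears only in the capture taken with the setting enabled.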