Chapter 12 – Hardware Acceleration

config fp-anomaly-v4

Configure how the NP6 processor does IPv4 traffic anomaly protection. You can configure the NP6 processor to allow or drop the packets associated with an attack or forward the packets that are associated with the attack to FortiOS (called “trap-to-host”). Selecting “trap-to-host” turns off NP6 anomaly protection for that anomaly. If you require anomaly protection you can enable it with a DoS policy.

Command                                          Description                                                                       Default

icmp-frag {allow | drop | trap-to-host}          Detects Layer 3 fragmented packets that could be part of layer 4 ICMP anomalies.  allow
icmp-land {allow | drop | trap-to-host}          Detects ICMP land anomalies.                                                      trap-to-host
ipv4-land {allow | drop | trap-to-host}          Detects IPv4 land anomalies.                                                      trap-to-host
ipv4-optlsrr {allow | drop | trap-to-host}       Detects IPv4 with loose source record route option anomalies.                     trap-to-host
ipv4-optrr {allow | drop | trap-to-host}         Detects IPv4 with record route option anomalies.                                  trap-to-host
ipv4-optsecurity {allow | drop | trap-to-host}   Detects security option anomalies.                                                trap-to-host
ipv4-optssrr {allow | drop | trap-to-host}       Detects IPv4 with strict source record route option anomalies.                    trap-to-host
ipv4-optstream {allow | drop | trap-to-host}     Detects stream option anomalies.                                                  trap-to-host
ipv4-opttimestamp {allow | drop | trap-to-host}  Detects timestamp option anomalies.                                               trap-to-host
ipv4-proto-err {allow | drop | trap-to-host}     Detects invalid layer 4 protocol anomalies.                                       trap-to-host
ipv4-unknopt {allow | drop | trap-to-host}       Detects unknown option anomalies.                                                 trap-to-host
tcp-land {allow | drop | trap-to-host}           Detects TCP land anomalies.                                                       trap-to-host
tcp-syn-fin {allow | drop | trap-to-host}        Detects TCP SYN flood SYN/FIN flag set anomalies.                                 allow
tcp-winnuke {allow | drop | trap-to-host}        Detects TCP WinNuke anomalies.                                                    trap-to-host
tcp_fin_noack {allow | drop | trap-to-host}      Detects TCP SYN flood with FIN flag set without ACK setting anomalies.            trap-to-host
tcp_fin_only {allow | drop | trap-to-host}       Detects TCP SYN flood with only FIN flag set anomalies.                           trap-to-host
tcp_no_flag {allow | drop | trap-to-host}        Detects TCP SYN flood with no flag set anomalies.                                 allow
tcp_syn_data {allow | drop | trap-to-host}       Detects TCP SYN flood packets with data anomalies.                                allow
udp-land {allow | drop | trap-to-host}           Detects UDP land anomalies.                                                       trap-to-host
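
The table above, turned into a configuration audit: this added example (not part of the original page or of Fortinet's documentation) overlays the `set` lines of a `config fp-anomaly-v4` block on the listed defaults and reports every anomaly the NP6 is not dropping. It assumes a configuration saved as text containing a single such block with `set <option> <action>` lines; the function names and the sample are hypothetical.

```python
import re

# Defaults transcribed from the table above.
ALLOW = ["icmp-frag", "tcp-syn-fin", "tcp_no_flag", "tcp_syn_data"]
TRAP = ["icmp-land", "ipv4-land", "ipv4-optlsrr", "ipv4-optrr",
        "ipv4-optsecurity", "ipv4-optssrr", "ipv4-optstream",
        "ipv4-opttimestamp", "ipv4-proto-err", "ipv4-unknopt", "tcp-land",
        "tcp-winnuke", "tcp_fin_noack", "tcp_fin_only", "udp-land"]
DEFAULTS = {**dict.fromkeys(ALLOW, "allow"),
            **dict.fromkeys(TRAP, "trap-to-host")}
ACTIONS = {"allow", "drop", "trap-to-host"}

# Constructed sample, not taken from a real device.
SAMPLE = """\
config fp-anomaly-v4
    set icmp-frag drop
    set tcp-syn-fin drop
    set tcp-winnuke drop
    set udp-land allow
end
"""

def effective_settings(config_text):
    """Overlay `set` lines from the fp-anomaly-v4 block on the defaults."""
    settings, in_block = dict(DEFAULTS), False
    for line in map(str.strip, config_text.splitlines()):
        if line == "config fp-anomaly-v4":
            in_block = True
        elif in_block and line == "end":
            in_block = False
        elif in_block and line:
            m = re.fullmatch(r"set (\S+) (\S+)", line)
            if not m or m[1] not in DEFAULTS or m[2] not in ACTIONS:
                raise ValueError(f"unexpected line in block: {line!r}")
            settings[m[1]] = m[2]
    return settings

def audit(config_text):
    """Map each anomaly the NP6 does not drop to the reason it is flagged."""
    reasons = {"allow": "packets are allowed through",
               "trap-to-host": "NP6 protection off; DoS policy needed if required"}
    return {name: reasons[action]
            for name, action in effective_settings(config_text).items()
            if action != "drop"}

if __name__ == "__main__":
    for name, reason in sorted(audit(SAMPLE).items()):
        print(f"{name:18} {reason}")
```

An empty input returns the defaults, so the audit also shows what an unmodified configuration leaves to FortiOS or lets through.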

 

