Offloading NP4 anomaly detection
Network interfaces associated with a port attached to an NP4 processor can be configured to offload anomaly checking to the NP4 processor. This anomaly checking happens before other offloading and separately from DoS policy anomaly checking. Using the following command, each FortiGate interface can have a different anomaly checking configuration even if they are connected to the same NP4 processor.
The options available for this command apply anomaly checking for NP4 sessions in the same way as the command descrbed in Configuring individual NP6 processors on page 1215 applies anomaly checking for for NP6 sessions.
config system interface edit <port-name>
set fp-anomaly <anomalies>
where <anomalies> can be one, more than one or all of the following:
drop_icmp_frag Drop ICMP fragments to pass.
drop_icmpland Drop ICMP Land.
drop_ipland Drop IP Land.
drop_iplsrr Drop IP with Loose Source Record Route option.
drop_iprr Drop IP with Record Route option.
drop_ipsecurity Drop IP with Security option.
drop_ipssrr Drop IP with Strict Source Record Route option.
drop_ipstream Drop IP with Stream option.
drop_iptimestamp Drop IP with Timestamp option.
Drop IP with malformed option.
Drop IP with Unknown protocol.
Drop TCP FIN with no ACT flag set to pass.
drop_tcp_no_flag Drop TCP with no flag set to pass.
drop_tcpland Drop TCP Land.
drop_udpland Drop UDP Land.
drop_winnuke Drop TCP WinNuke.
pass_icmp_frag Allow ICMP fragments to pass.
pass_icmpland Allow ICMP Land to pass.
pass_ipland Allow IP land to pass.
pass_iplsrr Allow IP with Loose Source Record Route option to pass.
pass_iprr Allow IP with Record Route option to pass.
pass_ipsecurity Allow IP with Security option to pass.
pass_ipssrr Allow IP with Strict Source Record Route option to pass.
pass_ipstream Allow IP with Stream option to pass.
pass_iptimestamp Allow IP with Timestamp option to pass.
Allow IP with malformed option to pass.
Allow IP with Unknown protocol to pass.
Allow TCP FIN with no ACT flag set to pass.
pass_tcp_no_flag Allow TCP with no flag set to pass.
pass_tcpland Allow TCP Land to pass.
pass_udpland Allow UDP Land to pass.
pass_winnuke Allow TCP WinNuke to pass.
You might configure an NP4 to drop packets with TCP WinNuke or unknown IP protocol anomalies, but to pass packets with an IP time stamp, using hardware acceleration provided by the network processor.
config system interface edit port1
set fp-anomaly drop_winnuke drop_ipunknown_prot pass_iptimestamp end
Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
Don't Forget To Buy Your Fortinet Hardware From The Fortinet GURU