Offloading NP4 anomaly detection

Offloading NP4 anomaly detection

Network interfaces associated with a port attached to an NP4 processor can be configured to offload anomaly checking to the NP4 processor. This anomaly checking happens before other offloading and separately from DoS policy anomaly checking. Using the following command, each FortiGate interface can have a different anomaly checking configuration even if they are connected to the same NP4 processor.

The options available for this command apply anomaly checking for NP4 sessions in the same way as the command descrbed in Configuring individual NP6 processors on page 1215 applies anomaly checking for for NP6 sessions.


config system interface edit <port-name>

set fp-anomaly <anomalies>


where <anomalies> can be one, more than one or all of the following:


Anomaly                  Description

drop_icmp_frag         Drop ICMP fragments to pass.

drop_icmpland           Drop ICMP Land.

drop_ipland                Drop IP Land.

drop_iplsrr                  Drop IP with Loose Source Record Route option.

drop_iprr                    Drop IP with Record Route option.

drop_ipsecurity          Drop IP with Security option.

drop_ipssrr                 Drop IP with Strict Source Record Route option.

drop_ipstream            Drop IP with Stream option.

drop_iptimestamp     Drop IP with Timestamp option.


Anomaly                  Description



Drop IP with malformed option.




Drop IP with Unknown protocol.

Drop TCP FIN with no ACT flag set to pass.

drop_tcp_no_flag       Drop TCP with no flag set to pass.

drop_tcpland              Drop TCP Land.

drop_udpland             Drop UDP Land.

drop_winnuke            Drop TCP WinNuke.

pass_icmp_frag         Allow ICMP fragments to pass.

pass_icmpland           Allow ICMP Land to pass.

pass_ipland               Allow IP land to pass.

pass_iplsrr                 Allow IP with Loose Source Record Route option to pass.

pass_iprr                    Allow IP with Record Route option to pass.

pass_ipsecurity          Allow IP with Security option to pass.

pass_ipssrr                 Allow IP with Strict Source Record Route option to pass.

pass_ipstream           Allow IP with Stream option to pass.

pass_iptimestamp     Allow IP with Timestamp option to pass.



Allow IP with malformed option to pass.





Allow IP with Unknown protocol to pass.

Allow TCP FIN with no ACT flag set to pass.

pass_tcp_no_flag      Allow TCP with no flag set to pass.


Anomaly                  Description

pass_tcpland             Allow TCP Land to pass.

pass_udpland            Allow UDP Land to pass.

pass_winnuke            Allow TCP WinNuke to pass.


You might configure an NP4 to drop packets with TCP WinNuke or unknown IP protocol anomalies, but to pass packets with an IP time stamp, using hardware acceleration provided by the network processor.

config system interface edit port1

set fp-anomaly drop_winnuke drop_ipunknown_prot pass_iptimestamp end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos

Cybersecurity Videos and Training Available Via: Office of The CISO Security Training Videos