Offloading NP4 anomaly detection

Network interfaces associated with a port attached to an NP4 processor can be configured to offload anomaly checking to the NP4 processor. This anomaly checking happens before other offloading and separately from DoS policy anomaly checking. Using the following command, each FortiGate interface can have a different anomaly checking configuration even if they are connected to the same NP4 processor.

The options available for this command apply anomaly checking to NP4 sessions in the same way as the command described in Configuring individual NP6 processors on page 1215 applies anomaly checking to NP6 sessions. Each anomaly has a drop_ and a pass_ option; choose one or the other for a given anomaly.

config system interface
    edit <port-name>
        set fp-anomaly <anomalies>
    end

where <anomalies> can be one, more than one or all of the following:

Anomaly                   Description
drop_icmp_frag            Drop ICMP fragments.
drop_icmpland             Drop ICMP Land (source address equals destination address).
drop_ipland               Drop IP Land.
drop_iplsrr               Drop IP with Loose Source Record Route option.
drop_iprr                 Drop IP with Record Route option.
drop_ipsecurity           Drop IP with Security option.
drop_ipssrr               Drop IP with Strict Source Record Route option.
drop_ipstream             Drop IP with Stream option.
drop_iptimestamp          Drop IP with Timestamp option.
drop_ipunknown_option     Drop IP with malformed or unknown option.
drop_ipunknown_prot       Drop IP with unknown protocol.
drop_tcp_fin_noack        Drop TCP FIN with no ACK flag set.
drop_tcp_no_flag          Drop TCP with no flag set.
drop_tcpland              Drop TCP Land.
drop_udpland              Drop UDP Land.
drop_winnuke              Drop TCP WinNuke.
pass_icmp_frag            Allow ICMP fragments to pass.
pass_icmpland             Allow ICMP Land to pass.
pass_ipland               Allow IP Land to pass.
pass_iplsrr               Allow IP with Loose Source Record Route option to pass.
pass_iprr                 Allow IP with Record Route option to pass.
pass_ipsecurity           Allow IP with Security option to pass.
pass_ipssrr               Allow IP with Strict Source Record Route option to pass.
pass_ipstream             Allow IP with Stream option to pass.
pass_iptimestamp          Allow IP with Timestamp option to pass.
pass_ipunknown_option     Allow IP with malformed or unknown option to pass.
pass_ipunknown_prot       Allow IP with unknown protocol to pass.
pass_tcp_fin_noack        Allow TCP FIN with no ACK flag set to pass.
pass_tcp_no_flag          Allow TCP with no flag set to pass.
pass_tcpland              Allow TCP Land to pass.
pass_udpland              Allow UDP Land to pass.
pass_winnuke              Allow TCP WinNuke to pass.

Example

You might configure an NP4 to drop packets with TCP WinNuke or unknown IP protocol anomalies, but to pass packets with an IP Timestamp option, using the hardware acceleration provided by the network processor:

config system interface
    edit port1
        set fp-anomaly drop_winnuke drop_ipunknown_prot pass_iptimestamp
    end
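To make the option names in the table concrete, here is a software model of the same checks. It is an added example written for this page, not Fortinet code and not what the NP4 executes: it parses a raw IPv4 packet, reports which fp-anomaly names (without the drop_/pass_ prefix) the packet matches, and then applies a `set fp-anomaly` option string to that result. Everything it decides beyond the table is an assumption of the model: the set of "known" IP protocols, WinNuke modelled as TCP URG data sent to port 139, pass-by-default for anomalies the option string does not name, and no checksum validation. The sample packets are constructed inline, so it runs offline.

```python
"""Added model of the NP4 fp-anomaly checks (not Fortinet code).
Assumptions: "unknown protocol" = not in KNOWN_PROTOCOLS; "winnuke" =
TCP URG to port 139; anomalies with no drop_ option are passed."""
import socket
import struct

# Full IPv4 option type bytes (copy|class|number) as defined in RFC 791 etc.
IP_OPTIONS = {7: "iprr", 68: "iptimestamp", 130: "ipsecurity",
              131: "iplsrr", 136: "ipstream", 137: "ipssrr"}
# Assumed "known" protocols: ICMP, IGMP, TCP, UDP, IPv6, GRE, ESP, AH, ICMPv6, OSPF, SCTP.
KNOWN_PROTOCOLS = {1, 2, 6, 17, 41, 47, 50, 51, 58, 89, 132}
FIN, ACK, URG = 0x01, 0x10, 0x20


def parse_ipv4(pkt):
    """Split a raw IPv4 packet into the fields the anomaly checks need."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    ver_ihl, _, _, _, frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {"proto": proto, "src": src, "dst": dst, "mf": bool(frag & 0x2000),
            "frag_off": frag & 0x1FFF, "options": pkt[20:ihl], "payload": pkt[ihl:]}


def ip_option_anomalies(opts):
    """Walk the IP options area; a truncated or bad-length option counts as malformed."""
    found, i = set(), 0
    while i < len(opts):
        t = opts[i]
        if t == 0:                      # End of Option List
            break
        if t == 1:                      # No-Operation, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            found.add("ipunknown_option")   # missing or impossible length byte
            break
        found.add(IP_OPTIONS.get(t, "ipunknown_option"))
        i += opts[i + 1]
    return found


def classify(pkt):
    """Return the set of fp-anomaly names (without drop_/pass_) the packet matches."""
    ip = parse_ipv4(pkt)
    found = ip_option_anomalies(ip["options"])
    land = ip["src"] == ip["dst"]           # Land: source address equals destination
    if land:
        found.add("ipland")
    if ip["proto"] not in KNOWN_PROTOCOLS:
        found.add("ipunknown_prot")
    if ip["proto"] == 1:                    # ICMP
        if ip["mf"] or ip["frag_off"]:
            found.add("icmp_frag")
        if land:
            found.add("icmpland")
    elif ip["proto"] in (6, 17) and ip["frag_off"] == 0 and len(ip["payload"]) >= 4:
        sport, dport = struct.unpack("!HH", ip["payload"][:4])
        if land and sport == dport:
            found.add("tcpland" if ip["proto"] == 6 else "udpland")
        if ip["proto"] == 6 and len(ip["payload"]) >= 14:
            flags = ip["payload"][13]       # TCP flag byte
            if flags == 0:
                found.add("tcp_no_flag")
            if flags & FIN and not flags & ACK:
                found.add("tcp_fin_noack")
            if flags & URG and dport == 139:
                found.add("winnuke")
    return found


def verdict(anomalies, fp_anomaly):
    """Apply a 'set fp-anomaly ...' option string; any matching drop_ option drops."""
    opts = set(fp_anomaly.split())
    dropped = {a for a in anomalies if "drop_" + a in opts}
    return ("drop" if dropped else "pass", dropped)


def conflicting(fp_anomaly):
    """Anomalies listed with both drop_ and pass_, which cannot both be honoured."""
    opts = set(fp_anomaly.split())
    return {o[5:] for o in opts if o.startswith("drop_") and "pass_" + o[5:] in opts}


def build(src, dst, proto, payload=b"", options=b"", frag=0):
    """Constructed IPv4 packet (checksum left zero; the classifier ignores it)."""
    options += b"\x00" * (-len(options) % 4)        # options area is 32-bit padded
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options) + len(payload),
                      1, frag, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + options + payload


def tcp(sport, dport, flags):
    """Constructed 20-byte TCP header carrying the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


# Constructed sample packets, one per anomaly of interest (not captured traffic).
SAMPLES = {
    "land": build("10.0.0.1", "10.0.0.1", 6, tcp(80, 80, 0x02)),
    "fin_noack": build("10.0.0.2", "10.0.0.9", 6, tcp(40000, 22, FIN)),
    "timestamp": build("10.0.0.2", "10.0.0.9", 6, tcp(40000, 22, 0x18),
                       options=bytes([68, 8, 5, 0, 0, 0, 0, 0])),
    "winnuke": build("10.0.0.2", "10.0.0.9", 6, tcp(40000, 139, 0x08 | ACK | URG)),
    "bad_option": build("10.0.0.2", "10.0.0.9", 17, b"\x9c\x40\x00\x35\x00\x08\x00\x00",
                        options=bytes([131, 1])),         # LSRR with length 1
    "unknown_prot": build("10.0.0.2", "10.0.0.9", 253),
}

if __name__ == "__main__":
    POLICY = "drop_winnuke drop_ipunknown_prot pass_iptimestamp"   # the port1 example above
    assert not conflicting(POLICY)
    for name, pkt in SAMPLES.items():
        found = classify(pkt)
        print(f"{name:13s} {sorted(found)!s:32s} -> {verdict(found, POLICY)[0]}")
```

Run against the port1 example, the WinNuke and unknown-protocol samples are dropped, the Timestamp-option sample is passed, and the Land sample is passed only because the policy never mentions it; `conflicting()` is the check to run over any option string before pasting it into `set fp-anomaly`, since a drop_ and pass_ pair for the same anomaly cannot both take effect.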

This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
