cborgato_FTNT
Article Id 194652
Description
The following article shows some of the NPU diagnostics options for models with NP4 or NP6 network processors.

NP6 also has configuration options; because they are part of the system configuration, they persist after a reboot (unlike most diagnostic options).

Scope


Solution
The following output is for FortiOS 5.0. 

NP4 options:

FGT # diagnose npu np4

list            Display all NP4 devices
fastpath        Configure fastpath
load-balance    Configure load balance
stats           View NP4 device stats
register        View NP4 registers
pdq             View NP4 queue stats
dce             View NP4 drop table
dce-reset       Clear NP4 drop table
flowtrace       Configure NP4 flow trace
eeprom-read     Read NP4 EEPROM
elbc-bind       Bind ELBC interface to VLAN


NP6 options:

FGT37xxx # diagnose npu np6

anomaly-drop           Show non-zero L3/L4 anomaly check drop counters.
anomaly-drop-all       Show all L3/L4 anomaly check drop counters.
dce                    Show non-zero subengine drop counters.
dce-all                Show all subengine drop counters.
debug-console          Access debug console
eeprom-read            Read NP6 EEPROM
fastpath               Configure fastpath
hrx-drop               Show non-zero host interface drop counters.
hrx-drop-all           Show all host interface drop counters.
ipsec-stats            Show IPsec offloading statistics
ipsec-stats-clear      Clear IPsec offloading statistics
npu-feature            Show NPU feature and status
pdq                    Show packet buffer queue counters
phy-debug              Enable/disable PHY debug
port-list              Show port list
register               Show NP6 registers
session-stats          Show session offloading statistics counters
session-stats-clear    Clear sesssion offloading statistics counters
sse-stats              Show hardware session statistics counters
sse-stats-clear        Show hardware session statistics counters
xgmac-stats            Show XGMAC MIBs counters
xgmac-stats-clear      Clear XGMAC MIBS counters


In addition, NP6 has its own system configuration section:

FGT37xxx # config system np6
FGT37xxx (np6) # edit np6_0
FGT37xxx (np6_0) # get
name                : np6_0
fastpath            : enable
low-latency-mode    : disable
per-session-accounting: disable
garbage-session-collector: disable
session-collector-interval: 8
session-timeout-interval: 40
session-timeout-random-range: 8
session-timeout-fixed: disable
fp-anomaly-v4:
    tcp-syn-fin         : allow
    tcp-fin-noack       : trap-to-host
    tcp-fin-only        : trap-to-host
    tcp-no-flag         : allow
    tcp-syn-data        : allow
    tcp-winnuke         : trap-to-host
    tcp-land            : trap-to-host
    udp-land            : trap-to-host
    icmp-land           : trap-to-host
    icmp-frag           : allow
    ipv4-land           : trap-to-host
    ipv4-proto-err      : trap-to-host
    ipv4-unknopt        : trap-to-host
    ipv4-optrr          : trap-to-host
    ipv4-optssrr        : trap-to-host
    ipv4-optlsrr        : trap-to-host
    ipv4-optstream      : trap-to-host
    ipv4-optsecurity    : trap-to-host
    ipv4-opttimestamp   : trap-to-host
fp-anomaly-v6:
    ipv6-land           : trap-to-host
    ipv6-proto-err      : trap-to-host
    ipv6-unknopt        : trap-to-host
    ipv6-saddr-err      : trap-to-host
    ipv6-daddr-err      : trap-to-host
    ipv6-optralert      : trap-to-host
    ipv6-optjumbo       : trap-to-host
    ipv6-opttunnel      : trap-to-host
    ipv6-opthomeaddr    : trap-to-host
    ipv6-optnsap        : trap-to-host
    ipv6-optendpid      : trap-to-host
    ipv6-optinvld       : trap-to-host

The following output is for FortiOS 5.2.2:

fw1 # diag npu np6
fastpath                 Configure fastpath
dce                      Show non-zero subengine drop counters.
dce-all                  Show all subengine drop counters.
anomaly-drop             Show non-zero L3/L4 anomaly check drop counters.
anomaly-drop-all         Show all L3/L4 anomaly check drop counters.
hrx-drop                 Show non-zero host interface drop counters.
hrx-drop-all             Show all host interface drop counters.
session-stats            Show session offloading statistics counters
session-stats-clear      Clear sesssion offloading statistics counters
sse-stats                Show hardware session statistics counters
sse-stats-clear          Show hardware session statistics counters
pdq                      Show packet buffer queue counters
xgmac-stats              Show XGMAC MIBs counters
xgmac-stats-clear        Clear XGMAC MIBS counters
gmac-stats               Show GMAC MIBs counters
gmac-stats-clear         Clear GMAC MIBS counters
gige-port-stats          Show GIGE PORT MIBs counters
gige-port-stats-clear    Clear GIGE PORT MIBs counters
port-list                Show port list
ipsec-stats              Show IPsec offloading statistics
ipsec-stats-clear        Clear IPsec offloading statistics
eeprom-read              Read NP6 EEPROM
npu-feature              Show NPU feature and status
register                 Show NP6 registers
debug                    general debug

fw1 # config system np6

fw1 (np6) # edit
name    Device Name.
np6_0
np6_1

fw1 (np6) # edit np6_0

fw1 (np6_0) # set
fastpath                        Enable/disable fast path.
per-session-accounting          Per-session accounting.
garbage-session-collector       Garbage session collector.
session-collector-interval      Garbage session collection clean-up interval(1 - 100 sec, default 64).
session-timeout-interval        NPU session timeout interval(0 - 1000 sec, default 40).
session-timeout-random-range    NPU session timeout randomization range(0 - 1000 sec, default 8).
session-timeout-fixed           NPU session timeout at fixed intervals.
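
When reviewing an NP6 configuration, the two things worth checking first are which fast-path anomaly checks are set to allow and whether the session timers sit inside the ranges listed in the help text. The Python below is an added example, not Fortinet code: it parses `get` output in the format shown above and applies the 5.2.2 ranges. The function names, the constructed SAMPLE, and the choice to flag `allow` are assumptions of this example.

```python
# Added example. SAMPLE is constructed from a subset of the article's `get` output.
SAMPLE = """\
name                : np6_0
fastpath            : enable
session-collector-interval: 8
session-timeout-interval: 40
session-timeout-random-range: 8
fp-anomaly-v4:
    tcp-syn-fin         : allow
    tcp-fin-noack       : trap-to-host
    tcp-no-flag         : allow
    icmp-frag           : allow
fp-anomaly-v6:
    ipv6-land           : trap-to-host
"""

# Ranges copied from the FortiOS 5.2.2 `set` help text in the article.
RANGES = {
    "session-collector-interval": (1, 100),
    "session-timeout-interval": (0, 1000),
    "session-timeout-random-range": (0, 1000),
}

def parse_np6_get(text):
    """Split the output into top-level settings and indented sections."""
    settings, sections, current = {}, {}, None
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")
        if not sep:
            continue  # blank line or prompt echo without a key/value pair
        key, value = key.strip(), value.strip()
        indented = raw[0].isspace()
        if not indented and value == "":
            current = sections.setdefault(key, {})  # "fp-anomaly-v4:" header
        elif indented and current is not None:
            current[key] = value
        else:
            current = None  # back at top level
            settings[key] = value
    return settings, sections

def audit(text):
    """Report anomaly checks set to allow and timers outside their range."""
    settings, sections = parse_np6_get(text)
    allowed = sorted(f"{sec}/{name}" for sec, checks in sections.items()
                     for name, action in checks.items() if action == "allow")
    bad = sorted(k for k, (lo, hi) in RANGES.items() if k in settings
                 and not (settings[k].isdigit() and lo <= int(settings[k]) <= hi))
    return {"fastpath": settings.get("fastpath"), "allowed": allowed, "out_of_range": bad}
```

Run `audit()` on saved output from each `np6_N` device and compare the results between units to spot configuration drift.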

