Description

This article describes the behavior when the FortiGate NP6 setting 'set ipv4-proto-err drop' is enabled.

The NP6 will only process certain IP protocols and will drop the rest. For example, the NP6 in a FortiGate 3700D has an accept protocol table for IPv4/IPv6 traffic. The following is the list of protocols accepted:

01. HOP V6 extension [0]
02. ICMP [1]
03. IPV4 [4]
04. TCP [6]
05. UDP [17]
06. IPV6 [41]
07. ROUTE V6 extension [43]
08. FRAG V6 extension [44]
09. GRE [47]
10. ESP [50]
11. AH [51]
12. ICMP6 [58]
13. DEST V6 extension [60]
14. OSPFIGP [89]
15. SCTP [132]
16. UDPLITE [136]

Note: The numbers in the square brackets [] are the protocol number (ID) in decimal.

Solution

For example, when 'set ipv4-proto-err drop' is enabled, the following anomaly errors will be seen when running:
diag npu np6 anomaly-drop 0
IHP0:
IHP1:
IPV4_PROTO_ERR :0000000000000016 [21] <-- Hex ID 21 is not in the list of accepted protocols.
IHP2:
IHP3:
XHP0:
XHP1:
HTX0:
HTX1:
Note: The number in the square brackets is the protocol number (ID) in hexadecimal.
The output shows that when an IP packet carrying the Datagram Congestion Control Protocol (DCCP) is received, it is dropped because its protocol ID is hex 21 (decimal 33), which is not in the accepted protocol list.
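The following Python script is an added example, not Fortinet's code: it parses the IPV4_PROTO_ERR lines from 'diag npu np6 anomaly-drop' output, converts the bracketed hex protocol ID to decimal as the note above describes, and checks it against the NP6 accept table listed in this article. It assumes that the leading hex value on the line is a counter of dropped packets, and the small IANA name table used to label rejected IDs (DCCP = 33 and a few others) is a lookup added here for readability.

```python
import re

# Accepted IPv4/IPv6 protocol table for the NP6, as listed in the article (decimal protocol IDs).
NP6_ACCEPTED_PROTOCOLS = {
    0: "HOP V6 extension", 1: "ICMP", 4: "IPV4", 6: "TCP", 17: "UDP",
    41: "IPV6", 43: "ROUTE V6 extension", 44: "FRAG V6 extension",
    47: "GRE", 50: "ESP", 51: "AH", 58: "ICMP6", 60: "DEST V6 extension",
    89: "OSPFIGP", 132: "SCTP", 136: "UDPLITE",
}

# A few IANA protocol names used only to label a rejected ID in the report
# (assumed lookup table added for this example, not part of the article).
IANA_PROTOCOL_NAMES = {2: "IGMP", 33: "DCCP", 88: "EIGRP", 103: "PIM", 112: "VRRP"}

# Matches "IPV4_PROTO_ERR :0000000000000016 [21]"; the bracketed value is hex per the article's note.
PROTO_ERR_RE = re.compile(r"IPV4_PROTO_ERR\s*:\s*([0-9A-Fa-f]+)\s*\[([0-9A-Fa-f]+)\]")


def np6_accepts(protocol_id: int) -> bool:
    """True if the NP6 accept table contains this decimal IP protocol number."""
    return protocol_id in NP6_ACCEPTED_PROTOCOLS


def protocol_name(protocol_id: int) -> str:
    """Best-effort name for a protocol number; falls back to the number itself."""
    return (NP6_ACCEPTED_PROTOCOLS.get(protocol_id)
            or IANA_PROTOCOL_NAMES.get(protocol_id)
            or f"proto-{protocol_id}")


def parse_anomaly_drop(output: str) -> list:
    """Extract every IPV4_PROTO_ERR entry from 'diag npu np6 anomaly-drop' output.

    Each entry carries the hex counter decoded to decimal (assumed here to be the
    number of dropped packets), the protocol ID converted from hex to decimal,
    its name, and whether the NP6 accept table lists it.
    """
    entries = []
    for line in output.splitlines():
        m = PROTO_ERR_RE.search(line)
        if not m:
            continue
        counter = int(m.group(1), 16)   # assumed: drop counter, shown in hex
        proto = int(m.group(2), 16)     # bracketed protocol ID is hex per the note
        entries.append({
            "counter": counter,
            "protocol_id": proto,
            "protocol_hex": m.group(2).upper(),
            "name": protocol_name(proto),
            "accepted": np6_accepts(proto),
        })
    return entries


def summarize(output: str) -> list:
    """One human-readable triage line per IPV4_PROTO_ERR entry."""
    lines = []
    for e in parse_anomaly_drop(output):
        status = "in accept table" if e["accepted"] else "NOT in accept table, dropped by NP6"
        lines.append(f"protocol 0x{e['protocol_hex']} ({e['protocol_id']}, {e['name']}): "
                     f"counter {e['counter']}, {status}")
    return lines


# Sample output reproduced from the article's example (the trailing annotation removed).
SAMPLE_OUTPUT = """\
IHP0:
IHP1:
IPV4_PROTO_ERR :0000000000000016 [21]
IHP2:
IHP3:
XHP0:
XHP1:
HTX0:
HTX1:
"""

if __name__ == "__main__":
    for line in summarize(SAMPLE_OUTPUT):
        print(line)
```

Run against the article's output the script reports protocol 0x21 (33, DCCP) as not in the accept table, which matches the explanation above; any protocol number that decodes to a listed ID (for example 0x2C, decimal 44, FRAG V6 extension) is reported as accepted, so a non-empty IPV4_PROTO_ERR line for such a protocol would point at a different cause than this setting.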
A full list of protocol numbers is available here.
Further information is available in the following links: