FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
dalten
Staff
Staff
Description
This article describes the behavior when FortiGate NP6 setting set ipv4-proto-err drop is enabled.

The NP6 will only process certain IP protocols and will drop the rest.

For example, NP6 in 3700D has an accept protocol table for IPv4/IPv6 traffic.

The following is the list of protocols accepted:

01. HOP V6 extension [0]
02. ICMP [1]
03. IPV4 [4]
04. TCP [6]
05. UDP [17]
06. IPV6 [41]
07. ROUTE V6 extension[43]
08. FRAG V6 extension [44]
09. GRE [47]
10. ESP [50]
11. AH [51]
12. ICMP6 [58]
13. DEST V6 extension [60]
14. OSPFIGP [89]
15. SCTP [132]
16. UDPLITE [136]

Note: The numbers in the braces [] are the protocol number (ID) in decimal.
Solution
For the example:

When set ipv4-proto-err drop is enabled, the following anomaly errors will be seen when running:
diag npu np6 anomaly-drop 0

IHP0:
IHP1:
IPV4_PROTO_ERR :0000000000000016 [21]                    <-- HEX
ID of 21 is not in the list of accepted protocols.
IHP2:
IHP3:
XHP0:
XHP1:
HTX0:
HTX1:
Note: The number in the braces are the protocol number (ID) in hexadecimal.

The result shows when an IP Packet defined as a Datagram Congestion Control Protocol is received, it is dropped because it has the HEX ID of 21 (decimal 33), which is not in the accepted protocol list.

A full list of protocol numbers are available here.

Further information is available in the following links:


Contributors