Nmap options for firewall/IDS evasion

During a penetration test you may encounter a target that is protected by a firewall and an IDS. With Nmap's default settings your scan may be detected, or Nmap may not return accurate results. The following options can help you evade the firewall/IDS:

  • -f (fragment packets): Splits each probe into tiny IP fragments so that packet filters and IDSs that do not reassemble fragments have a harder time inspecting it. Specified once, Nmap splits the data after the IP header into fragments of 8 bytes or fewer (specify it twice, -ff, for 16-byte fragments). Fragmentation applies only to Nmap's raw-packet scans such as -sS and -sU, not to the connect scan (-sT), and some scanning hosts reassemble outgoing fragments in the kernel, for example Linux with the iptables connection-tracking module loaded.
  • --mtu <size>: Lets you choose the fragment size yourself instead of the 8 bytes used by -f. The size (the Maximum Transmission Unit, MTU) must be a positive multiple of eight, or Nmap prints an error and exits.
  • -D <decoy1,decoy2,...> (decoy scan): Nmap sends the probes both from your real address and from the spoofed addresses you list, so the target's logs show a scan from each of them and your real address is only one entry among many. It is masked, not removed. Use RND to generate one random decoy address, or RND:<number> to generate <number> of them, and put ME in the list to choose the position of your own address. The decoy hosts should be up, or you may accidentally SYN flood the target with unanswered traffic. Many decoys also multiply the traffic and can cause network congestion, so be sparing, especially when scanning a client's production network. Decoys do not work with version detection or the TCP connect scan.
  • --source-port <portnumber> or -g <portnumber> (spoof source port): Sends the probes from the given source port. Useful when the firewall is misconfigured to allow all incoming traffic that comes from a specific source port, such as 53 (DNS) or 20 (FTP data). Like the options above, it applies to raw-packet scans, not to the connect scan.
  • --data-length <number>: Appends the given number of random bytes to most probes. Nmap normally sends minimal packets with no payload, which is itself a recognizable signature, so adding a payload makes the probes look less like an Nmap scan.
  • --max-parallelism <number>: Caps the number of probes outstanding at any one time. For evasion it is usually set to 1, so that Nmap sends no more than one probe at a time to the target host.
  • --scan-delay <time>: Waits at least the given time (for example 1s or 500ms) between probes sent to a host. This can defeat an IDS/IPS that flags port scanning once the number of probes seen within a time window exceeds a threshold.
You may also experiment with the other evasion options described in the Nmap manual (http://nmap.org/book/man-bypass-firewalls-ids.html).
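The following script is an added example, not part of the original text: it assembles one Nmap command line from the options above and checks the constraints the text mentions (MTU a multiple of eight, ME placed late in the decoy list, raw-packet scan type) before Nmap is ever invoked. The target address, decoy addresses, ports and timing values are placeholders; the command is printed rather than executed unless RUN_SCAN=1 is set.

```shell
#!/bin/sh
# Added example: build an evasive Nmap scan command and validate it first.
# All addresses, ports and delays below are placeholders (assumptions).

# --mtu must be a positive multiple of 8, otherwise Nmap exits with an error.
valid_mtu() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ] && [ $(( $1 % 8 )) -eq 0 ]
}

# Decoy list: five explicit (placeholder) decoys, then ME for the real
# address, then three random ones. With ME in the 6th position or later the
# real address is unlikely to be listed first by a simple scan detector.
# Decoy hosts must be live, or the target is SYN-flooded with backscatter.
decoy_list() {
    echo "10.0.0.11,10.0.0.12,10.0.0.13,10.0.0.14,10.0.0.15,ME,RND:3"
}

# build_scan TARGET MTU SOURCE_PORT DATA_LENGTH SCAN_DELAY
# Prints the assembled command line; returns 1 if the MTU is unusable.
build_scan() {
    target=$1; mtu=$2; sport=$3; dlen=$4; delay=$5
    if ! valid_mtu "$mtu"; then
        echo "error: --mtu $mtu is not a positive multiple of 8" >&2
        return 1
    fi
    # -sS (SYN scan): fragmentation, decoys and --source-port only apply to
    # raw-packet scans; with -sT (connect scan) they would be lost.
    # -Pn -n: skip host discovery and DNS so no extra traffic gives us away.
    cmd="nmap -sS -Pn -n --mtu $mtu -D $(decoy_list)"
    cmd="$cmd --source-port $sport --data-length $dlen"
    cmd="$cmd --max-parallelism 1 --scan-delay $delay -p 22,80,443 $target"
    printf '%s\n' "$cmd"
}

# Print the command; run it only when RUN_SCAN=1 (raw scans need root).
if cmd=$(build_scan 192.0.2.10 24 53 25 1s); then
    echo "$cmd"
    if [ "${RUN_SCAN:-0}" = 1 ]; then
        eval "$cmd"
    fi
fi
```

The MTU check matters because Nmap aborts on a value such as 20, and the scan type is fixed to -sS because a connect scan silently drops fragmentation, decoys and the spoofed source port, leaving a plain, easily detected scan.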
