FortiGate
tonylin1
Staff
Article Id 191428

Description


This article describes how to enable tcp-session-without-syn, first at the VDOM level and then on an individual firewall policy, and how the CLI for it differs across FortiOS versions.

 

Scope

 

FortiGate.


Solution

 

The tcp-session-without-syn option lets the FortiGate create a session for a TCP flow whose first packet it sees is not a SYN, instead of dropping that traffic as out-of-state. This has legitimate uses: asymmetric routing, where the unit only sees one direction of a flow; long-lived connections that were established before a failover or policy change and must not be reset; and applications that set up TCP sessions in a non-standard way and are otherwise blocked.

However, enabling it weakens stateful inspection. A packet with only ACK (or other non-SYN flags) set can then create a session, which makes it easier to get traffic past the policy without a legitimate handshake. Enable it only where it is strictly necessary, scope it to the specific firewall policy that needs it rather than relying on the VDOM-wide setting alone, prefer the 'data-only' value where that is sufficient, and keep compensating controls in place.


1) FortiOS 5.4 and earlier:

 

config system settings
    set tcp-session-without-syn enable
end

 

2) FOS 5.6 and later:

 

config system settings
    set tcp-session-without-syn enable
end

 

Once 'tcp-session-without-syn' is enabled in system settings (this is a per-VDOM setting), the option becomes available on individual IPv4 firewall policies for more granular control, in both the CLI and the GUI.

 

In the CLI:

 

config firewall policy
    edit {id}
        set tcp-session-without-syn {all | data-only | disable}
    next
end

 

  • 'all': create the session without a SYN for any TCP packet, whether or not it carries data. This is the setting for traffic that establishes sessions in a non-standard way, or where the unit may first see a control packet (for example a bare ACK) of an already established flow.
  • 'data-only': create the session without a SYN only when the packet carries a TCP payload; packets with no data, such as a bare ACK, are still dropped. This is the more restrictive choice and is usually sufficient for application traffic whose handshake completed elsewhere.
  • 'disable': do not create sessions without a SYN (default).

 

In the GUI:

 

[Screenshot: the 'TCP session without SYN' option on the IPv4 policy editing page.]

 


Note: This feature is available only when the firewall is set to ngfw-mode profile-based.

 

show full-configuration system settings | grep ngfw-mode
    set ngfw-mode profile-based

 

show full-configuration system settings | grep tcp-session-without-syn
    set tcp-session-without-syn disable

The value shown here is the default ('disable'); the per-policy option is not offered until it is set to 'enable'. In multi-VDOM mode, run both commands from inside the VDOM in question ('config vdom', 'edit <name>'), since both settings are per VDOM.
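The two checks above, and the per-policy values described earlier, are easy to miss in a large configuration, so the following added example (not Fortinet's code and not part of the original article) audits a saved `show full-configuration` dump offline. It parses the nested `config`/`edit`/`next`/`end` structure that FortiGate prints and reports, per VDOM, whether the system-level setting is enabled, whether ngfw-mode is profile-based (the prerequisite noted above), and which firewall policies set tcp-session-without-syn to 'all' or 'data-only'. The configuration text embedded in it is constructed for the example; the function names are the example's own.

```python
"""Audit a FortiOS configuration dump for tcp-session-without-syn.

Added example, not Fortinet code. Reads the plain-text format produced by
`show full-configuration` (and found in a config backup). The sample below
is constructed: two VDOMs, one of which exposes the option on two policies.
"""
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
config vdom
edit root
config system settings
    set ngfw-mode profile-based
    set tcp-session-without-syn enable
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set action accept
        set tcp-session-without-syn all
    next
    edit 2
        set name "dmz-replication"
        set action accept
        set tcp-session-without-syn data-only
    next
    edit 3
        set name "guest"
        set action accept
    next
end
next
edit dmz
config system settings
    set ngfw-mode policy-based
end
config firewall policy
    edit 1
        set name "dmz-in"
        set action accept
    next
end
next
end
"""


def parse_fortios(text):
    """Return {path: {key: value}}, path being the nesting of config/edit
    names, e.g. ('vdom', 'root', 'firewall policy', '1')."""
    stack, tree = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line.startswith("edit "):
            stack.append(line[len("edit "):].strip('"'))
        elif line in ("next", "end"):
            stack.pop()
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            tree.setdefault(tuple(stack), {})[key] = value.strip('"')
        # 'unset' and comments are irrelevant to this audit and are skipped
    return tree


@dataclass
class VdomReport:
    vdom: str
    system_enabled: bool = False        # config system settings value
    ngfw_mode: str = "profile-based"    # FortiOS default when not shown
    policies: dict = field(default_factory=dict)  # policy id -> all|data-only


def audit(tree):
    """Collect the per-VDOM state relevant to tcp-session-without-syn."""
    reports = {}
    for path, settings in tree.items():
        if len(path) < 3 or path[0] != "vdom":
            continue
        rep = reports.setdefault(path[1], VdomReport(path[1]))
        rest = path[2:]
        if rest == ("system settings",):
            rep.system_enabled = settings.get("tcp-session-without-syn", "disable") == "enable"
            rep.ngfw_mode = settings.get("ngfw-mode", rep.ngfw_mode)
        elif len(rest) == 2 and rest[0] == "firewall policy":
            mode = settings.get("tcp-session-without-syn", "disable")
            if mode != "disable":
                rep.policies[rest[1]] = mode
    return reports


def findings(reports):
    """One human-readable line per condition a reviewer should look at."""
    out = []
    for vdom, rep in sorted(reports.items()):
        if rep.system_enabled:
            out.append(f"[{vdom}] system settings: tcp-session-without-syn enabled (per-policy option exposed)")
        if rep.ngfw_mode != "profile-based" and (rep.system_enabled or rep.policies):
            out.append(f"[{vdom}] ngfw-mode is {rep.ngfw_mode}; the per-policy option needs profile-based")
        for pid, mode in sorted(rep.policies.items(), key=lambda kv: int(kv[0])):
            what = "any non-SYN packet" if mode == "all" else "non-SYN packets that carry data"
            out.append(f"[{vdom}] policy {pid}: tcp-session-without-syn {mode} (sessions created from {what})")
    return out


if __name__ == "__main__":
    for line in findings(audit(parse_fortios(SAMPLE_CONFIG))):
        print(line)
```

Run it against a real backup by replacing SAMPLE_CONFIG with the file contents; anything it lists is a policy where a session can be created without a handshake and deserves a justification in the change record.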

 

Related article:

Technical Note: Enable creation of TCP session on the firewall without checking for a SYN packet.