rarora
Staff
Article Id 196391
Description
This article describes the anti-replay option that is available per policy.

Related link:

https://docs.fortinet.com/document/fortigate/6.2.0/new-features/519101/expanding-fabric-family

Solution
When the global anti-replay option is disabled, the FortiGate does not check TCP flags in packets. This feature adds a per-policy anti-replay option that overrides the global setting, so whether TCP flags are checked can be controlled per policy. In this example, a policy is created with the anti-replay option enabled so that TCP flags are checked:
# config firewall policy
    edit 1
        set name "policyid-1"
        set uuid dfcaec9c-e925-51e8-cf3e-fed9a1d42a1c
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set anti-replay enable
        set logtraffic all
        set nat enable
    next
end
Note that the above option is only available when the firewall is set to profile mode.
This feature is not applicable when the device is set to policy mode.

All the options available per policy when the FortiGate is in policy mode are shown below; they do not include an anti-replay setting:
# config firewall consolidated policy
    edit 1
        set status enable
        set name "test"
        set uuid c64653e4-53b2-51ea-68fd-b11529dd97ec
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr4 "all"
        set dstaddr4 "all"
        set srcaddr-negate disable
        set dstaddr-negate disable
        set service-negate disable
        set internet-service disable
        set internet-service-src disable
        set service "ALL"
        set ssl-ssh-profile "no-inspection"
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set session-ttl 0
        set comments ''
    next
end
When the unit is set to profile mode, the only available option is to change anti-replay settings globally.

When the global anti-replay option is disabled, the FortiGate does not check TCP flags in packets. The default is strict.
# config system global
    set anti-replay {disable | loose | strict}          <----- Level of checking for packet replay and TCP sequence checking.
end
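As an added example, not part of this article or of FortiOS itself, the following Python script parses a constructed configuration excerpt in the CLI format shown above and reports which firewall policies end up with no TCP flag checking, combining the global anti-replay level with any per-policy override. The function names and the sample excerpt are assumptions; only the profile-mode `config firewall policy` table is read, since the policy-mode consolidated table has no anti-replay option.

```python
# Constructed FortiOS configuration excerpt (sample data, not from a real device).
SAMPLE_CONFIG = """\
config system global
    set anti-replay disable
end
config firewall policy
    edit 1
        set anti-replay enable
    next
    edit 2
        set name "no-override"
    next
    edit 3
        set anti-replay disable
    next
end
"""

def parse_config(text):
    """Return (global anti-replay level, {policy id: {setting: value}})."""
    global_level = "strict"  # FortiOS default when 'set anti-replay' is absent
    policies, section, policy_id = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[7:]
        elif line == "end":
            section = None
        elif section == "firewall policy" and line.startswith("edit "):
            policy_id = int(line.split()[1])
            policies[policy_id] = {}
        elif line == "next":
            policy_id = None
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            value = value.strip().strip('"')
            if section == "system global" and key == "anti-replay":
                global_level = value
            elif section == "firewall policy" and policy_id is not None:
                policies[policy_id][key] = value
    return global_level, policies

def tcp_flags_checked(global_level, policy):
    """Per-policy 'anti-replay' overrides the global level; otherwise the global applies."""
    override = policy.get("anti-replay")
    return override == "enable" if override is not None else global_level != "disable"

def unchecked_policies(text):
    """IDs of policies whose traffic gets no TCP flag / replay checking."""
    global_level, policies = parse_config(text)
    return sorted(pid for pid, p in policies.items() if not tcp_flags_checked(global_level, p))
```

With the sample excerpt, policy 1 is covered by its own override while policies 2 and 3 are reported as unchecked.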

Related Articles

Technical Tip: Anti-Replay option support per-policy
