FortiGate
naveenk
Staff
Article Id 192196
Description
This article explains the security issues that TCP out-of-order packets can cause and how FortiOS handles them.

Solution
FortiOS uses TCP sequence checking to ensure a packet is part of a TCP session.
By default, anti-replay protection is strict, which means that if a packet is received with sequence numbers that fall out of the expected range, FortiOS drops the packet.
Strict anti-replay checking performs packet sequence checking and ICMP anti-replay checking with the following criteria:

- The SYN, FIN, and RST bits cannot appear in the same packet.
- FortiOS does not allow more than one ICMP error packet to go through before it receives a normal TCP or UDP packet.
- If FortiOS receives an RST packet, FortiOS checks to determine if its sequence number in the RST is within the un-ACKed data and drops the packet if the sequence number is incorrect.
- For each new session, FortiOS checks to determine if the TCP sequence number in a SYN packet has been calculated correctly and started from the correct value.
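The following is an added example, not Fortinet's code, that models the first three strict-mode criteria above as a small packet checker run over a constructed trace. The `Packet` and `SessionState` classes, the un-ACKed range `[snd_una, snd_nxt)` and the sample trace are all assumptions made for illustration; the fourth criterion (validating the initial sequence number in a SYN) is not modeled because the article does not describe how it is calculated.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp-error" (constructed)
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN"}
    seq: int = 0                    # TCP sequence number

@dataclass
class SessionState:
    # Constructed view of the peer's un-ACKed data: bytes in [snd_una, snd_nxt)
    snd_una: int = 0
    snd_nxt: int = 0
    icmp_errors_since_data: int = 0

def check_packet(pkt: Packet, st: SessionState):
    """Apply the strict anti-replay criteria to one packet; returns (pass, reason)."""
    if pkt.proto == "icmp-error":
        # Criterion 2: only one ICMP error may pass before a normal TCP/UDP packet
        if st.icmp_errors_since_data >= 1:
            return False, "second ICMP error before normal traffic"
        st.icmp_errors_since_data += 1
        return True, "first ICMP error allowed"
    st.icmp_errors_since_data = 0   # a normal packet resets the ICMP budget
    if pkt.proto != "tcp":
        return True, "non-TCP packet"
    # Criterion 1: SYN, FIN and RST must not appear together in one segment
    if len(pkt.flags & {"SYN", "FIN", "RST"}) > 1:
        return False, "SYN/FIN/RST combination in one packet"
    # Criterion 3: an RST is honoured only if its SEQ lies within the un-ACKed data
    if "RST" in pkt.flags and not (st.snd_una <= pkt.seq < st.snd_nxt):
        return False, "RST sequence number outside un-ACKed range"
    return True, "sequence check passed"

def run_trace(packets, st: SessionState):
    # Evaluate a trace in order; returns the list of (pass, reason) verdicts
    return [check_packet(p, st) for p in packets]

# Constructed trace: the peer has sent bytes 1000..1499 that are not yet ACKed.
SAMPLE_TRACE = [
    Packet("tcp", frozenset({"SYN", "FIN"})),      # criterion 1 -> drop
    Packet("tcp", frozenset({"RST"}), seq=42),     # criterion 3 -> drop
    Packet("tcp", frozenset({"RST"}), seq=1200),   # inside un-ACKed range -> pass
    Packet("icmp-error"),                          # first ICMP error -> pass
    Packet("icmp-error"),                          # criterion 2 -> drop
    Packet("udp"),                                 # normal packet resets budget -> pass
    Packet("icmp-error"),                          # allowed again -> pass
]

if __name__ == "__main__":
    state = SessionState(snd_una=1000, snd_nxt=1500)
    for pkt, (ok, why) in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE, state)):
        print("PASS" if ok else "DROP", pkt.proto, sorted(pkt.flags), why)
```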
