FortiGate
mtse
Staff
Article Id 196081

Description
This article describes how to enable logging for anti-replay.

Solution
The FortiGate anti-replay function detects replayed packets as described in the documentation below:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/104584/replay-traffic-scenario

# config system global
    set anti-replay {loose | strict | disable}
end

The debug command '# diagnose debug flow' shows the replayed flow being dropped:

id=20085 trace_id=179 msg="vd-VDOM_VLAN1 received a packet(proto=6, 10.10.253.9:10709->10.10.248.5:25) from TO_EXTERNAL ."
id=20085 trace_id=179 msg="Find an existing session, id-00041475, original direction"
id=20085 trace_id=179 msg="replay packet, drop"                                              <----- Dropped by 'replay'.

If logging of the detected replayed packets is also required, enable the 'log-invalid-packet' setting:

# config log setting
    set log-invalid-packet enable                                                            <----- Default is 'disable'.
end


Once this is enabled, a replayed packet that is received (for example, one replayed from a capture) produces a forward traffic log entry containing 'replay_packet(seq_check)'.
Note that this increases the amount of logging generated and the load on the system.
'log-invalid-packet' also enables logging for other types of invalid packets, not only replayed ones.

Both factors need to be considered before enabling 'log-invalid-packet'.
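Before turning on 'log-invalid-packet', it can help to gauge how many replay drops are actually occurring by parsing captured 'diagnose debug flow' output. The following Python script is an added example and not part of this article or FortiOS; it groups the debug-flow lines by trace_id and reports each trace that ended in an anti-replay drop, using the article's own sample lines plus one constructed trace without a drop.

```python
import re
from collections import defaultdict

# Sample 'diagnose debug flow' output: trace 179 is taken from the article,
# trace 180 is a constructed second flow with no replay drop, for contrast.
SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=179 msg="vd-VDOM_VLAN1 received a packet(proto=6, 10.10.253.9:10709->10.10.248.5:25) from TO_EXTERNAL ."
id=20085 trace_id=179 msg="Find an existing session, id-00041475, original direction"
id=20085 trace_id=179 msg="replay packet, drop"
id=20085 trace_id=180 msg="vd-VDOM_VLAN1 received a packet(proto=6, 10.10.253.9:10710->10.10.248.5:25) from TO_EXTERNAL ."
id=20085 trace_id=180 msg="Find an existing session, id-00041476, original direction"
"""

LINE_RE = re.compile(r'id=(?P<id>\d+)\s+trace_id=(?P<trace>\d+)\s+msg="(?P<msg>.*)"$')
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\)')
SESSION_RE = re.compile(r'existing session, id-(?P<sid>\w+)')

def parse_debug_flow(text):
    """Group debug-flow messages by trace_id, keeping their original order."""
    traces = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            traces[int(m['trace'])].append(m['msg'])
    return traces

def find_replay_drops(text):
    """Return one record per trace that ended in an anti-replay drop."""
    drops = []
    for trace_id, msgs in parse_debug_flow(text).items():
        if not any(msg.startswith('replay packet, drop') for msg in msgs):
            continue
        rec = {'trace_id': trace_id, 'session': None, 'flow': None}
        for msg in msgs:
            p = PKT_RE.search(msg)
            if p:  # the 5-tuple of the replayed packet, from the 'received a packet' line
                rec['flow'] = f"{p['src']}:{p['sport']}->{p['dst']}:{p['dport']}"
                rec['proto'] = int(p['proto'])
            s = SESSION_RE.search(msg)
            if s:  # the existing session the replayed packet was matched against
                rec['session'] = s['sid']
        drops.append(rec)
    return drops

if __name__ == '__main__':
    for d in find_replay_drops(SAMPLE_DEBUG_FLOW):
        print(f"trace {d['trace_id']}: replay drop on {d['flow']} (session {d['session']})")
```

Feed it the saved output of a real '# diagnose debug flow' run to count replay drops over a time window and estimate the extra log volume that 'log-invalid-packet' would add.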


Related Articles

Technical Note: How to get log messages for packets dropped due to anti-spoofing
