Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
goodfortinet
New Contributor

What does "This can be a challenge ack packet" mean, and why does the "anti-replay" config not take effect?

When I visit https://219.148.36.28, due to anti-DDoS device protection, the website always responds with an incorrect syn+ack the first time. If the client can respond with rst, it is considered normal.

When I was in the company, the fortigate version was 4.0. When fortigate received the wrong syn+ack packet, fortigate would discard the packet.

Now I set up an environment to test the "anti-replay" function, referring to the CLI manual description. When anti-replay is set to strict, syn+ack packets with incorrect sequence numbers should be dropped. However, when I tested, fortigate did not drop the wrong syn+ack packets but forwarded them. Why doesn't it drop the wrong seq packet? I debugged and saw a debug message saying "This can be a challenge ack packet". What does this mean?

1. My topology is as follows

top.png

2. debug info

this challenge ack packet.png

3. fortigate sniff

wrong rst.png

4. config system global, set anti-replay strict

anti-relay-global.png

5. firewall policy, set anti-replay enable

anti-replay policy.png

6. only one firewall policy

policys.png

Bjay_Prakash_Ghising
Contributor

hi @goodfortinet 

 

Note that the anti-replay setting only affects non-accelerated traffic. So disable offloading in the firewall policy.

 

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/168164/blocking-external-probes

 

If logging of the detected replayed packets is also required, configuration 'log-invalid-packet' can be enabled.

 

# config log setting
set log-invalid-packet enable

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Logging-for-replayed-packets/ta-p/196081

 

Hope that helps, 

 

Kind Regards, 

Bijay Prakash Ghising

goodfortinet

 

Thank you for your answer. I disabled offloading in the firewall policy, but fortigate still forwards the wrong syn+ack to the internal client.

still.png

smaruvala
Staff

Hi,

 

This is a TCP Challenge ACK scenario. In Challenge ACK the client sends the SYN packet and the server sends an "ACK" packet. If you look at the screenshot you attached, the SYN flag is not set. Hence the firewall is considering this a challenge ACK. Challenge ACK is something defined in the RFC, and those packets need to be allowed.

https://datatracker.ietf.org/doc/html/rfc5961

After the challenge ACK the client will send the RST packet and close the connection and then start a new one.

 

Regards,

Shiva
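To make the two halves of this thread concrete (the question's expectation that strict anti-replay drops a SYN+ACK with a wrong ack number, and the answer's point that an ACK without SYN is a challenge ACK that must be forwarded so the client can RST), here is an added illustration. It is not FortiOS code and not part of any post: a minimal model of a stateful firewall's handshake check next to a client in SYN-SENT, following RFC 793's SYN-SENT rules and RFC 5961 section 4.2. The addresses and sequence numbers are constructed sample values, and the "strict drops a mismatched SYN+ACK" rule is an assumption taken from the CLI description quoted in the question ("loose" is not modelled).

```python
# Added illustration for this thread (not FortiOS code): a minimal model of how a
# stateful firewall with anti-replay checking, and a client in SYN-SENT, treat the
# server's first reply. Addresses and sequence numbers are constructed sample values.
from dataclasses import dataclass
from typing import Optional, Tuple

MASK32 = 0xFFFFFFFF  # TCP sequence numbers are 32-bit


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    seq: int
    ack_num: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass
class Session:
    client: str
    server: str
    client_isn: int      # client's initial sequence number (ISS in RFC 793)
    state: str = "SYN_SENT"


def open_session(syn: Segment) -> Session:
    """Firewall creates session state when it sees the client's SYN."""
    if not (syn.syn and not syn.ack):
        raise ValueError("session must be opened by a pure SYN")
    return Session(client=syn.src, server=syn.dst, client_isn=syn.seq)


def ack_acceptable(sess: Session, seg: Segment) -> bool:
    """RFC 793 SYN-SENT rule: an ACK is acceptable only if it covers exactly the
    SYN, i.e. ISS < SEG.ACK <= SND.NXT, and SND.NXT == ISS + 1 at this point."""
    return seg.ack_num == (sess.client_isn + 1) & MASK32


def firewall_verdict(sess: Session, reply: Segment, anti_replay: str) -> str:
    """Return 'forward' or 'drop' for a server->client reply while the session is
    still SYN_SENT. Assumption: 'strict' drops a SYN+ACK whose ack number does not
    match the client's SYN; any other setting is treated as disabled here."""
    if sess.state != "SYN_SENT" or reply.src != sess.server:
        return "forward"  # only the handshake reply is modelled
    if reply.syn and reply.ack:
        if ack_acceptable(sess, reply):
            return "forward"  # normal second handshake step
        return "drop" if anti_replay == "strict" else "forward"
    if reply.ack and not reply.syn:
        # No SYN flag: a challenge ACK (RFC 5961 section 4.2). The server believes it
        # already has a connection; the client must see this so it can answer with RST.
        return "forward"
    return "forward"


def client_reaction(sess: Session, seg: Segment) -> Segment:
    """What the client in SYN-SENT sends back (RFC 793 SYN-SENT processing)."""
    if seg.ack and not ack_acceptable(sess, seg):
        # Unacceptable ACK: reply with a RST whose seq equals the offending ack number.
        return Segment(src=sess.client, dst=sess.server,
                       seq=seg.ack_num, ack_num=0, rst=True)
    if seg.syn and seg.ack:
        # Good SYN+ACK: complete the handshake with the third ACK.
        sess.state = "ESTABLISHED"
        return Segment(src=sess.client, dst=sess.server,
                       seq=(sess.client_isn + 1) & MASK32,
                       ack_num=(seg.seq + 1) & MASK32, ack=True)
    raise ValueError("segment not handled by this model")


def trace(reply: Segment, anti_replay: str = "strict") -> Tuple[str, Optional[Segment]]:
    """Run one constructed client SYN followed by `reply` through both checks."""
    syn = Segment(src="10.0.0.5", dst="203.0.113.10", seq=1000, ack_num=0, syn=True)
    sess = open_session(syn)
    verdict = firewall_verdict(sess, reply, anti_replay)
    if verdict == "drop":
        return verdict, None  # the client never sees the segment
    return verdict, client_reaction(sess, reply)


if __name__ == "__main__":
    srv, cli = "203.0.113.10", "10.0.0.5"
    cases = {
        "good SYN+ACK": Segment(src=srv, dst=cli, seq=5000, ack_num=1001, syn=True, ack=True),
        "SYN+ACK, wrong ack": Segment(src=srv, dst=cli, seq=5000, ack_num=42, syn=True, ack=True),
        "challenge ACK (no SYN)": Segment(src=srv, dst=cli, seq=5000, ack_num=42, ack=True),
    }
    for name, seg in cases.items():
        print(name, "->", trace(seg))
```

The third case is the one in the sniffer capture: the reply carries ACK but no SYN, so the firewall forwards it regardless of the anti-replay setting, and the client answers with a RST whose sequence number is the bogus ack number, which is exactly the "wrong rst" seen in the capture before the client retries.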

goodfortinet

thank you , i get it.

pminarik
Staff

Challenge-ACK is supported by FortiOS and correctly forwarded to clients since versions 6.0.13 / 6.2.10 / 6.4.6 / 7.0.2.

 

https://docs.fortinet.com/document/fortigate/7.0.2/fortios-release-notes/289806/resolved-issues

644225 - Challenge ACK is being dropped.

[ corrections always welcome ]
goodfortinet

thank you
