Description
This article describes the Anti-Replay option per-policy.
For information, please refer to:
1) Fortinet Documentation here.
2) How anti-replay works and sniffer usage for testing here.
3) Replay traffic scenario here.
4) Configure packet replay and TCP sequence checking here.
Solution
When the global anti-replay option is disabled, the FortiGate does not check TCP flags in packets.
config system global
set anti-replay {disable | loose | strict} <-- Level of checking for packet replay and TCP sequence checking.
end
The following are the explanation for every available option in set anti-replay:
disable Disable anti-replay check.
loose Loose anti-replay check.
strict Strict anti-replay check.
This feature adds a per policy anti-replay option that overrides the global setting. This allows you to control whether or not TCP flags are checked per policy.
This is useful when you need more granular control for specific traffic does not require for TCP flags checking.
config firewall policy
edit x
set anti-replay {enable | disable} <-- Enable/disable anti-replay check. Default is enabled
next
end
Note: The default configuration of anti-replay is enabled
It is possible to see below the error message in debug flow when anti-replay is enabled:
2021-06-16 08:56:19 id=20085 trace_id=1033 func=print_pkt_detail line=5622 msg="vd-root:0 received a packet(proto=6, 192.168.35.109:64154->192.168.36.5:22) from port1. flag [.], seq 4057395850, ack 800443321, win 1029"
2021-06-16 08:56:19 id=20085 trace_id=1033 func=resolve_ip_tuple_fast line=5702 msg="Find an existing session, id-00296aae, original direction"
2021-06-16 08:56:19 id=20085 trace_id=1033 func=tcp_anti_reply line=1025 msg="org dir, ack in state syn_sent, suspicious"
2021-06-16 08:56:19 id=20085 trace_id=1033 func=ip_session_core_in line=6307 msg="anti-replay check fails, drop"
