Technical Tip: Protocol header checking
Description
This article describes how to select the level of checking performed on packet headers.
Scope
FortiGate.
Solution
If a packet fails header checking, the FortiGate drops it. The level of checking is configured from the CLI with the following command:
config system global
set check-protocol-header {loose | strict}
end
- loose: The default setting. When receiving a packet, the FortiGate performs basic header checking to verify that the packet is part of a session and should be processed. Basic header checking verifies that the layer-4 protocol header length, the IP header length, the IP version, the IP checksum, and the IP options are correct.
- strict: The FortiGate performs the same checks as loose, and additionally verifies that ESP packets carry the correct sequence number, SPI, and data length.
The current value can be confirmed with 'show full-configuration system global | grep check-protocol-header' (the plain 'show' output omits settings left at their default value).
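To make the two levels concrete, the following is an added example, not FortiOS code and not published Fortinet logic: a small IPv4 validator that models the checks listed above. Loose mode covers IP version, IP header length, IP checksum, IP options and the layer-4 header length; strict mode adds the ESP SPI, sequence-number and data-length checks. The ESP thresholds are assumptions (ESP_ICV_LEN, REPLAY_WINDOW, the SPI 0 rule and 4-byte trailer alignment from RFC 4303), and the sample packets are constructed inline. The exact FortiGate implementation may differ.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50
ESP_ICV_LEN = 12    # assumption: the SA's ICV length (e.g. HMAC-SHA1-96); real SAs vary
REPLAY_WINDOW = 64  # assumption: anti-replay window size


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; 0 means a header's checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def check_options(options: bytes):
    """Walk RFC 791 options: EOL (0) and NOP (1) are one byte, the rest carry a length byte."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:
            return None
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(options):
            return "option missing length byte"
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return "bad option length"
        i += length
    return None


class HeaderChecker:
    def __init__(self, mode: str = "loose") -> None:
        self.mode = mode
        self._esp = {}  # spi -> (highest seq seen, replay-window bitmap)

    def check(self, pkt: bytes) -> tuple:
        """Returns (accepted, reason); a rejected packet would be dropped."""
        if len(pkt) < 20:
            return False, "truncated IP header"
        ver_ihl, _, total_len, _, _, _, proto, _, _, _ = struct.unpack("!BBHHHBBHII", pkt[:20])
        version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
        if version != 4:
            return False, "IP version"
        if ihl < 20 or ihl > len(pkt) or not ihl <= total_len <= len(pkt):
            return False, "IP header length"
        if ip_checksum(pkt[:ihl]) != 0:
            return False, "IP checksum"
        err = check_options(pkt[20:ihl])
        if err:
            return False, "IP options: " + err
        l4 = pkt[ihl:total_len]  # layer-4 header length checks: the header must fit the packet
        if proto == IPPROTO_TCP and (len(l4) < 20 or not 20 <= (l4[12] >> 4) * 4 <= len(l4)):
            return False, "TCP header length"
        if proto == IPPROTO_UDP and (len(l4) < 8 or not 8 <= struct.unpack("!H", l4[4:6])[0] <= len(l4)):
            return False, "UDP header length"
        if proto == IPPROTO_ESP:
            if len(l4) < 8:
                return False, "ESP header length"
            if self.mode == "strict":
                return self._check_esp_strict(l4)
        return True, "ok"

    def _check_esp_strict(self, esp: bytes) -> tuple:
        spi, seq = struct.unpack("!II", esp[:8])
        if spi == 0:  # RFC 4303 reserves SPI 0; it must never appear on the wire
            return False, "ESP SPI"
        body = len(esp) - 8 - ESP_ICV_LEN  # payload + padding + pad-length + next-header
        if body < 2 or body % 4:  # at least the 2-byte trailer, 4-byte aligned (RFC 4303)
            return False, "ESP data length"
        if seq == 0:  # the first packet on an SA carries sequence number 1
            return False, "ESP sequence number 0"
        highest, bitmap = self._esp.get(spi, (0, 0))
        if seq > highest:  # newer than anything seen: slide the window forward
            bitmap = ((bitmap << min(seq - highest, REPLAY_WINDOW)) | 1) & ((1 << REPLAY_WINDOW) - 1)
            highest = seq
        else:
            back = highest - seq
            if back >= REPLAY_WINDOW:
                return False, "ESP sequence number too old"
            if bitmap & (1 << back):
                return False, "ESP sequence number replayed"
            bitmap |= 1 << back
        self._esp[spi] = (highest, bitmap)
        return True, "ok"


def build_ipv4(proto: int, payload: bytes, options: bytes = b"", corrupt_checksum: bool = False) -> bytes:
    """Constructed test packet 10.0.0.1 -> 10.0.0.2 with a valid (or deliberately wrong) checksum."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBHII", 0x40 | ihl, 0, ihl * 4 + len(payload), 0x1234, 0, 64,
                      proto, 0, 0x0A000001, 0x0A000002) + options
    csum = ip_checksum(hdr) ^ (0x00FF if corrupt_checksum else 0)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)  # constructed
ESP_PKT = struct.pack("!II", 0x1000, 1) + b"\x00" * (12 + ESP_ICV_LEN)  # constructed: SPI 0x1000, seq 1
```

Running the same ESP packet twice through HeaderChecker("loose") is accepted both times, while HeaderChecker("strict") accepts the first and rejects the second as a replayed sequence number; that difference is the extra work strict mode does per packet, which is why it cannot be offloaded to the NP and disables hardware acceleration.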
Note:
Enabling strict header checking disables all hardware acceleration on the device, including NTurbo and IPsec encryption/decryption offloading, so every session is processed by the CPU instead of the NP. This can have a significant performance impact on busy units, so measure throughput before and after changing the setting. See the FortiGate v7.6.4 Hardware Acceleration Guide: Strict protocol header checking disables hardware acceleration.
