mle2802
Staff
March 7, 2025

Troubleshooting Tip: FortiGate does not reply with TCP RST when 'set send-deny-packet' is enabled


Description

This article describes how to control how the FortiGate replies to traffic matching a deny firewall policy that has 'set send-deny-packet' enabled: with a TCP RST or with an ICMP Unreachable.

Scope

FortiGate.

Solution

When a firewall policy is configured with 'set send-deny-packet enable', a TCP RST (reset) is sent by default for traffic matching the deny policy instead of the packet being silently dropped.


In a packet capture, however, no TCP RST is sent back by the FortiGate, and the connection times out after some time.



This is due to the command 'set deny-tcp-with-icmp' being enabled under 'config system settings'.



Disable that option and try to reconnect. This time a TCP RST packet is sent and the connection is refused instead of timing out or being dropped.

It is worth noting that UDP traffic matching such a policy is always answered with an ICMP Unreachable and is unaffected by this global setting.

Another consideration is that, as of right now, the setting is global. This means it affects the entire device, or a specific VDOM if VDOMs are enabled.
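The three outcomes described above (TCP RST, ICMP Unreachable, or a silent drop that ends in a time-out) can be told apart from the client side before opening a packet capture. The following script is an added example, not part of the original article or of any Fortinet tool; it attempts a TCP connect and classifies the error the operating system reports. The host and port are assumptions to be replaced with the destination behind the FortiGate policy under test. Note that Linux maps an ICMP port-unreachable to the same ECONNREFUSED as a TCP RST, so a 'refused' result still needs a packet capture to confirm which of the two arrived; an ICMP administratively-prohibited or host/network-unreachable message shows up as a distinct errno and is reported separately.

```python
import errno
import socket
import sys
from contextlib import closing


def classify_connect(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TCP connect and report how the path responded.

    'connected'        -> three-way handshake completed, traffic was allowed
    'refused'          -> ECONNREFUSED: a TCP RST came back (or an ICMP port
                          unreachable, which Linux maps to the same errno)
    'icmp-unreachable' -> EHOSTUNREACH / ENETUNREACH: an ICMP destination
                          unreachable (e.g. admin prohibited) came back
    'timeout'          -> nothing came back within `timeout`: silent drop
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "connected"
        except socket.timeout:
            return "timeout"
        except ConnectionRefusedError:
            return "refused"
        except OSError as e:
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "icmp-unreachable"
            raise


def open_local_listener() -> socket.socket:
    """Open a listening socket on an ephemeral loopback port (for the self-check)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def closed_local_port() -> int:
    """Return a loopback port that nothing is listening on (for the self-check)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]  # socket closes on exit, leaving the port free


def self_check() -> dict:
    """Exercise the classifier against loopback: an open port must report
    'connected' and a closed port must report 'refused' (the kernel answers
    with a TCP RST, exactly what a FortiGate sends with send-deny-packet on
    and deny-tcp-with-icmp off)."""
    srv = open_local_listener()
    try:
        open_result = classify_connect("127.0.0.1", srv.getsockname()[1])
    finally:
        srv.close()
    closed_result = classify_connect("127.0.0.1", closed_local_port())
    return {"open": open_result, "closed": closed_result}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python deny_probe.py <host> <port>  (host/port are placeholders)
        print(classify_connect(sys.argv[1], int(sys.argv[2])))
    else:
        print(self_check())
```

Run it against the blocked destination once with 'set deny-tcp-with-icmp' enabled and once with it disabled: the first run should report 'icmp-unreachable' or 'timeout' depending on what reaches the client, the second 'refused'. The self-check only uses loopback, so it runs without any firewall in the path.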

