Troubleshooting Tip: Workaround to achieve per policy level anti-replay strict in NGFW policy-based mode

When FortiGate is operating in the profile-based mode, it is possible to configure the anti-replay check in global settings as well as the per policy:

config system global
        set anti-replay ?
disable    Disable anti-replay check.
loose      Loose anti-replay check.
strict     Strict anti-replay check.
end

Or:

config firewall policy
    edit <>
       set anti-replay ?

enable     Enable anti-replay check.

disable    Disable anti-replay check.
end

However, for a FortiGate operating in policy-based mode, anti-replay checking is a global configuration only and cannot be applied per-policy, as this setting is unavailable within security-policies. As a workaround, anti-replay(strict) checks can be applied on a per-policy level by configuring the DoS policies to match traffic for specific security policies, to detect and mitigate SYN-flood and port scan protections.

Related articles:

• Technical Tip: Packet drop with error log 'replay packet(allow_err), suspicious'.
• Technical Tip: Traffic Drop caused by 'Anti-Replay Check Fails, Drop' error during a Firewall Policy configuration change
• Technical Tip: How anti-replay works and sniffer usage for testing
• Technical Tip: Anti-Replay option support per-policy
• Technical Tip: How to configure IPv4 DOS policy
• DOS policy