DanielB
New Member
August 16, 2017
Solved

timeout-sent-rst globally?

  • August 16, 2017
  • 1 reply
  • 10169 views

Hi Guys,

Is there any chance to enable `timeout-sent-rst` globally, not only for specific policies? I am asking because we have a zone containing a lot of interfaces, and we don't have rules between them as `intrazone allow` is configured.

http://kb.fortinet.com/kb....do?externalID=FD35049

It's a FortiGate-600D.

Many thanks.

Daniel

    Best answer by oheigl

    1 reply

    oheigl (Answer)
    New Member
    August 16, 2017

    ```
    config system global
        set reset-sessionless-tcp enable
    end
    ```

    Explanation from the CLI guide:

    The reset-sessionless-tcp command determines what action the FortiGate unit performs if it receives a TCP packet but cannot find a corresponding session in its session table. This happens most often because the session has timed out. In most cases you should leave reset-sessionless-tcp set to disable (the default). When this command is set to disable, the FortiGate unit silently drops the packet. The packet originator does not know that the session has expired and might re-transmit the packet several times before attempting to start a new session. Enabling this option may help resolve issues with a problematic server, but it can make the FortiGate unit more vulnerable to denial of service attacks. If you enable reset-sessionless-tcp, the FortiGate unit sends a RESET packet to the packet originator. The packet originator ends the current session, but it can try to establish a new session. Available in NAT/Route mode only. Default is disable.

    I have never used this before, but it may be what you need. Please read carefully and understand the side effects of this setting.
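The trade-off the CLI guide describes (faster client recovery versus the firewall answering every unsolicited TCP packet with a RST) is easy to see in a small model. The following Python is an added illustration written for this page; it is not FortiOS code and does not reproduce FortiGate internals. It models a session table with an idle timeout and the two policies for packets that match no session: silent drop, where the client retransmits with exponential backoff before giving up and opening a new connection, and RST, where the client tears down and reconnects immediately. The flow tuples, the 3600 s timeout, the retransmission timer and the retry count are all constructed values.

```python
"""Toy model of a stateful firewall's session table and the two
'sessionless TCP' policies: silent drop vs. reply with RST.
Added example for this thread; not FortiOS code. All values constructed."""
from dataclasses import dataclass, field

SESSION_TTL = 3600.0  # constructed: idle timeout in seconds
# constructed 5-tuple-ish flow key: (src_ip, src_port, dst_ip, dst_port)
FLOW = ("192.0.2.10", 51000, "198.51.100.20", 443)


@dataclass
class SessionTable:
    """Session table with one knob, mirroring reset-sessionless-tcp."""
    reset_sessionless_tcp: bool
    ttl: float = SESSION_TTL
    sessions: dict = field(default_factory=dict)  # flow -> last-seen time
    rst_sent: int = 0   # RST packets the firewall generated
    dropped: int = 0    # packets silently discarded

    def open(self, flow, now):
        """A SYN (or a policy hit) creates a session entry."""
        self.sessions[flow] = now

    def handle_tcp(self, flow, now, syn=False):
        """Return 'forward', 'drop' or 'rst' for one TCP packet."""
        if syn:
            self.open(flow, now)
            return "forward"
        last = self.sessions.get(flow)
        if last is not None and now - last <= self.ttl:
            self.sessions[flow] = now  # refresh idle timer
            return "forward"
        # No live session: the packet is 'sessionless'. Expire any stale entry.
        self.sessions.pop(flow, None)
        if self.reset_sessionless_tcp:
            self.rst_sent += 1  # firewall answers with a RESET
            return "rst"
        self.dropped += 1       # default: silent drop
        return "drop"


def client_recovery_time(table, flow, idle_for, max_retries=5, rto=1.0):
    """Seconds from the first post-idle data packet until the client has a
    working session again. Models a client that retransmits with doubling
    RTO when it hears nothing, but reconnects at once on a RST."""
    table.open(flow, 0.0)
    now = start = idle_for          # first data packet after being idle
    for attempt in range(max_retries + 1):
        verdict = table.handle_tcp(flow, now)
        if verdict == "forward":    # session still alive, nothing to recover
            return now - start
        if verdict == "rst":        # RST tells the client immediately
            break
        now += rto * (2 ** attempt)  # silence: back off and retransmit
    # Give up on the old session and start a new one with a SYN.
    table.handle_tcp(flow, now, syn=True)
    return now - start


def unsolicited_burst(table, n_packets, now=0.0):
    """Feed n_packets non-SYN TCP packets that match no session, as a scanner
    or spoofing host might, and report (rst_sent, dropped). With the RST
    policy the firewall emits one reply packet per unsolicited packet."""
    for i in range(n_packets):
        flow = ("203.0.113.%d" % (i % 250), 40000 + i, "198.51.100.20", 443)
        table.handle_tcp(flow, now)
    return table.rst_sent, table.dropped


if __name__ == "__main__":
    for policy in (False, True):
        t = SessionTable(reset_sessionless_tcp=policy)
        delay = client_recovery_time(t, FLOW, idle_for=SESSION_TTL + 1)
        print("reset-sessionless-tcp=%s: client recovers after %.0f s, "
              "rst_sent=%d dropped=%d" % (policy, delay, t.rst_sent, t.dropped))
        print("  unsolicited burst of 1000:", unsolicited_burst(
            SessionTable(reset_sessionless_tcp=policy), 1000))
```

With the default drop policy the model's client spends 63 s retransmitting (six attempts at 1, 2, 4, 8, 16 and 32 s) before it opens a new connection, which is the "might re-transmit the packet several times" behaviour from the guide; with the RST policy it reconnects at once, but every packet of a 1000-packet unsolicited burst now costs the firewall an outbound RST, which is the denial-of-service exposure the guide warns about.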