Technical Tip: How anti-replay works and sniffer usage for testing

mbanica · ‎03-18-2015

Description

This article describes how anti-replay works, when it is good to enable, set to lose, or disable this mechanism. It also explains how to configure the sniffer correctly.

Scope

FortiGate.

Solution

FortiGate units use TCP sequence checking to make sure that a segment is part of a TCP session. By default, if a packet is received with sequence numbers that fall out of the expected range, the FortiGate unit drops the packet. This is normally a desired behavior since it means that the packet is invalid or duplicated.

The default is strict.

The anti-replay protection can be set to any of the following values:

disable — No anti-replay protection. Susceptible to SYN floods.
loose — Perform packet sequence checking and ICMP anti-replay checking with the following criteria:

The SYN, FIN, and RST bit can not appear in the same packet.
The FortiGate unit does not allow more than one ICMP error packet through before it receives a normal TCP or UDP packet.
If the FortiGate unit receives an RST packet, and check-reset-range is set to strict, the FortiGate unit checks to determine if its sequence number in the RST is within the un-ACKed data and drops the packet if the sequence number is incorrect.

strict — Performs all of the loose checking but for each new session also checks to determine of the TCP sequence number in a SYN packet has been calculated correctly and started from the correct value for each new session. Strict anti-replay checking can also help prevent SYN flooding. If any packet fails a check it is dropped.

Packets can be replayed due to network congestion.

Configuration CLI.

FGT # config system global

FGT (global) # set anti-replay ?
disable    Disable anti-replay check.
loose      Loose anti-replay check.
strict     Strict anti-replay check.
FGT (global) # end

The anti-replay protection can be used in the IPsec tunnel for ESP packets.
Replay detection allows the FortiGate to check all IPsec packets to see if they have been received before. If any encrypted packets arrive out of order, the FortiGate discards them.

Configuration CLI.

FGT # config vpn ipsec phase2-interface
edit <NAME>
FGT <NAME> # set replay ?
enable Enable setting.
disable Disable setting.

Before running a sniffer to capture packets and check for replayed packets, if the unit supports offloading to hardware, make sure that offloading is disabled before testing. Offloaded packets to NP (Network Processor) or SP are not visible in the sniffer or debug.

How to check if a device has NP:

FGT # get hardware nic *port name*

Example:

get hardware nic wan1

How to disable offloading for testing purposes:

FGT # config firewall policy
FGT (policy) # edit *ID number* (not Sequence)
FGT (1) # set auto-asic-offload disable
FGT (1) # next
FGT (policy) # end

Sniffer with verbose 6 can be converted into a PCAP file and analyzed in Wireshark:

FGT # diagnose sniffer packet any "host x.x.x.x" 6 0 a

'any' can be replaced with any port to observe traffic on a particular interface. It is possible to filter by the host (192.168.1.1), port number (port 21), protocol (ICMP, TCP, UDP, esp, arp, etc.), or network (net 192.168.0/24).

Sniffer with verbose 4 shows only the Data link, Network, and Transport layer:

FGT # diag sniffer packet any "arp" 4 0 a
interfaces=[any]
filters=[arp]
2015-02-18 09:33:55.487775 wan1 in arp who-has 10.108.17.23 tell 10.108.16.103
2015-02-18 09:33:56.469167 wan1 in arp who-has 10.108.17.23 tell 10.108.16.147
2015-02-18 09:33:57.363082 wan1 in arp who-has 10.108.17.33 tell 10.108.16.133
2015-02-18 09:33:57.449085 wan1 in arp who-has 10.108.17.73 tell 10.108.16.75
2015-02-18 09:33:58.197367 wan1 in arp who-has 10.108.18.78 tell 10.108.16.52
2015-02-18 09:33:58.328193 wan1 in arp who-has 10.108.19.254 tell 10.108.18.31

Technical Tip: How anti-replay works and sniffer usage for testing

You are leaving our website