Description
This article describes how to prevent a FortiGate from responding with the TCP Timestamp option and how to verify that the option is being stripped.
It is sometimes necessary to strip or disable the TCP Timestamp option because vulnerability scanning tools report a FortiGate unit as vulnerable to 'TCP timestamp response' when the option is present in its replies.
Scope
FortiGate.
Solution
TCP options consist of:
• Maximum Segment Size (MSS).
• Window Scaling.
• Selective Acknowledgements (SACK).
• Timestamps.
• NOP.
Run the following CLI commands to disable TCP options:
config system global
set tcp-option disable <-- The default value is enable.
end
Another method is the following diagnose command:
diag sys tcp-option disable
Disabling TCP-option strips all TCP options from the response except MSS.
The following packet captures show the response when TCP-option is enabled and when it is disabled:
Figure 1 shows that the TCP options MSS, NOP, and Timestamps are present in the response when 'tcp-option' is enabled.
Figure 2 shows that all TCP options (NOP and Timestamps) except MSS are stripped from the response when 'tcp-option' is disabled.
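To check the result without reading the capture by hand, the TCP options area of the SYN/ACK can be decoded directly. The following script is an added example and is not part of the Fortinet article or of FortiOS: it parses the options from a raw TCP header (for example, the bytes of the reply captured while scanning the FortiGate) and reports whether the Timestamps option (kind 8) is present. The two sample headers, `SYNACK_TCP_OPTION_ENABLED` and `SYNACK_TCP_OPTION_DISABLED`, are constructed here to mirror Figure 1 and Figure 2; they are not captured FortiGate traffic, and the function and variable names are this example's own.

```python
from __future__ import annotations
import struct

# TCP option kinds (RFC 793, RFC 1323/7323, RFC 2018); only the common ones are named.
OPTION_NAMES = {
    0: "EOL", 1: "NOP", 2: "MSS", 3: "Window Scale",
    4: "SACK Permitted", 5: "SACK", 8: "Timestamps",
}


def parse_tcp_options(tcp_header: bytes) -> list[tuple[int, bytes]]:
    """Return (kind, payload) pairs from the options area of a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than the 20-byte fixed part")
    data_offset = (tcp_header[12] >> 4) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError(f"invalid data offset {data_offset}")
    opts = tcp_header[20:data_offset]
    parsed: list[tuple[int, bytes]] = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                 # End of option list
            parsed.append((0, b""))
            break
        if kind == 1:                                 # NOP has no length byte
            parsed.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option truncated before its length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"invalid length {length} for option kind {kind}")
        parsed.append((kind, opts[i + 2:i + length]))
        i += length
    return parsed


def option_names(tcp_header: bytes) -> list[str]:
    """Human-readable list of the options present, in wire order."""
    return [OPTION_NAMES.get(kind, f"kind-{kind}")
            for kind, _ in parse_tcp_options(tcp_header)]


def has_timestamp_option(tcp_header: bytes) -> bool:
    """True when the reply still carries the TCP Timestamps option (kind 8)."""
    return any(kind == 8 for kind, _ in parse_tcp_options(tcp_header))


def timestamp_values(tcp_header: bytes) -> tuple[int, int] | None:
    """(TSval, TSecr) from the Timestamps option, or None when it is absent."""
    for kind, payload in parse_tcp_options(tcp_header):
        if kind == 8 and len(payload) == 8:
            tsval, tsecr = struct.unpack("!II", payload)
            return tsval, tsecr
    return None


def mss_value(tcp_header: bytes) -> int | None:
    """Advertised MSS, which FortiGate keeps even with tcp-option disabled."""
    for kind, payload in parse_tcp_options(tcp_header):
        if kind == 2 and len(payload) == 2:
            return struct.unpack("!H", payload)[0]
    return None


def build_synack(options: bytes) -> bytes:
    """Constructed sample: a SYN/ACK header carrying the given options (EOL-padded to 4 bytes)."""
    options += b"\x00" * ((-len(options)) % 4)
    header_len = 20 + len(options)
    fixed = struct.pack("!HHIIBBHHH",
                        443, 51234,                   # ports (constructed)
                        0x12345678, 0x9ABCDEF0,       # seq / ack numbers (constructed)
                        (header_len // 4) << 4,       # data offset in 32-bit words
                        0x12,                         # flags: SYN + ACK
                        65535, 0, 0)                  # window, checksum, urgent pointer
    return fixed + options


# Constructed samples mirroring Figure 1 (MSS, NOP, NOP, Timestamps) and Figure 2 (MSS only).
SYNACK_TCP_OPTION_ENABLED = build_synack(
    b"\x02\x04\x05\xb4"                               # MSS 1460
    + b"\x01\x01"                                     # NOP, NOP
    + b"\x08\x0a" + struct.pack("!II", 123456, 654321)  # Timestamps TSval/TSecr
)
SYNACK_TCP_OPTION_DISABLED = build_synack(b"\x02\x04\x05\xb4")   # MSS 1460 only

if __name__ == "__main__":
    for label, hdr in (("enabled", SYNACK_TCP_OPTION_ENABLED),
                       ("disabled", SYNACK_TCP_OPTION_DISABLED)):
        verdict = "still present" if has_timestamp_option(hdr) else "stripped"
        print(f"tcp-option {label}: options={option_names(hdr)} -> Timestamps {verdict}")
```

On a real capture, feed the script the bytes of the TCP header from the FortiGate's SYN/ACK (for example, extracted from a pcap of the scanner's connection attempt); a result of `Timestamps stripped` with only MSS listed corresponds to the behaviour shown in Figure 2.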
** When a Virtual IP (VIP) or virtual server is scanned by an external vulnerability scanning tool, the TCP options behavior depends on the firewall policy created for that VIP/virtual server.
If the firewall policy uses proxy-based inspection mode, outbound replies honor 'set tcp-option disable' and the TCP options are stripped.
(The proxy-based policy must also have at least certificate inspection or at least one UTM feature applied.)
If the firewall policy uses flow-based inspection mode, the TCP options behavior depends on the mapped host of the VIP.
Copyright 2024 Fortinet, Inc. All Rights Reserved.