This article describes how to analyze TCP RST (Reset) packets in Wireshark.
RDP is not accessible for the whole network.
Always take a packet capture of the TCP connection and review it in Wireshark.
Start by selecting the RST packet in the packet capture and 'right-clicking' it. Choose 'Conversation filter' and then select TCP. This filters the packets for the selected conversation to aid in troubleshooting.
In the packet capture, the client sends a SYN packet to start the TCP handshake but receives an RST packet from the server.
To further investigate the source of the RST packet, focus on the IP header. Expand the IP header in Wireshark to view the TTL (Time To Live) value.
Typical initial TTL values are 255, 168, and 64, among others. The TTL is the number of hops a packet can make before being discarded, and each router that forwards the packet decrements it. In this case, a TTL value of 64 indicates that the packet was not routed, as it was not decremented by any hop.
Analyze the layer-2 header and identify the source MAC address. From the source MAC address, it is determined that the FortiGate firewall is responsible for sending the RST packet.
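The two checks above (undecremented TTL, then source MAC) can be applied to a raw frame as follows. This is an added example, not code from the original article or from Fortinet; the firewall MAC, the IP addresses and the sample frames are constructed placeholders, and the default list of initial TTLs is an assumption that should be adjusted to the devices in the capture.

```python
import struct

FIREWALL_MAC = "02:00:00:aa:bb:cc"  # constructed placeholder, not a real FortiGate MAC

def parse_frame(frame: bytes):
    """Return (src_mac, ttl, tcp_flags) for an Ethernet II/IPv4/TCP frame, else None."""
    if len(frame) < 14 + 20 + 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 6 or len(ip) < ihl + 14:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    return src_mac, ip[8], ip[ihl + 13]  # TTL is IP byte 8, flags are TCP byte 13

def classify_rst(frame, firewall_mac=FIREWALL_MAC, initial_ttls=(64, 255)):
    """Apply the article's two checks: undecremented TTL, then source MAC."""
    parsed = parse_frame(frame)
    if parsed is None or not parsed[2] & 0x04:   # 0x04 = RST bit
        return "not-a-tcp-rst"
    src_mac, ttl, _ = parsed
    unrouted = ttl in initial_ttls      # no hop decremented it: sender is on-link
    if src_mac == firewall_mac.lower():
        return "sent-by-firewall" if unrouted else "forwarded-by-firewall"
    return "sent-by-on-link-host" if unrouted else "forwarded-by-other-gateway"

def build_frame(src_mac, ttl, tcp_flags):
    """Constructed sample frame: zeroed checksums, documentation IP addresses."""
    eth = bytes.fromhex("020000000001" + src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIBBHHH", 3389, 50000, 0, 1, 0x50, tcp_flags, 0, 0, 0)
    return eth + ip + tcp

if __name__ == "__main__":
    for mac, ttl, flags in [(FIREWALL_MAC, 64, 0x14), (FIREWALL_MAC, 57, 0x14),
                            ("02:00:00:11:22:33", 64, 0x04)]:
        print(mac, ttl, classify_rst(build_frame(mac, ttl, flags)))
```

The source MAC only identifies the last layer-2 hop, so the result is meaningful only for a capture taken on the client's own segment; a firewall MAC combined with a decremented TTL means the firewall forwarded an RST that originated further away.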
By disabling the specific rule, it was possible to resolve the issue, and subsequent access to the RDP (Remote Desktop Protocol) was established without any problems.
This detailed analysis highlights the process followed to identify the source of the RST packet and its resolution.