Article Id 191435


This article describes the Anti-Replay option per-policy.

For information, please refer to:
1) Fortinet Documentation here.
2) How anti-replay works and sniffer usage for testing here.
3) Replay traffic scenario here.
4) Configure packet replay and TCP sequence checking here.


When the global anti-replay option is disabled, the FortiGate does not check TCP flags in packets.


config system global
    set anti-replay {disable | loose | strict}          <-- Level of checking for packet replay and TCP sequence checking.
end

The available options for set anti-replay are:

disable    Disable anti-replay check.
loose      Loose anti-replay check.
strict     Strict anti-replay check.

This feature adds a per-policy anti-replay option that overrides the global setting. This makes it possible to control, policy by policy, whether TCP flags are checked.

This is useful when more granular control is needed, for example for specific traffic that does not require TCP flag checking.

config firewall policy
    edit x
        set anti-replay {enable | disable}           <-- Enable/disable anti-replay check. Default is enabled
    next
end

Note: The default configuration of anti-replay is enabled.

When anti-replay is enabled, the following error message may appear in the debug flow output:


2021-06-16 08:56:19 id=20085 trace_id=1033 func=print_pkt_detail line=5622 msg="vd-root:0 received a packet(proto=6,> from port1. flag [.], seq 4057395850, ack 800443321, win 1029"

2021-06-16 08:56:19 id=20085 trace_id=1033 func=resolve_ip_tuple_fast line=5702 msg="Find an existing session, id-00296aae, original direction"

2021-06-16 08:56:19 id=20085 trace_id=1033 func=tcp_anti_reply line=1025 msg="org dir, ack in state syn_sent, suspicious"

2021-06-16 08:56:19 id=20085 trace_id=1033 func=ip_session_core_in line=6307 msg="anti-replay check fails, drop"
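
As an added example (not part of the original article and not Fortinet tooling), the following Python script groups debug flow lines by trace_id and reports each packet dropped by the anti-replay check, with its ingress interface, session id, and the reason logged by tcp_anti_reply. The first four sample lines are the ones shown above; trace 1034 is constructed, and the line layout is assumed to match that sample.

```python
import re
from collections import defaultdict

# Debug flow lines: the first four are the article's sample; trace 1034 is constructed.
SAMPLE = '''\
2021-06-16 08:56:19 id=20085 trace_id=1033 func=print_pkt_detail line=5622 msg="vd-root:0 received a packet(proto=6,> from port1. flag [.], seq 4057395850, ack 800443321, win 1029"
2021-06-16 08:56:19 id=20085 trace_id=1033 func=resolve_ip_tuple_fast line=5702 msg="Find an existing session, id-00296aae, original direction"
2021-06-16 08:56:19 id=20085 trace_id=1033 func=tcp_anti_reply line=1025 msg="org dir, ack in state syn_sent, suspicious"
2021-06-16 08:56:19 id=20085 trace_id=1033 func=ip_session_core_in line=6307 msg="anti-replay check fails, drop"
2021-06-16 08:56:20 id=20085 trace_id=1034 func=resolve_ip_tuple_fast line=5702 msg="Find an existing session, id-00296ab0, original direction"
'''

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) id=\d+ trace_id=(?P<trace>\d+) '
    r'func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"\s*$')

def anti_replay_drops(text):
    """Group debug flow lines by trace_id and return one record per packet
    whose trace ends with an anti-replay drop."""
    traces = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # skip blank or unrelated lines
            traces[int(m['trace'])].append(m)
    drops = []
    for trace_id, lines in sorted(traces.items()):
        if not any('anti-replay check fails' in m['msg'] for m in lines):
            continue  # packet was not dropped by the anti-replay check
        rec = {'trace_id': trace_id, 'time': lines[0]['ts'],
               'in_intf': None, 'session': None, 'reason': None}
        for m in lines:
            msg = m['msg']
            if m['func'] == 'print_pkt_detail':
                intf = re.search(r'from (\S+?)\.', msg)
                rec['in_intf'] = intf.group(1) if intf else None
            elif m['func'] == 'resolve_ip_tuple_fast':
                sess = re.search(r'id-([0-9a-f]+)', msg)
                rec['session'] = sess.group(1) if sess else None
            elif m['func'] == 'tcp_anti_reply':
                rec['reason'] = msg  # why the TCP state check flagged the packet
        drops.append(rec)
    return drops

if __name__ == '__main__':
    for d in anti_replay_drops(SAMPLE):
        print(d)
```

The session id and ingress interface in each record identify the traffic whose matching policy is a candidate for the per-policy setting.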