Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiExtender
- FortiGuest
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiSRA
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiScan
- FortiSandbox
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiWAN
- FortiToken
- FortiVoice
- FortiWeb
- Wireless Controller
- FortiAppSec Cloud
- RMA Information and Announcements
- Lacework
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiExtender
- FortiGuest
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiSRA
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiScan
- FortiSandbox
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiWAN
- FortiToken
- FortiVoice
- FortiWeb
- Wireless Controller
- FortiAppSec Cloud
- RMA Information and Announcements
- Lacework
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Technical Tip: Anti-replay per policy when FortiGa...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Description
This article describes anti-replay option available per policy.
Related link:
https://docs.fortinet.com/document/fortigate/6.2.0/new-features/519101/expanding-fabric-family
Solution
When the global anti-replay option is disabled, the FortiGate does not check TCP flags in packets. This feature adds a per policy anti-replay option that overrides the global setting. This allows you to control whether or not TCP flags are checked per policy. In this example, a policy is created with the anti-replay option enabled so that TCP flags are checked:
This feature is not applicable when the device is set to policy mode.
All the available options per policy having FortiGate in policy mode are shown below and it does not include anti-replay settings:
When the global anti-replay option is disabled, the FortiGate does not check TCP flags in packets. The default is strict.
This article describes anti-replay option available per policy.
Related link:
https://docs.fortinet.com/document/fortigate/6.2.0/new-features/519101/expanding-fabric-family
Solution
When the global anti-replay option is disabled, the FortiGate does not check TCP flags in packets. This feature adds a per policy anti-replay option that overrides the global setting. This allows you to control whether or not TCP flags are checked per policy. In this example, a policy is created with the anti-replay option enabled so that TCP flags are checked:
# config firewall policyNote that the above option is only available when the firewall is set to profile mode.
edit 1
set name "policyid-1"
set uuid dfcaec9c-e925-51e8-cf3e-fed9a1d42a1c
set srcintf "wan2"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set anti-replay enable
set logtraffic all
set nat enable
next
end
This feature is not applicable when the device is set to policy mode.
All the available options per policy having FortiGate in policy mode are shown below and it does not include anti-replay settings:
# config firewall consolidated policyWhen the unit is set to profile mode, the only available option is to change anti-replay settings globally.
edit 1
set status enable
set name "test"
set uuid c64653e4-53b2-51ea-68fd-b11529dd97ec
set srcintf "port1"
set dstintf "port2"
set srcaddr4 "all"
set dstaddr4 "all"
set srcaddr-negate disable
set dstaddr-negate disable
set service-negate disable
set internet-service disable
set internet-service-src disable
set service "ALL"
set ssl-ssh-profile "no-inspection"
set diffserv-forward disable
set diffserv-reverse disable
set tcp-mss-sender 0
set tcp-mss-receiver 0
set session-ttl 0
set comments ''
next
end
When the global anti-replay option is disabled, the FortiGate does not check TCP flags in packets. The default is strict.
# config system global
set anti-replay {disable | loose | strict} <----- Level of checking for packet replay and TCP sequence checking.
end
Related Articles
Labels:
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.