FortiGate
aalrefai
Staff
Article Id 393268
Description

This article describes a situation where a GRE packet has its checksum bit set to '1' but carries an invalid checksum; in this case the only action NP7 takes is to drop it.

 

Scope

FortiOS with NP7.

 

Solution

In certain situations the traffic is altered while traversing the path, so a change in the checksum is expected; in this situation NP7 drops a packet that would otherwise be expected to pass.

In the example below, GRE traffic was encrypted by an encryption device located after the Firewall, and the return packet, which now carries an invalid checksum, is dropped as shown below:

 

FW (global) # diagnose npu np7 dce-drop-all 0 1

<HTX drop counters>

[NP7_0]
Counter HTX_0 HTX_1 HTX_2 HTX_3 Total
------------------------- ---------- ---------- ---------- ---------- ------------
[41]gre_csum 131263 0 21339 109791 262393
<HTX drop counters>

[NP7_0]
Counter HTX_0 HTX_1 HTX_2 HTX_3 Total
------------------------- ---------- ---------- ---------- ---------- ------------
[41]gre_csum 131269 0 21341 109791 262401

  • Sniffer showing invalid checksum:

Generic Routing Encapsulation (0x5EDB - unknown)
    Flags and Version: 0xffd1
    Protocol Type: Unknown (0x5edb)
    Checksum: 0x9b41 incorrect, should be 0x99c5
        [Expert Info (Warning/Protocol): Incorrect GRE Checksum [should be 0x99c5]]
    [Checksum Status: Bad]


FW(global) # diagnose npu np7 dce-drop-all 1
<EIF drop counters>

[NP7_1]
Counter EIF_0 EIF_1 EIF_2 EIF_3 EIF_4 EIF_5 EIF_6 EIF_7 Total
------------------------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ------------
[41]gre_csum 0 0 0 0 3 10 4 5 22
------------------------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ------------
Total_drop : 22

  • New CLI commands are introduced in FortiOS v7.4.9 and v7.6.3, as below:

config system npu
    config fp-anomaly
        set gre-csum-err
            allow         Allow IPv4 invalid GRE checksum.
            drop          Drop IPv4 invalid GRE checksum.
            trap-to-host  Forward IPv4 invalid GRE checksum to main CPU for processing.
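To make the sniffer verdict above ("incorrect, should be ...") and the three gre-csum-err actions concrete, the following Python is an added example; it is not Fortinet code and not part of the original article. It computes the GRE checksum the way RFC 2784 defines it (one's complement of the one's complement sum over the GRE header and payload, with the checksum field zeroed, odd trailing byte padded), builds a packet with the checksum-present bit set, then rewrites the payload without touching the GRE header, which is what an in-path device that encrypts after encapsulation does, and shows the checksum no longer matches. The packet bytes are constructed, the byte-XOR rewrite is a stand-in for the encryption device, and `np7_action` is an assumed, simplified model of the allow / drop / trap-to-host values listed above, not NP7's actual implementation.

```python
import struct

# Constructed example, not Fortinet code: GRE checksum handling as defined by
# RFC 2784, i.e. the same check the sniffer performs on the captured packet.
GRE_FLAG_CHECKSUM_PRESENT = 0x8000  # the "C" bit, bit 0 of the Flags and Version field


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum of data; an odd trailing byte is padded with 0x00."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def gre_checksum(gre: bytes) -> int:
    """Checksum over the GRE header and payload with the checksum field itself zeroed."""
    zeroed = gre[:4] + b"\x00\x00" + gre[6:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def build_gre(protocol_type: int, payload: bytes) -> bytes:
    """Encapsulate payload in a GRE header with the C bit set and a valid checksum."""
    header = struct.pack("!HH", GRE_FLAG_CHECKSUM_PRESENT, protocol_type)
    # With C set, a 2-byte checksum and a 2-byte reserved field follow the 4-byte header.
    draft = header + b"\x00\x00\x00\x00" + payload
    return header + struct.pack("!HH", gre_checksum(draft), 0) + payload


def verify_gre(gre: bytes) -> dict:
    """Return a sniffer-style verdict: checksum present or not, found vs. expected value."""
    flags, proto = struct.unpack("!HH", gre[:4])
    if not flags & GRE_FLAG_CHECKSUM_PRESENT:
        return {"checksum_present": False, "protocol_type": proto, "status": "not-present"}
    (found,) = struct.unpack("!H", gre[4:6])
    expected = gre_checksum(gre)
    return {
        "checksum_present": True,
        "protocol_type": proto,
        "found": found,
        "expected": expected,
        "status": "good" if found == expected else "bad",
    }


def np7_action(verdict: dict, gre_csum_err: str = "drop") -> str:
    """Assumed, simplified model of the gre-csum-err setting (not NP7's real logic).

    'drop' is the only behaviour available before the setting was introduced.
    """
    if verdict["status"] != "bad":
        return "forward"
    actions = {"allow": "forward", "drop": "drop", "trap-to-host": "trap-to-host"}
    return actions[gre_csum_err]


def in_path_transform(gre: bytes) -> bytes:
    """Stand-in for the encryption device: rewrites the payload, leaves the GRE header alone."""
    return gre[:8] + bytes(b ^ 0x5A for b in gre[8:])


def demo() -> dict:
    """A good packet, then the same packet after an in-path rewrite breaks its checksum."""
    original = build_gre(0x0800, b"\x00\x01")  # constructed sample payload
    altered = in_path_transform(original)
    before, after = verify_gre(original), verify_gre(altered)
    return {
        "before": before,
        "after": after,
        "default_action": np7_action(after),  # drop
        "with_trap": np7_action(after, "trap-to-host"),
        "with_allow": np7_action(after, "allow"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running the block prints the "before" verdict as good and the "after" verdict as bad with the checksum the sniffer would say it "should be"; only the trap-to-host and allow settings let the rewritten packet reach the CPU or be forwarded, which is the decision the new CLI option exposes.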