FortiGate
naveenk (Staff)
Article Id 192196

Description

 

This article explains why FortiGate may drop TCP packets that arrive out of order: strict anti-replay checking treats a packet whose sequence number is outside the expected range as a possible replay, and therefore as a security issue.

 

Scope

 

FortiGate.

Solution


FortiOS uses TCP sequence checking to verify that a packet belongs to an existing TCP session.
By default, anti-replay protection is strict, which means that if a packet arrives with a sequence number that falls outside the expected range, FortiOS drops the packet.

 

The discarded packets may be logged in the Forward Traffic Log with the message 'replay packet(seq_check), suspicious'.

 

Strict anti-replay checking performs packet sequence checking and ICMP anti-replay checking with the following criteria:

  • The SYN, FIN, and RST bits cannot appear in the same packet.
  • FortiOS does not allow more than one ICMP error packet to pass before it receives a normal TCP or UDP packet.
  • If FortiOS receives an RST packet, it checks whether the sequence number in the RST falls within the un-ACKed data, and drops the packet if it does not.
  • For each new session, FortiOS checks whether the TCP sequence number in the SYN packet was calculated correctly and started from the correct value.
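The following is an added example, not FortiOS code and not from this article: a toy model of the strict checks listed above, run over a constructed packet trace. Packets are plain dicts (keys proto, flags, seq, payload_len, error; all assumed for the illustration), only one direction of one session is tracked, and the un-ACKed range is advanced with a hypothetical peer_ack() helper. The SYN criterion is modelled only as "a session must begin with a SYN and data must chain from ISN+1"; the article does not describe how FortiOS validates the ISN itself, so that part is not reproduced. The drop reason string is the log text quoted in the article.

```python
"""Toy model of FortiOS-style strict anti-replay checks (illustration only)."""
from dataclasses import dataclass, field
from typing import Optional

M = 2 ** 32
DROP_SEQ = "replay packet(seq_check), suspicious"  # log text from the article


def seq_between(lo: int, seq: int, hi: int) -> bool:
    """True if lo <= seq < hi in 32-bit modular sequence space."""
    return (seq - lo) % M < (hi - lo) % M


@dataclass
class Session:
    isn: Optional[int] = None   # initial sequence number seen in the SYN
    snd_una: int = 0            # oldest un-ACKed byte
    snd_nxt: int = 0            # next expected sequence number
    window: int = 65535         # accepted window beyond snd_una (assumed)
    icmp_errors: int = 0        # ICMP errors since the last normal TCP/UDP packet
    log: list = field(default_factory=list)


def check_tcp(s: Session, pkt: dict):
    flags = set(pkt["flags"])
    # Criterion 1: SYN, FIN and RST must not share a packet (modelled as any two).
    if len(flags & {"SYN", "FIN", "RST"}) > 1:
        return False, "SYN/FIN/RST combined in one packet"
    seq = pkt["seq"] % M
    if "SYN" in flags:
        if s.isn is None:                       # new session starts here
            s.isn = seq
            s.snd_una = s.snd_nxt = (seq + 1) % M
            return True, "new session"
        return (True, "retransmitted SYN") if seq == s.isn else (False, DROP_SEQ)
    if s.isn is None:
        return False, "packet without a preceding SYN"
    if "RST" in flags:
        # Criterion 3: RST sequence number must fall within the un-ACKed data.
        if seq_between(s.snd_una, seq, (s.snd_nxt + 1) % M):
            return True, "reset accepted"
        return False, DROP_SEQ
    # General sequence check: the segment must start inside the expected window.
    if not seq_between(s.snd_una, seq, (s.snd_una + s.window) % M):
        return False, DROP_SEQ
    end = (seq + pkt.get("payload_len", 0) + (1 if "FIN" in flags else 0)) % M
    if seq_between(s.snd_nxt, end, (s.snd_nxt + s.window + 1) % M):
        s.snd_nxt = end                         # advance only for new data
    return True, "in window"


def check_icmp(s: Session, pkt: dict):
    # Criterion 2: at most one ICMP error before the next normal TCP/UDP packet.
    if not pkt.get("error", False):
        return True, "icmp"
    s.icmp_errors += 1
    if s.icmp_errors > 1:
        return False, "second ICMP error before a normal TCP/UDP packet"
    return True, "icmp error accepted"


def check_udp(s: Session, pkt: dict):
    return True, "udp"


def peer_ack(s: Session, ack: int) -> None:
    """Advance the un-ACKed pointer when the peer acknowledges data (assumed helper)."""
    ack %= M
    if seq_between(s.snd_una, ack, (s.snd_nxt + 1) % M):
        s.snd_una = ack


def inspect(s: Session, pkt: dict) -> bool:
    fn = {"tcp": check_tcp, "udp": check_udp, "icmp": check_icmp}[pkt["proto"]]
    ok, reason = fn(s, pkt)
    if ok and pkt["proto"] in ("tcp", "udp"):
        s.icmp_errors = 0                       # normal packet resets the ICMP budget
    s.log.append(("pass" if ok else "drop", reason))
    return ok


def demo() -> list:
    """Constructed packet trace (not a real capture); returns the verdict log."""
    s = Session()
    trace = [
        {"proto": "tcp", "flags": {"SYN"}, "seq": 1000},
        {"proto": "tcp", "flags": {"ACK"}, "seq": 1001, "payload_len": 100},
        {"proto": "tcp", "flags": {"ACK"}, "seq": 5_000_000},            # far outside window
        {"proto": "tcp", "flags": {"SYN", "FIN", "RST"}, "seq": 1101},   # illegal flag combination
        {"proto": "icmp", "error": True},
        {"proto": "icmp", "error": True},                                 # second error in a row
        {"proto": "tcp", "flags": {"RST"}, "seq": 999},                   # RST outside un-ACKed data
        {"proto": "tcp", "flags": {"RST"}, "seq": 1050},                  # RST inside un-ACKed data
    ]
    for p in trace:
        inspect(s, p)
    return s.log


if __name__ == "__main__":
    for verdict, reason in demo():
        print(verdict, reason)
```

In the trace, the third packet is what this article is about: it is a valid-looking segment whose sequence number is outside the expected range, so it is dropped with the seq_check reason even though nothing else is wrong with it. Once the peer acknowledges data (peer_ack), a retransmission of already-acknowledged bytes also falls outside the window and is dropped the same way.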