FortiGate
psanjaykumar
Staff
Article Id 220731
Description

This article describes whether FortiGate randomizes the TCP initial sequence number (ISN) by default, under which inspection mode and security profile combination it does, and how to verify the behavior with packet captures.

 

Scope

FortiGate.

 

Solution

The behavior can be checked by taking a packet capture on the ingress interface and on the egress interface of the FortiGate at the same time and comparing the sequence number of the client's SYN on both sides.

  

If a flow-based inspection policy is used, with or without security profiles enabled, FortiGate does not randomize the TCP initial sequence number by default: the ISN chosen by the client is forwarded to the server unchanged. The policy below, with flow-based inspection and several security profiles enabled, still shows this pass-through behavior.

 

# config firewall policy
    edit 3
        set name "Internet"
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set nat enable
    next
end

 

(Screenshot PCAP2.PNG: side-by-side packet capture of the ingress and egress interfaces.)

The same sequence number is observed on the ingress and egress interfaces: the FortiGate forwarded the client's ISN without modification.

 

If a proxy-based inspection policy is used, FortiGate randomizes the TCP initial sequence number only when at least one security profile is enabled together with an SSL inspection profile, as in the following policy:

 

# config firewall policy
    edit 3
        set name "Internet"
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set nat enable
    next
end

 

(Screenshot PCAP 1.PNG: side-by-side packet capture of the ingress and egress interfaces.)

Different sequence numbers are observed on the ingress and egress interfaces: the proxy terminates the client's TCP session on the FortiGate and opens a separate session to the server with an ISN of its own.

 

Note:

If a proxy-based policy is used without any security profile enabled, or with only an SSL inspection profile enabled, FortiGate passes through the TCP sequence number chosen by the client unchanged, exactly as in flow-based inspection. In those cases the unpredictability of the ISN seen by the server depends entirely on the client's TCP stack, not on the FortiGate, so the firewall should not be relied on for ISN randomization unless a proxy-based policy with a security profile plus SSL inspection is in place.
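The comparison shown in the screenshots above can also be done from the FortiGate CLI without a GUI: run the built-in sniffer with verbosity 4 (for example diagnose sniffer packet any 'port 443' 4), which prints one line per packet with the interface, direction, endpoints, TCP flags and sequence number, and pair each client SYN seen entering on the ingress interface with the SYN leaving on the egress interface. The script below is an added example and is not part of the original article or of Fortinet's tooling. The sniffer output it parses is constructed for illustration in the verbosity-4 line format; port3 as ingress and port1 as egress follow the policy above, and the matching heuristic (pairing SYNs by server address and port, because NAT or the proxy may rewrite the client's source address and port) is an assumption of this example.

```python
import re

# Constructed sample of FortiGate sniffer output (verbosity 4 format).
# These are not real captures; the first connection shows pass-through of the
# client ISN, the second shows the ISN being rewritten by the proxy.
SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[port 443]
3.101200 port3 in 10.10.10.20.51000 -> 203.0.113.10.443: syn 1448127366
3.101255 port1 out 198.51.100.1.51000 -> 203.0.113.10.443: syn 1448127366
3.120000 port1 in 203.0.113.10.443 -> 198.51.100.1.51000: syn 2810456012 ack 1448127367
3.120030 port3 out 203.0.113.10.443 -> 10.10.10.20.51000: syn 2810456012 ack 1448127367
5.220100 port3 in 10.10.10.21.52000 -> 203.0.113.20.443: syn 987654321
5.220190 port1 out 198.51.100.1.52000 -> 203.0.113.20.443: syn 3345678901
"""

# timestamp, interface, direction, src.port -> dst.port: flags/sequence
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>.*)$"
)


def parse_syns(text):
    """Return the pure SYN packets (client-side ISNs) found in sniffer output."""
    syns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skips interfaces=[...] / filters=[...] header lines
        flags = m["flags"].split()
        # 'syn <isn>' without 'ack' is the client's SYN; SYN/ACKs carry the
        # server's ISN and are not what this check is about.
        if len(flags) < 2 or flags[0] != "syn" or "ack" in flags:
            continue
        syns.append({
            "ts": float(m["ts"]), "intf": m["intf"], "dir": m["dir"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "seq": int(flags[1]),
        })
    return syns


def compare_isns(text, ingress_intf, egress_intf):
    """Pair each ingress SYN with the next egress SYN to the same server and
    report whether the FortiGate changed the initial sequence number.

    Pairing uses only the server address and port (assumption): with
    'set nat enable' the source address changes, and a proxied session may
    also use a different source port, so the client tuple cannot be trusted.
    """
    syns = parse_syns(text)
    ingress = [s for s in syns if s["intf"] == ingress_intf and s["dir"] == "in"]
    egress = [s for s in syns if s["intf"] == egress_intf and s["dir"] == "out"]
    results = []
    for c in ingress:
        match = next(
            (e for e in egress
             if (e["dst"], e["dport"]) == (c["dst"], c["dport"]) and e["ts"] >= c["ts"]),
            None,
        )
        if match is not None:
            egress.remove(match)  # each egress SYN explains one ingress SYN
        results.append({
            "client": f"{c['src']}:{c['sport']}",
            "server": f"{c['dst']}:{c['dport']}",
            "client_isn": c["seq"],
            "egress_isn": match["seq"] if match else None,
            # None means no egress SYN was seen (dropped, or captured on another interface)
            "randomized": (match["seq"] != c["seq"]) if match else None,
        })
    return results


if __name__ == "__main__":
    for r in compare_isns(SNIFFER_OUTPUT, "port3", "port1"):
        verdict = {True: "ISN rewritten", False: "ISN passed through", None: "no egress SYN"}
        print(f"{r['client']} -> {r['server']}: client ISN {r['client_isn']}, "
              f"egress ISN {r['egress_isn']} ({verdict[r['randomized']]})")
```

Run it against real sniffer output saved to a file by replacing SNIFFER_OUTPUT with the file contents; a flow-based policy should report every connection as passed through, and a proxy-based policy with a security profile plus SSL inspection should report them as rewritten.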