This article describes whether a FortiGate randomizes the TCP initial sequence number (ISN) by default, and which policy settings change that behavior.
Scope
FortiGate.
This behavior can be verified by taking a packet capture on the ingress and the egress interface of the FortiGate and comparing the sequence number of the same SYN on both sides.
If a flow-based inspection mode policy is used, with or without any security profile enabled, the FortiGate does not randomize the TCP initial sequence number by default.
# config firewall policy
    edit 3
        set name "Internet"
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set nat enable
    next
end
With this policy, the same sequence number is observed on the ingress and egress interfaces.
If a proxy-based inspection mode policy is used, the FortiGate needs at least one security profile enabled together with SSL inspection before it randomizes the TCP initial sequence number.
# config firewall policy
    edit 3
        set name "Internet"
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set nat enable
    next
end
With this policy, a randomized sequence number is observed: the ISN on the egress interface differs from the one on the ingress interface.
Note:
If a proxy-based policy is used without any security profile enabled, or with only SSL inspection enabled, the FortiGate keeps the same TCP sequence number that the client machine provided.
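To make the ingress/egress comparison described above systematic, here is an added example (not part of the Fortinet article) that pairs SYN packets from two sniffer-style captures by destination socket and reports per flow whether the client's ISN was preserved or rewritten. The line format and all sample lines are constructed assumptions modelled on verbose sniffer output, not a real capture; pairing on the destination socket is needed because the policy above enables source NAT.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of "diagnose sniffer packet" verbose output
# (format assumed, not a real capture). NAT is enabled in the article's policy, so
# the egress SYN has a translated source; flows are paired on the destination socket.
INGRESS = """\
1.001 port3 in 10.10.10.5.51234 -> 203.0.113.10.443: syn 2981512373
1.502 port3 in 10.10.10.6.40001 -> 203.0.113.20.80: syn 1653788962
"""
EGRESS_FLOW = """\
1.002 port1 out 198.51.100.1.51234 -> 203.0.113.10.443: syn 2981512373
1.503 port1 out 198.51.100.1.40001 -> 203.0.113.20.80: syn 1653788962
"""
EGRESS_PROXY = """\
1.002 port1 out 198.51.100.1.7132 -> 203.0.113.10.443: syn 4021667810
1.503 port1 out 198.51.100.1.7133 -> 203.0.113.20.80: syn 88213604
"""

# timestamp interface direction src.port -> dst.port: syn <isn>
SYN_RE = re.compile(r"^\s*[\d.]+\s+\S+\s+(?:in|out)\s+[\d.]+\.\d+ -> "
                    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): syn (?P<seq>\d+)")

def parse_syns(text):
    """Return (dst_ip, dst_port, isn) for every SYN line, in capture order."""
    out = []
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if m:
            out.append((m["dst"], int(m["dport"]), int(m["seq"])))
    return out

def compare_isn(ingress_text, egress_text):
    """Pair each ingress SYN with the next unmatched egress SYN to the same
    destination socket and report per flow whether the client's ISN survived
    ("passthrough") or was rewritten ("randomized"). Destination NAT would
    break this pairing, so capture without DNAT or pair flows manually."""
    egress = defaultdict(list)
    for dst, dport, isn in parse_syns(egress_text):
        egress[(dst, dport)].append(isn)
    results = {}
    for dst, dport, isn_in in parse_syns(ingress_text):
        queue = egress.get((dst, dport))
        if not queue:
            results[(dst, dport)] = "no egress SYN"
            continue
        results[(dst, dport)] = "passthrough" if isn_in == queue.pop(0) else "randomized"
    return results
```

Running `compare_isn(INGRESS, EGRESS_FLOW)` reports "passthrough" for every flow (flow-based policy), while `compare_isn(INGRESS, EGRESS_PROXY)` reports "randomized" (proxy-based policy with security profiles and SSL inspection).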
Copyright 2025 Fortinet, Inc. All Rights Reserved.