FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 196081

This article describes how to enable logging for anti-replay.

FortiGate anti-replay function can detect replayed packets as described in documentation below.

# config system global
    set anti-replay | loose | strict | disable |

Debug command '# diagnose debug flow' can show the replayed flow.

id=20085 trace_id=179 msg="vd-VDOM_VLAN1 received a packet(proto=6,
> from TO_EXTERNAL ."
id=20085 trace_id=179 msg="Find an existing session, id-00041475, original direction"
id=20085 trace_id=179 msg="replay packet, drop"                                              <----- Drop by 'replay'.

If logging of the detected replayed packets is also required, configuration 'log-invalid-packet' can be enabled.

# config log setting
    set log-invalid-packet enable                                                            <----- Default 'disable'

After this is enabled, if a replayed packet is received (such as by replaying packet below), forward traffic log will have logging of 'replay_packet(seq_check)' as shown below.


This can also increase the amount of logging displayed and loading on the system.
Also 'log-invalid-packet' will also enable logging for other types of invalid packets.
So these factors also need to be considered when enabling 'log-invalid-packet'.

Related Articles

Technical Note: How to get log messages for packets dropped due to anti-spoofing