Created on 06-01-2020 11:44 PM Edited on 05-26-2022 09:28 AM By Anonymous
Description
This article describes how to enable logging for anti-replay.
Solution
The FortiGate anti-replay function detects replayed packets by checking TCP sequence numbers against the window the existing session expects (strict or loose checking), as described in the documentation below:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/104584/replay-traffic-scenario
# config system global
    set anti-replay {disable | loose | strict}
end
The debug command '# diagnose debug flow' shows the replayed packet being matched to its existing session and then dropped:
id=20085 trace_id=179 msg="vd-VDOM_VLAN1 received a packet(proto=6, 10.10.253.9:10709->10.10.248.5:25) from TO_EXTERNAL."
id=20085 trace_id=179 msg="Find an existing session, id-00041475, original direction"
id=20085 trace_id=179 msg="replay packet, drop" <----- Dropped by anti-replay.
Anti-replay drops are not logged by default. If the detected replayed packets also need to be logged, enable 'log-invalid-packet' in the log settings:
# config log setting
    set log-invalid-packet enable <----- Default 'disable'
end
Once this is enabled, each replayed packet the FortiGate receives (for example, a captured packet re-injected onto the network) is recorded in the forward traffic log with the message 'replay_packet(seq_check)'. Note that enabling 'log-invalid-packet' also logs other kinds of invalid packets, not only replays, so filter on that message when searching for anti-replay drops.
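As an added example (not part of the original article or of any Fortinet tool), the script below shows how a SOC might pull anti-replay drops out of both sources described above: it groups 'diagnose debug flow' output by trace_id and extracts the 5-tuple and session id of every trace that ended in 'replay packet, drop', and it scans forward traffic log lines for the 'replay_packet(seq_check)' message. The debug flow sample is constructed to match the trace format shown in the article; the traffic log lines are also constructed, and apart from the 'replay_packet(seq_check)' string their key=value layout is an assumption, which is why the filter checks every field rather than a specific key.

```python
"""Spot anti-replay drops in FortiGate 'diagnose debug flow' output and in
forward traffic log lines (the latter only exist once log-invalid-packet
is enabled). Added example; sample inputs are constructed."""
import re
from collections import defaultdict

# Constructed sample modelled on the debug flow trace in the article.
# trace 179 is the replayed packet; trace 180 is a normal packet added so
# the filter has something to ignore.
DEBUG_FLOW_SAMPLE = """\
id=20085 trace_id=179 msg="vd-VDOM_VLAN1 received a packet(proto=6, 10.10.253.9:10709->10.10.248.5:25) from TO_EXTERNAL."
id=20085 trace_id=179 msg="Find an existing session, id-00041475, original direction"
id=20085 trace_id=179 msg="replay packet, drop"
id=20085 trace_id=180 msg="vd-VDOM_VLAN1 received a packet(proto=6, 10.10.253.9:10710->10.10.248.5:25) from TO_EXTERNAL."
id=20085 trace_id=180 msg="Find an existing session, id-00041476, original direction"
"""

# Constructed forward traffic log lines. Only the 'replay_packet(seq_check)'
# string comes from the article; the surrounding key=value fields are an
# assumed layout, not a verbatim FortiGate log.
TRAFFIC_LOG_SAMPLE = """\
date=2022-05-26 time=09:28:01 type="traffic" subtype="forward" vd="VDOM_VLAN1" srcip=10.10.253.9 srcport=10709 srcintf="TO_EXTERNAL" dstip=10.10.248.5 dstport=25 proto=6 action="deny" msg="replay_packet(seq_check)"
date=2022-05-26 time=09:28:02 type="traffic" subtype="forward" vd="VDOM_VLAN1" srcip=10.10.253.9 srcport=10710 srcintf="TO_EXTERNAL" dstip=10.10.248.5 dstport=25 proto=6 action="accept" msg="Accept: session close"
"""

FLOW_LINE = re.compile(r'^id=(\d+) trace_id=(\d+) msg="(.*)"$')
PACKET_MSG = re.compile(
    r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\w+)')
SESSION_MSG = re.compile(r'existing session, id-(\d+)')
REPLAY_MARK = "replay_packet(seq_check)"


def find_replay_drops(debug_flow_text):
    """Group debug flow lines by trace_id and return one record per trace
    that ended in 'replay packet, drop', with the 5-tuple, ingress
    interface and session id taken from earlier messages of that trace."""
    traces = defaultdict(list)
    for line in debug_flow_text.splitlines():
        m = FLOW_LINE.match(line)
        if m:
            traces[m.group(2)].append(m.group(3))
    drops = []
    for trace_id, msgs in traces.items():
        if not any(msg.startswith("replay packet") for msg in msgs):
            continue
        rec = {"trace_id": trace_id}
        for msg in msgs:
            p = PACKET_MSG.search(msg)
            if p:
                rec.update(proto=int(p.group(1)),
                           src=f"{p.group(2)}:{p.group(3)}",
                           dst=f"{p.group(4)}:{p.group(5)}",
                           intf=p.group(6))
            s = SESSION_MSG.search(msg)
            if s:
                rec["session"] = s.group(1)
        drops.append(rec)
    return drops


def parse_kv_log(line):
    """Parse one FortiGate-style key=value log line, honouring quoted values."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def find_replay_logs(traffic_log_text):
    """Return the parsed log records in which any field carries the
    anti-replay marker; checking every field avoids guessing which key a
    given FortiOS build puts the message in."""
    hits = []
    for line in traffic_log_text.splitlines():
        rec = parse_kv_log(line)
        if any(REPLAY_MARK in v for v in rec.values()):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for d in find_replay_drops(DEBUG_FLOW_SAMPLE):
        print("debug flow replay drop:", d)
    for h in find_replay_logs(TRAFFIC_LOG_SAMPLE):
        print("traffic log replay drop:", h["srcip"], "->", h["dstip"], h["msg"])
```

Run it against a saved debug flow capture or an exported traffic log instead of the constructed samples; the debug flow parser is the one to use on units where 'log-invalid-packet' cannot be enabled, since it needs no configuration change.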
Related Articles
Technical Note: How to get log messages for packets dropped due to anti-spoofing