Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
melkhodary
Staff
Staff

Created on ‎10-25-2022 06:28 AM Edited on ‎11-10-2022 02:16 AM By Moderator

Article Id 227845

Technical Tip: SD-WAN Cross-FortiGate TCP Sessions

Description

 

This article explains TCP session failover behavior in an SD-WAN/ADVPN scenario with 2 HUBs. In this scenario, branches access resources from both HUBs.

 

Scope

 

FortiGate setups using TCP with SD-WAN.

 

Solution

 

In the topology below, the PC behind the branch initiates a TCP connection towards the Server using Port1. As it is the preferred member in the SD-WAN rule, Port1 connects to Hub1 through IPSEC tunnel.

 

Photo 1.JPG

 

A TCP session is created normally on the branch/Hub1.

 

If Port2 becomes the preferred port in the SD-WAN rule due to an SLA change for example, the branch starts to forward the packets for this TCP session using Port2, which connects to Hub2 through another IPSEC tunnel.

 

As Hub2 is a different FortiGate device with no prior knowledge of this session, it will drop this traffic after failover as the 1st packet is not a SYN packet, which is necessary to create a new TCP session.

 

This issue can be solved by disabling TCP SYN checking on the HUBs. After, the hub will not check if the 1st packet of a TCP session is an SYN packet. This will allow session creation if the Firewall policy is correctly configured to allow traffic.

To disable TCP SYN, enable the 'tcp-session-without-syn' option.

 

If another SLA change happens on the Branch and failover passes traffic to Port1 again while the old session on Hub1 has not timed out, Hub1 will drop traffic as it checks TCP sequence numbers. This occurs because packets do not have the correct TCP sequence due to passing through Hub2 previously.

 

This issue can be solved by disabling the 'anti-replay' setting on the firewall policy level. When 'anti-replay' is disabled, FortiGate does not check the sequence numbers of TCP packets. As a result, Hub1 will still accept the packets after the session is routed back to Hub1 from Hub2 in this example.

 

Both options discussed above must be configured on the firewall policy level. To access the 'tcp-session-without-syn' setting, first enable the setting in VDOM:

 

# config system settings

set tcp-session-without-syn enable

end

 

# config firewall policy

    edit <id>

        set anti-replay disable

    set tcp-session-without-syn all

next

end

 

Photo 3.JPG

 

Note:

In this dual hub topology, these options should be enabled on both hubs. Active TCP Sessions can be routed back and forth between both of them.

While the configuration in this example disables stateful firewall inspection for TCP traffic on both hubs, this does not present a security concern: both branches still perform stateful firewall inspection for TCP traffic.

1789
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.