Description | This article describes a corner-case condition that causes TCP out-of-order packets in some deployment topologies. |
Scope | FortiGate. |
Solution |
When F5 sets up a Virtual Server that points back to a Backend Server behind FortiGate, F5 intercepts the TCP handshake between the client and the Backend Server and shortens the time difference between the 3rd TCP handshake packet ('ack') and the 1st piece of data. In some rare conditions, the two packets reach FortiGate almost at the same time.
To prevent TCP out of order, it is possible to enable delay-tcp-npu-session on the policy that is affected by the above flow.
config firewall policy
    edit <>
        set delay-tcp-npu-session enable
    next
end |
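To check whether a flow matches the condition described above before changing the policy, the gap between the handshake 'ack' and the first data packet can be measured from a capture. The following is an added example, not Fortinet code: it assumes text output from `tcpdump -tt -n` taken on the F5-facing side of the FortiGate, the sample lines are constructed, and the 50-microsecond threshold is an arbitrary assumption to tune per environment.

```python
import re

# Constructed sample in `tcpdump -tt -n` text format (not from a real capture).
SAMPLE = """\
1700000000.000100 IP 10.0.0.5.40000 > 10.0.1.10.443: Flags [S], seq 100, win 64240, length 0
1700000000.000600 IP 10.0.1.10.443 > 10.0.0.5.40000: Flags [S.], seq 500, ack 101, win 65160, length 0
1700000000.001000 IP 10.0.0.5.40000 > 10.0.1.10.443: Flags [.], ack 1, win 502, length 0
1700000000.001004 IP 10.0.0.5.40000 > 10.0.1.10.443: Flags [P.], seq 1:518, ack 1, win 502, length 517
1700000001.000100 IP 10.0.0.6.40001 > 10.0.1.10.443: Flags [S], seq 900, win 64240, length 0
1700000001.000700 IP 10.0.1.10.443 > 10.0.0.6.40001: Flags [S.], seq 700, ack 901, win 65160, length 0
1700000001.001100 IP 10.0.0.6.40001 > 10.0.1.10.443: Flags [.], ack 1, win 502, length 0
1700000001.026100 IP 10.0.0.6.40001 > 10.0.1.10.443: Flags [P.], seq 1:518, ack 1, win 502, length 517
"""

LINE = re.compile(r"^(\d+)\.(\d+) IP (\S+) > (\S+): Flags \[([^\]]+)\].*length (\d+)")

def ack_to_data_gaps(text):
    """Map (client, server) to microseconds between handshake ACK and first data."""
    state, gaps = {}, {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        sec, frac, src, dst, flags, length = m.groups()
        # Integer microseconds avoid float rounding at epoch-sized values.
        ts = int(sec) * 1_000_000 + int(frac.ljust(6, "0")[:6])
        if flags == "S":                       # 1st handshake packet
            state[(src, dst)] = ["syn", None]
        elif flags == "S.":                    # 2nd handshake packet (reverse direction)
            st = state.get((dst, src))
            if st and st[0] == "syn":
                st[0] = "synack"
        else:
            st = state.get((src, dst))
            if not st:
                continue
            if st[0] == "synack" and int(length) == 0 and "." in flags:
                st[0], st[1] = "est", ts       # 3rd handshake packet ('ack')
            elif st[0] == "synack" and int(length) > 0:
                gaps[(src, dst)] = 0           # data carried on the 'ack' itself
                del state[(src, dst)]
            elif st[0] == "est" and int(length) > 0:
                gaps[(src, dst)] = ts - st[1]  # 1st piece of data
                del state[(src, dst)]
    return gaps

def suspect_flows(text, threshold_us=50):      # threshold is an assumed value
    """Flows whose first data follows the 'ack' closely enough to race it."""
    return sorted(k for k, gap in ack_to_data_gaps(text).items() if gap < threshold_us)
```

Flows returned by `suspect_flows` are the candidates for the policy setting above; flows with a gap of several milliseconds are unlikely to be affected by this condition.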
Copyright 2025 Fortinet, Inc. All Rights Reserved.