Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pareenat
Staff
Staff

Created on ‎03-14-2022 03:59 AM

Article Id 206824

Technical Tip: Solution to prevent TCP out of order on some of deployment condition

Description This article describes corner case condition cause TCP out of order on some of deployment diagram.
Scope FortiOS.
Solution pareenat_0-1647254605799.png

 

When F5 set up Virtual Server point back to Backend Server behind FortiGate. F5 will intercept TCP handshake between client and Backend Server and shorten time different between the 3rd tcp handshake packet (‘ack’) and 1st piece of data and in some rare condition these packet will reach FortiGate almost at the same time.


When the the 3rd tcp handshake packet ('ack') get handle by CPU (slow path), the 1st data would already get accelerate by Network Processor (fast path) and will increase possibility to trigger TCP out of order between these 2 packets.

 

pareenat_1-1647254633962.png

 

In order to prevent TCP out of order, it i possible to enable delay-tcp-npu-session on policy that impact from above flow.

 

# config firewall polic

    edit <>

        set delay-tcp-npu-session enable
Labels:
7114
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.