FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pareenat
Staff
Article Id 206824
Description This article describes a corner case condition that causes TCP out-of-order packets in some deployment topologies.
Scope FortiGate.
Solution

[Image: deployment diagram]

When F5 sets up a Virtual Server pointing back to a Backend Server behind FortiGate, F5 intercepts the TCP handshake between the client and the Backend Server and shortens the time difference between the 3rd TCP handshake packet (ACK) and the 1st data segment. In some rare conditions, these two packets reach FortiGate almost at the same time.


When the 3rd TCP handshake packet (ACK) is handled by the CPU (slow path), the 1st data segment may already have been accelerated by the Network Processor (fast path), which increases the possibility of TCP out-of-order between these two packets.
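The symptom described above shows up in a capture taken on the Backend Server side as a data segment that arrives before the bare handshake ACK of the same connection (both carry the same sequence number). The following Python script is an added example, not part of the Fortinet article: it walks a constructed, tshark-like capture excerpt (sample data invented for illustration), tracks the three-way handshake per flow, flags data that precedes the initiator's ACK, and additionally classifies later segments as in-order, out-of-order (filling an earlier hole) or retransmission so that ordinary reordering elsewhere in the stream can be told apart from this handshake race.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed capture excerpt in a tshark-like column layout (sample data, not
# from the article):  frame  src -> dst  flags  seq  ack  len
# Flow 1 shows the race: frame 3 (data) arrives before frame 4 (handshake ACK).
# Flow 2 is a clean handshake followed by plain reordering (frame 10 fills a hole).
SAMPLE_CAPTURE = """\
1  10.0.0.5:41000 -> 10.0.1.10:443 SYN     1000 0    0
2  10.0.1.10:443 -> 10.0.0.5:41000 SYN-ACK 5000 1001 0
3  10.0.0.5:41000 -> 10.0.1.10:443 PSH-ACK 1001 5001 120
4  10.0.0.5:41000 -> 10.0.1.10:443 ACK     1001 5001 0
5  10.0.0.7:41002 -> 10.0.1.10:443 SYN     2000 0    0
6  10.0.1.10:443 -> 10.0.0.7:41002 SYN-ACK 7000 2001 0
7  10.0.0.7:41002 -> 10.0.1.10:443 ACK     2001 7001 0
8  10.0.0.7:41002 -> 10.0.1.10:443 PSH-ACK 2001 7001 80
9  10.0.0.7:41002 -> 10.0.1.10:443 PSH-ACK 2181 7001 100
10 10.0.0.7:41002 -> 10.0.1.10:443 PSH-ACK 2081 7001 100
"""


@dataclass
class Segment:
    frame: int
    src: str
    dst: str
    flags: frozenset
    seq: int
    ack: int
    length: int


@dataclass
class DirectionState:
    highest_end: int = -1  # highest seq+len observed so far (exclusive end)
    gaps: List[Tuple[int, int]] = field(default_factory=list)  # [start, end) holes


@dataclass
class FlowState:
    initiator: str           # side that sent the SYN
    phase: str = "syn"       # syn -> synack -> established
    dirs: Dict[str, DirectionState] = field(default_factory=dict)


def parse_line(line: str) -> Segment:
    frame, src, _arrow, dst, flags, seq, ack, length = line.split()
    return Segment(int(frame), src, dst, frozenset(flags.split("-")),
                   int(seq), int(ack), int(length))


def check_sequence(state: DirectionState, seg: Segment) -> Optional[str]:
    """Classify a data segment against bytes this direction has already sent."""
    start, end = seg.seq, seg.seq + seg.length
    if state.highest_end < 0 or start == state.highest_end:
        state.highest_end = end                         # in order
        return None
    if start > state.highest_end:
        state.gaps.append((state.highest_end, start))   # hole: loss or reordering
        state.highest_end = end
        return None
    for i, (g_start, g_end) in enumerate(state.gaps):
        if start == g_start and end <= g_end:           # fills an earlier hole
            if end == g_end:
                state.gaps.pop(i)
            else:
                state.gaps[i] = (end, g_end)
            return "out_of_order"
    return "retransmission"                             # bytes already covered


def analyze(capture: str) -> List[Tuple[int, str]]:
    """Return (frame, finding) pairs for every anomaly in the capture text."""
    flows: Dict[Tuple[str, ...], FlowState] = {}
    findings: List[Tuple[int, str]] = []
    for raw in capture.splitlines():
        if not raw.strip():
            continue
        seg = parse_line(raw)
        key = tuple(sorted((seg.src, seg.dst)))
        if "SYN" in seg.flags and "ACK" not in seg.flags:
            flows[key] = FlowState(initiator=seg.src)   # new connection attempt
            continue
        flow = flows.get(key)
        if flow is None:
            continue                                    # mid-stream flow, no handshake seen
        if "SYN" in seg.flags and "ACK" in seg.flags:
            flow.phase = "synack"
            continue
        if seg.src == flow.initiator and flow.phase == "synack":
            if seg.length > 0:
                # Payload reached the observer before the initiator's bare ACK:
                # the ordering the slow-path/fast-path split can produce.
                findings.append((seg.frame, "data_before_handshake_ack"))
            flow.phase = "established"
        if seg.length > 0:
            dstate = flow.dirs.setdefault(seg.src, DirectionState())
            verdict = check_sequence(dstate, seg)
            if verdict:
                findings.append((seg.frame, verdict))
    return findings


if __name__ == "__main__":
    for frame, kind in analyze(SAMPLE_CAPTURE):
        print(f"frame {frame}: {kind}")
```

Run against a real capture, the column layout would need to match whatever fields are exported (for example with `tshark -T fields`); the handshake check is the one that matters for this article, since the data segment and the third ACK share the same sequence number and a plain sequence-number comparison would not flag them.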

 


To prevent TCP out-of-order, it is possible to enable delay-tcp-npu-session on the firewall policy that matches the flow described above. This keeps the session on the CPU path until the three-way handshake has been processed, so the ACK and the first data segment are no longer split between the slow and fast paths.

 

config firewall policy
    edit <policy_id>
        set delay-tcp-npu-session enable
    next
end