Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jiyong
Staff
Staff

Created on ‎05-30-2023 11:11 PM Edited on ‎08-21-2025 01:26 AM

Article Id 258372

Technical Tip: Use case of 'tcp-session-without-syn' in firewall policy

Description

In an asymmetric environment, blocking occurs even though there is a firewall permit policy.
In this case, It can be solved by using the tcp-session-without-syn command.

 

Additionally, in a dual hub ADVPN setup, when SD-WAN steers the traffic via hub2, it drops the session because the packets are not part of the initial TCP three-way handshake messages.

 

This article describes how to troubleshoot it.
Scope FortiGate.
Solution

The 'tcp-session-without-syn' command is, allows the creation of a TCP session on the firewall, without checking the SYN flag on the first packet.

This means that in an asymmetric environment, if the Fortigate does not receive a SYN packet, it can create a session and allow it.
 
Example: 
 
diagnose debug console timestamp enable
diagnose debug flow filter daddr 3.3.3.3
diagnose debug flow trace start 1000
diagnose debug enable
..
..
id=20085 trace_id=138 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 1.1.1.1:62952->3.3.3.3:80) from port21. flag [R.], seq 659140411, ack 1499904319, win 0"
id=20085 trace_id=138 func=init_ip_session_common line=5995 msg="allocate a new session-5e294602"
id=20085 trace_id=138 func=vf_ip_route_input_common line=2615 msg="find a route: flag=00000000 gw-2.2.2.2 via WAN"
id=20085 trace_id=138 func=fw_forward_handler line=695 msg="Denied by TCP SYN check, drop" <----- No session.
 
Or:
 
id=65308 trace_id=601 func=print_pkt_detail line=5795 msg="vd-root:0 received a packet(proto=6, 192.168.121.93:57304->192.168.130.162:3333) tun_id=192.168.251.105 from
Test_Inet1_2_0. flag [.], seq 3065183144, ack 3328783317, win 1023"
id=65308 trace_id=601 func=rpdb_srv_match_input line=1046 msg="Match policy routing id=2: to 192.168.130.162 via ifindex-59"
id=65308 trace_id=601 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.251.126 via Test_Inet1_2_0"
id=65308 trace_id=601 func=fw_forward_dirty_handler line=393 msg="no session matched" <---
 
To disable the debug, type this command:
 
diagnose debug disable
 
From CLI :
 
config system settings
    set tcp-session-without-syn enable <----- Enable it to create the tcp-session-without-syn option in the firewall policy.
end
 
config firewall policy
    edit <policyid>
        set tcp-session-without-syn <all/data-only/disable>
end

all: Enable TCP session without SYN.
data-onlyEnable TCP session data only.
disable: Disable TCP session without SYN.

 

From GUI : 

 

tcp-session-without-syn.png

Related documents:
config system settings | FortiGate / FortiOS 7.4.0 | Fortinet Document Library
config vpn ipsec manualkey-interface | FortiGate / FortiOS 7.4.0 | Fortinet Document Library

 

21625
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.