Description | This article explains the meaning of the debug flow message 'syn with different ISN'. |
Scope | FortiGate. |
Solution |
The debug flow may show the messages msg="syn with different ISN, suspicious" and msg="anti-replay check fails, drop". This means that the FortiGate is dropping some packets as a result of its anti-replay check.
Example:
Message in debug flow:
2024-09-04 17:18:13 id=20085 trace_id=396 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=6, 10.10.194.11:40190->192.168.118.35:9090) tun_id=0.0.0.0 from port5. flag [S], seq 3922378022, ack 0, win 29200"
2024-09-04 17:18:13 id=20085 trace_id=396 func=resolve_ip_tuple_fast line=5953 msg="Find an existing session, id-25f7960d, original direction"
2024-09-04 17:18:13 id=20085 trace_id=396 func=tcp_anti_reply line=1080 msg="syn with different ISN, suspicious"
2024-09-04 17:18:13 id=20085 trace_id=396 func=ip_session_core_in line=6612 msg="anti-replay check fails, drop"
"vd-root:0 received a packet(proto=6, 10.10.194.11:40190->192.168.118.35:9090)" <----- The FortiGate has received a TCP packet (protocol 6) from IP address 10.10.194.11, port 40190, to IP address 192.168.118.35, port 9090.
"from port5" <----- The packet is arriving through interface port5.
"flag [S]" <----- This is a SYN packet, the first packet of the TCP three-way handshake, used to initiate a new connection.
"seq 3922378022, ack 0, win 29200" <----- Contains the sequence number (seq), the acknowledgement number (ack), which is 0 in this case (as is typical for the first SYN of a connection), and the TCP window size.
"Find an existing session, id-25f7960d, original direction" <----- The system finds an existing session with ID 25f7960d that matches the original direction of communication. This indicates that there was already an active connection between these two IPs and ports.
"syn with different ISN, suspicious" <----- The FortiGate detects that a SYN packet has been received with a different Initial Sequence Number (ISN) than expected for the existing session. This is unusual because a SYN is normally used only to start a new connection, and a different sequence number could indicate a tampering attempt or an attack, such as a session hijacking attempt.
"anti-replay check fails, drop" <----- The packet does not pass the anti-replay check, meaning that the device considers it an illegitimate retransmission or an attempt to replay a packet that has already been processed.
As a security measure, the packet is dropped.
This log shows that the device has received a SYN packet for a TCP connection that already existed, but the packet contains a different sequence number than expected. This is considered suspicious and possibly indicative of an attack (such as a session hijacking attack). Because the packet fails the security checks (including the anti-replay check), it is dropped to prevent a possible compromise of the existing session.
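As an added example (not part of the Fortinet article), the following Python script parses debug flow lines of the form shown above and reports each trace_id in which a SYN matched an existing session with a different ISN and was then dropped by the anti-replay check. The sample input is the excerpt above; the output field names (src, dst, iface, seq, session_id) are my own choice.

```python
import re
from collections import defaultdict

# Constructed sample: the four debug flow lines from the article, one message per line.
SAMPLE_DEBUG_FLOW = """\
2024-09-04 17:18:13 id=20085 trace_id=396 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=6, 10.10.194.11:40190->192.168.118.35:9090) tun_id=0.0.0.0 from port5. flag [S], seq 3922378022, ack 0, win 29200"
2024-09-04 17:18:13 id=20085 trace_id=396 func=resolve_ip_tuple_fast line=5953 msg="Find an existing session, id-25f7960d, original direction"
2024-09-04 17:18:13 id=20085 trace_id=396 func=tcp_anti_reply line=1080 msg="syn with different ISN, suspicious"
2024-09-04 17:18:13 id=20085 trace_id=396 func=ip_session_core_in line=6612 msg="anti-replay check fails, drop"
"""

# key=value pairs; a quoted value (msg="...") is consumed whole so the key=value
# tokens inside the message text (proto=6, tun_id=...) are not split out.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
PKT_RE = re.compile(r'proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) .* from (\w+)\. flag \[(\w+)\], seq (\d+)')
SESSION_RE = re.compile(r'session, id-([0-9a-f]+)')

def parse_line(line):
    """Split one debug flow line into its timestamp and key=value fields."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[19:])}
    fields["timestamp"] = line[:19]
    return fields

def find_anti_replay_drops(text):
    """Group lines by trace_id and return one finding per trace that shows both
    'syn with different ISN' and 'anti-replay check fails'."""
    traces = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_line(line)
            traces[rec.get("trace_id")].append(rec)
    findings = []
    for trace_id, recs in traces.items():
        msgs = [r.get("msg", "") for r in recs]
        if not any("syn with different ISN" in m for m in msgs):
            continue
        if not any("anti-replay check fails" in m for m in msgs):
            continue
        finding = {"trace_id": trace_id, "timestamp": recs[0]["timestamp"]}
        for m in msgs:
            pkt = PKT_RE.search(m)  # the print_pkt_detail line carries the 5-tuple
            if pkt:
                finding.update(proto=int(pkt[1]), src=f"{pkt[2]}:{pkt[3]}",
                               dst=f"{pkt[4]}:{pkt[5]}", iface=pkt[6],
                               flags=pkt[7], seq=int(pkt[8]))
            sess = SESSION_RE.search(m)  # the resolve_ip_tuple_fast line carries the session id
            if sess:
                finding["session_id"] = sess[1]
        findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in find_anti_replay_drops(SAMPLE_DEBUG_FLOW):
        print(f)
```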
Related articles:
Technical Note: How anti-replay works and sniffer usage for testing
Technical Tip: Anti-Replay option support per-policy
FortiGate FortiOS 7.6.0 Administration Guide - Debugging the packet flow |
Copyright 2024 Fortinet, Inc. All Rights Reserved.