jaym222
New Contributor

Disabling Stateful Packet Inspection

Hello

 

I have a FortiGate 60B that needs to have SPI disabled as part of a test. Are these the right commands in the CLI to make that happen:

 

config system settings
set asymroute enable
end

 

Also, if you enter this command, what kind of impact would it have on current traffic? Does the FW require a reboot?

 

Thanks

Jay

1 Solution
Luiz_Alberto_Camilo

Hi, 

 

To enable / disable the stateful function, just go to:

 

config system settings

set asymroute disable (or enable) 

end

 

To see this working, use diag debug flow. 

 

diag debug flow filter (do some filter for source or any other filter you'd like) 

diag debug flow show console enable

diag debug flow show function-name enable 

diag debug enable

diag debug flow trace start 200 <== to capture 200 packets 

 

To better understand the output above, see "Life of a packet" documentation. 

 

I hope it helps. 

Luiz Alberto Camilo NCT São Paulo www.nct.com.br NSE-5 Expert

emnoc
Esteemed Contributor III

ANS

 

yes that's the command

 

and

 

No, you don't need to reboot

 

 

PCNSE 

NSE 

StrongSwan  

Luiz_Alberto_Camilo

Jay, 

 

Look for the "stateful inspection" function of a firewall ... you're disabling it. 

This also directly impacts the "reverse path check" of the routing process.

If your firewall is in transparent mode, it'll have an impact there too.

Do some research on the keywords above before making your decision.

Luiz Alberto Camilo NCT São Paulo www.nct.com.br NSE-5 Expert

jaym222

Thanks for the feedback.  I am not in transparent mode.  After our testing, if moving to stateless does not resolve our issue, I will revert back.

Abdulaziz_Alatar

Hi, I want to test the firewall stateful and stateless. How can I see this? And I can see the session table with denied packets after enabling ses-denied-traffic.

yjohn

The current setup shows nothing. Does this default mean disabled or enabled?

 

(settings) # show
config system settings
end
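An added audit helper, not from the thread or from Fortinet: it parses a FortiGate configuration dump, reports the effective asymroute value per VDOM, and flags VDOMs where stateful inspection has been switched off. FortiOS `show` prints only non-default values and asymroute defaults to `disable`, so an empty `config system settings` block like the one in the last reply means stateful inspection is still active; the sample configuration below is constructed.

```python
from typing import Dict, List

# Constructed sample (not from a real device): VDOM 'root' has asymroute
# enabled, i.e. stateful inspection off; VDOM 'test' is left at the default.
SAMPLE_CONFIG = """\
config vdom
edit root
config system settings
    set asymroute enable
    set ses-denied-traffic enable
end
next
edit test
config system settings
end
next
end
"""

def parse_system_settings(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {vdom: {key: value}} for every 'config system settings' block.
    A config without 'config vdom' wrappers is reported under VDOM 'root';
    only 'edit' lines directly inside 'config vdom' switch the VDOM."""
    result: Dict[str, Dict[str, str]] = {}
    stack: List[str] = []  # enclosing 'config ...' block names
    vdom = "root"
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line)
            if line == "config system settings":
                result.setdefault(vdom, {})
        elif line == "end" and stack:
            stack.pop()
        elif line.startswith("edit ") and stack and stack[-1] == "config vdom":
            vdom = line[5:].strip().strip('"')
        elif line.startswith("set ") and stack and stack[-1] == "config system settings":
            key, _, value = line[4:].partition(" ")
            result[vdom][key] = value.strip().strip('"')
    return result

def asymroute_status(config_text: str) -> Dict[str, str]:
    """Effective asymroute per VDOM; an absent key means the factory default."""
    return {v: s.get("asymroute", "disable")
            for v, s in parse_system_settings(config_text).items()}

def vdoms_without_stateful_inspection(config_text: str) -> List[str]:
    """VDOMs where asymroute is enabled, i.e. stateful inspection is bypassed."""
    return sorted(v for v, s in asymroute_status(config_text).items() if s == "enable")
```

Run it against the output of `show system settings` (or `show full-configuration` if you want the defaults printed explicitly) to confirm which VDOMs still have stateful inspection active.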
