Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Akmostafa
New Contributor III

Antireply when traffic enters and leaves the same interaface

Hello Team,

 

I have been reviewing the below technical tip and I am concerned about the last point in the article talking about disabling anti-replay:

 

Technical Tip: Traffic handled by FortiGate for pa... - Fortinet Community

 

I believe that replay scenarios are like when a packet is received twice on different interfaces or when a packet with out-of-range sequence number is received while it belongs to an opened session, or the other scenarios described below:

 

Replay traffic scenario (fortinet.com)

Technical Note: How anti-replay works and sniffer ... - Fortinet Community

 

I have also testing configuring a scenario where traffic enters and leaves the Fortigate on the same interface, with a firewall policy to allow this traffic, and I did not have to disable anti-replay. So why it is mentioned here that traffic would be dropped unless anti-replay is disabled?

 

Technical Tip: Traffic handled by FortiGate for pa... - Fortinet Community

 

 

2 REPLIES 2
kaman
Staff
Staff

When the global anti-replay option is disabled, the FortiGate does not check TCP flags in packets. The per-policy anti-replay option overrides the global setting. This allows you to control whether or not TCP flags are checked per policy.

 

Please refer to the below documents for more detailed information:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Anti-replay-per-policy-when-FortiGate-is-i...
https://community.fortinet.com/t5/FortiGate/Technical-Note-How-anti-replay-works-and-sniffer-usage-f...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Anti-Replay-option-support-per-policy/ta-p...

Akmostafa
New Contributor III

Thanks Kaman,

 

This has been a quite clarification from you.

 

However, I am asking about how anti-replay is relevant to the case where traffic enters and leaves Fortiagate on the same interface.

Technical Tip: Traffic handled by FortiGate for pa... - Fortinet Community

It is mentioned in the KB that anti-replay should be disabled. However, I have tested the scenario without disabling the anti-replay and it worked fine.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors