Hello Team,
I have been reviewing the below technical tip and I am concerned about the last point in the article talking about disabling anti-replay:
Technical Tip: Traffic handled by FortiGate for pa... - Fortinet Community
I believe that replay scenarios are like when a packet is received twice on different interfaces or when a packet with out-of-range sequence number is received while it belongs to an opened session, or the other scenarios described below:
Replay traffic scenario (fortinet.com)
Technical Note: How anti-replay works and sniffer ... - Fortinet Community
I have also tested configuring a scenario where traffic enters and leaves the FortiGate on the same interface, with a firewall policy to allow this traffic, and I did not have to disable anti-replay. So why is it mentioned here that traffic would be dropped unless anti-replay is disabled?
Technical Tip: Traffic handled by FortiGate for pa... - Fortinet Community
When the global anti-replay option is disabled, the FortiGate does not check TCP flags in packets. The per-policy anti-replay option overrides the global setting. This allows you to control whether or not TCP flags are checked per policy.
Please refer to the below documents for more detailed information:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Anti-replay-per-policy-when-FortiGate-is-i...
https://community.fortinet.com/t5/FortiGate/Technical-Note-How-anti-replay-works-and-sniffer-usage-f...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Anti-Replay-option-support-per-policy/ta-p...
Thanks Kaman,
This has been quite a clarification from you.
However, I am asking about how anti-replay is relevant to the case where traffic enters and leaves the FortiGate on the same interface.
Technical Tip: Traffic handled by FortiGate for pa... - Fortinet Community
It is mentioned in the KB that anti-replay should be disabled. However, I have tested the scenario without disabling the anti-replay and it worked fine.