Hello
I have a Fortigate 60B that needs to have SPI disabled as part of a test. Are these the right commands in CLI to make that happen:
config system settings
set asymroute enable
end
Also, If you enter this command, what kind of impact would it have on current traffic? Does the FW require a reboot?
Thanks
Jay
Created on 09-12-2016 06:27 AM
Hi,
To enable / disable the stateful function, just go to :
config system settings
set asymroute disable (or enable)
end
To see this working, use diag debug flow.
diag debug flow filter (do some filter for source or any other filter you'd like)
diag debug flow show console enable
diag debug flow show function-name enable
diag debug enable
diag debug flow trace start 200 <== to capture 200 packets
To better understand the output above, see "Life of a packet" documentation.
I hope it helps.
Luiz Alberto Camilo NCT São Paulo www.nct.com.br NSE-5 Expert
ANS
yes that's the command
and
No, you don't need to reboot
PCNSE
NSE
StrongSwan
Jay,
Look for the "stateful inspection" function of a firewall ... you're disabling it.
This directly impacts the "reverse path check" of the routing process as well.
If your firewall is in transparent mode, it'll have an impact there also.
Do some research on the keywords above before taking your decision.
Luiz Alberto Camilo NCT São Paulo www.nct.com.br NSE-5 Expert
Thanks for the feedback. I am not in transparent mode. After our testing, if moving to stateless does not resolve our issue, I will revert back.
Hi, I want to test the firewall stateful and stateless. How can I see this? And can I see the session table with denied packets after enabling ses-denied-traffic?
Current setup has nothing. Does this default mean disabled or enabled?
(settings) # show
config system settings
end
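As an added example (not from this thread or from Fortinet), the check below parses a FortiOS config dump for the `config system settings` block discussed above and reports whether stateful inspection is off. It assumes, as the thread's "nothing set" output suggests, that an absent `asymroute` key means the FortiOS default of `disable`; the sample config text is constructed.

```python
import re
from typing import Dict, Optional

# Constructed sample: a config dump where asymroute has been switched on.
SAMPLE_ASYMROUTE_ON = """\
config system global
    set hostname "FG60B-TEST"
end
config system settings
    set asymroute enable
    set ses-denied-traffic enable
end
"""

# Constructed sample matching the poster's output: no explicit setting at all.
SAMPLE_EMPTY = """\
config system settings
end
"""


def parse_block(config_text: str, block_name: str) -> Dict[str, str]:
    """Return the `set key value` pairs of the first top-level `config <block_name>` ... `end`."""
    settings: Dict[str, str] = {}
    inside = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not inside:
            inside = line == f"config {block_name}"
            continue
        if line == "end":
            break
        m = re.match(r"^set\s+(\S+)\s+(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings


def audit_stateful_inspection(config_text: str) -> Dict[str, Optional[object]]:
    """Flag a config whose asymroute setting turns stateful inspection off."""
    settings = parse_block(config_text, "system settings")
    # Assumption: a missing key means the FortiOS default, "disable".
    asymroute = settings.get("asymroute", "disable")
    stateful = asymroute != "enable"
    finding = None if stateful else (
        "asymroute enabled: stateful inspection and reverse-path checks are off")
    return {"asymroute": asymroute, "stateful_inspection": stateful, "finding": finding}
```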