Hi All,
Sorry, my first post here, and forgive me if this has already been asked earlier.
What will the firewall do if it receives a SYN, ACK (half-open session) packet, or subsequent packets for an already established session, on a different interface (not the one where the packet was sent out)?
Thanks,
Myky
It would drop it unless asymmetrical routing was enabled. Google stateful-inspection firewall, which is what any FortiGate does, or any modern UTM/NGFW.
Ken Felix
PCNSE
NSE
StrongSwan
Ok perfect, so similar logic that Palo does:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClReCAK
Cheers
Ok, thanks. So packet check per-interface, not per zone.
Hmm.. It looks like not all UTM/NGFW behave the same way:
The firewall is zone-based, which means that for all received packets during the session creation and subsequent packets, a source zone lookup will occur before moving to the next step of matching an existing session. So if both the interfaces are placed in the same zone, they will be treated as the same area and asymmetry will not be applied within the same zone. This way, the asymmetry protection does not need to be disabled.
Unlike Palo Alto's "zone", FGT's "zone" is not a necessary object, more like an alias. You can use it in policies but you don't have to. It still routes per interface, and if packets come in one interface and go out another interface it's considered "asymmetric" regardless of whether they are members of one zone.
Are you using zones? I believe you have an option for an allow action per each zone that's defined; that is something you can look at. I still believe interface and asymmetrical checks will still be implied.
Ken Felix
PCNSE
NSE
StrongSwan
Thanks guys! I see that the function of "zone" is a bit different from Palo. Anyway, I just needed to know if FG will behave the same way or not. Cheers!
Created on 02-27-2024 02:09 PM Edited on 02-27-2024 02:12 PM
If traffic egresses port1 and return traffic comes in on port2 and ECMP routes exist (and policy), then the session gets "dirty". When a session is "dirty" it gets re-evaluated by the CPU (instead of offloaded) and the session gets refreshed: https://docs.fortinet.com/document/fortigate/7.0.2/administration-guide/14295/controlling-return-pat....
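The difference discussed in this thread (return-path check per interface versus per zone) as an added example that is not part of any post and is not vendor code. It is a simplified model: the interface names, zone names, addresses and the `allow_asym` switch are assumptions, and the ECMP "dirty session" re-evaluation mentioned in the last reply is not modelled.

```python
from dataclasses import dataclass

# Constructed topology (hypothetical names): interface -> zone
ZONES = {"port1": "untrust", "port2": "untrust", "port3": "trust"}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "SYN", "SYN-ACK" or "ACK"
    in_if: str   # interface the packet arrived on

class SessionTable:
    def __init__(self, match_on="interface", allow_asym=False):
        self.match_on = match_on      # "interface" or "zone"
        self.allow_asym = allow_asym  # model of an "allow asymmetric routing" switch
        self.sessions = {}            # flow -> (client-side if, server-side if)

    def open(self, syn, out_if):
        """Record a session for a SYN that policy allowed out of out_if."""
        self.sessions[(syn.src, syn.sport, syn.dst, syn.dport)] = (syn.in_if, out_if)

    def _expected_if(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.sessions:
            return self.sessions[fwd][0]   # original direction
        if rev in self.sessions:
            return self.sessions[rev][1]   # reply direction
        return None

    def check(self, p):
        """Verdict for a non-initial packet: 'accept', 'accept-asym' or 'drop'."""
        expected = self._expected_if(p)
        if expected is not None:
            if self.match_on == "zone":
                same = ZONES[expected] == ZONES[p.in_if]
            else:
                same = expected == p.in_if
            if same:
                return "accept"
        # No session, or the session is bound to another interface/zone
        return "accept-asym" if self.allow_asym else "drop"

def demo(match_on, allow_asym=False):
    fw = SessionTable(match_on, allow_asym)
    fw.open(Packet("10.0.0.5", 40000, "203.0.113.10", 443, "SYN", "port3"), "port1")
    # Reply comes back on port2 instead of port1 (same zone, different interface)
    return fw.check(Packet("203.0.113.10", 443, "10.0.0.5", 40000, "SYN-ACK", "port2"))
```

`demo("interface")` gives the per-interface verdict described for FortiGate, `demo("zone")` the same-zone verdict quoted from the Palo Alto article, and `demo("interface", True)` shows that relaxing the check lets the packet through without a matching session binding.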