Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
arie_arie
New Contributor III

Risk of enable TCP Session Without Syn

Hi,

 

I need to understand the risks of enabling tcp-session-without-syn for asymmetric environment. Can someone help to explain to me all the risks if I enable this?

 

Thank you

 

2 Solutions
ozkanaltas
Valued Contributor III

Hello @arie_arie ,

 

Normally, a TCP session starts with a three-way handshake, beginning with a SYN (synchronize) packet. This ensures both sides are aware of the connection and establishes initial sequence numbers for data transmission.Enabling "tcp-session-without-syn" is risky because it bypasses the normal SYN packet handshake in TCP connections. This makes it easier for attackers to hijack sessions, perform replay attacks, confuse connection states, and bypass security measures, thereby compromising network security.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW

View solution in original post

If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
AEK
SuperUser
SuperUser

Hi Arie

In addition to Atlas' explanation, please check this two tech tips.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-the-FortiGate-behaves-when-asymmetric-...


https://community.fortinet.com/t5/FortiGate/Technical-Tip-Understanding-the-routing-decision-regardi...

 

Also let me add, if you need to enable asymmetric routing this should mean that your design still needs improvement because you don't have full control on security.

At lease try use FGSP and/or auxiliary sessions that give more security control comparing with asymmetric sessions.

AEK

View solution in original post

AEK
6 REPLIES 6
ozkanaltas
Valued Contributor III

Hello @arie_arie ,

 

Normally, a TCP session starts with a three-way handshake, beginning with a SYN (synchronize) packet. This ensures both sides are aware of the connection and establishes initial sequence numbers for data transmission.Enabling "tcp-session-without-syn" is risky because it bypasses the normal SYN packet handshake in TCP connections. This makes it easier for attackers to hijack sessions, perform replay attacks, confuse connection states, and bypass security measures, thereby compromising network security.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
AEK
SuperUser
SuperUser

Hi Arie

In addition to Atlas' explanation, please check this two tech tips.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-the-FortiGate-behaves-when-asymmetric-...


https://community.fortinet.com/t5/FortiGate/Technical-Tip-Understanding-the-routing-decision-regardi...

 

Also let me add, if you need to enable asymmetric routing this should mean that your design still needs improvement because you don't have full control on security.

At lease try use FGSP and/or auxiliary sessions that give more security control comparing with asymmetric sessions.

AEK
AEK
arie_arie
New Contributor III

Hi,

 

How about the UTM inspection in FortiGate? does the UTM inspection still work when enabling tcp-session-without-syn?

 

Thank you

AEK

I don't think so. Without SYN there should be no UTM inspection for that sessions.

AEK
AEK
arie_arie
New Contributor III

Hi,

Thank you for the insight about the feature risk.

 

If I have 1 FortiGate with 2 uplinks to ISP, where the traffic outgoing to ISP-1 and return traffic going to ISP-2, do I need to enable tcp-session-without-syn to prevent traffic drop of different interface in FortiGate?

 

Thank you

AEK

You may enable auxiliary sessions, this will keep UTM in this case.

There any many tech tips about auxiliary sessions but you can start here.

https://docs.fortinet.com/document/fortigate/6.2.0/new-features/14295/controlling-return-path-with-a...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-SD-WAN-Auxiliary-Sessions/ta-p/229467

 

AEK
AEK
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors