TCP timestamp stripping
Stripping the TCP timestamp from traffic that passes through the firewall is becoming a more frequent request as it is showing up on various vulnerability scans. I see that some security appliances have a command that specifically strips the timestamp value from TCP, but I have been unable to find something similar in the Fortigate.
Does anyone know of a command that will accomplish this or is there a way to do this with application control?
Labels: 5.2
I have never seen that function in a Fortigate. Cisco ASA has had this function for numerous years now, along with TCP fixup from MSS to another value. Have you looked at the full show CLI command under the firewall policies for a policy?
If you don't find it, then request the feature; you can make a business case or feature reason for it, and maybe FTNT will offer this in some future build.
PCNSE
NSE
StrongSwan
This is an old function; you can use the below:
    config system global
        set tcp-option disable
    end
This will no longer allow TCP timestamps from showing up.
jintrah wrote:
> This is an old function, you can use below,
> config system global
> set tcp-option disable
> end
> This will no longer allow TCP timestamps from showing up.

I believe that will just stop the Fortigate itself from generating TCP timestamps; it won't strip them from forwarded packets. Or am I not reading this right?
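One way to settle the question raised in the last reply is to capture the same connection on both sides of the firewall and check whether the forwarded segment still carries the TCP timestamp option (kind 8, RFC 7323). The parser below is an added example, not part of the thread and not Fortinet code; the sample headers are constructed, and the stripped form assumes the device overwrites the option with NOP padding.

```python
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_TIMESTAMP = 0, 1, 8  # TCP option kinds

def parse_tcp_options(tcp_header: bytes):
    """Return [(kind, value_bytes)] from a raw TCP header (IP header removed)."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_header[12] >> 4) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts, i = [], 20
    while i < data_offset:
        kind = tcp_header[i]
        if kind == TCPOPT_EOL:                       # end of option list
            break
        if kind == TCPOPT_NOP:                       # single-byte padding
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("option missing length byte")
        length = tcp_header[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("bad option length")
        opts.append((kind, tcp_header[i + 2:i + length]))
        i += length
    return opts

def timestamp_values(tcp_header: bytes):
    """Return (TSval, TSecr) if the timestamp option is present, else None."""
    for kind, value in parse_tcp_options(tcp_header):
        if kind == TCPOPT_TIMESTAMP and len(value) == 8:
            return struct.unpack("!II", value)
    return None

# Constructed sample SYN headers: ports, sequence number and TSval are made up.
def build_syn(options: bytes) -> bytes:
    offset = (20 + len(options)) // 4                # data offset in 32-bit words
    return struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0, offset << 4, 0x02, 64240, 0, 0) + options

MSS = bytes([2, 4]) + struct.pack("!H", 1460)
TS = bytes([1, 1, 8, 10]) + struct.pack("!II", 123456789, 0)   # NOP, NOP, timestamp
SYN_BEFORE = build_syn(MSS + TS)                     # as sent by the client
SYN_STRIPPED = build_syn(MSS + bytes([1] * 12))      # assumed post-strip form: NOP padding
```

If `timestamp_values` returns a tuple for the segment captured on the far side of the firewall, the option was forwarded unchanged.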
