Stripping the tcp timestamp from traffic that passes through the firewall is becoming a more frequent request as it is showing up on various vulnerability scans. I see that some security appliances have a command that specifically strips the timestamp value from TCP but I have been unable to find something similar in the Fortigate.
Does anyone know of a command that will accomplish this or is there a way to do this with application control?
I have never seen that function in a FortiGate. Cisco ASA has had this function for numerous years now, along with TCP fixup from MSS to another value. Have you looked at the full show CLI command under the firewall policies for a policy?
If you don't find it, then request the feature; you can make a business case or feature reason for it, and maybe FTNT will offer this in some future build.
PCNSE
NSE
StrongSwan
This is an old function, you can use below,
config system global
    set tcp-option disable
end
This will no longer allow TCP timestamps from showing up.
jintrah wrote:
This is an old function, you can use below,
config system global
    set tcp-option disable
end
This will no longer allow TCP timestamps from showing up.

I believe that will just stop the Fortigate itself from generating tcp timestamps, it won't strip them from forwarded packets. Or am I not reading this right?
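The open question in the thread, whether forwarded packets still carry the timestamp option, can be checked by comparing the TCP header of the same SYN captured on each side of the firewall. The following is an added example, not code from any poster or from Fortinet: it parses the TCP options of a raw header and reports the Timestamps option (kind 8). The two sample headers and the "inside"/"outside" capture points are constructed for illustration.

```python
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_TIMESTAMP = 0, 1, 8  # option kinds (RFC 9293, RFC 7323)

def parse_tcp_options(tcp_header: bytes):
    """Return [(kind, data), ...] for the options of one raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    header_len = (tcp_header[12] >> 4) * 4      # data offset field, converted to bytes
    if header_len < 20 or header_len > len(tcp_header):
        raise ValueError("bad data offset")
    opts, i = [], 20
    while i < header_len:
        kind = tcp_header[i]
        if kind == TCPOPT_EOL:                  # end of option list, rest is padding
            break
        if kind == TCPOPT_NOP:                  # single-byte option, no length field
            opts.append((kind, b""))
            i += 1
            continue
        if i + 1 >= header_len:
            raise ValueError("option length byte missing")
        length = tcp_header[i + 1]              # length covers kind + length + data
        if length < 2 or i + length > header_len:
            raise ValueError("malformed option length")
        opts.append((kind, tcp_header[i + 2:i + length]))
        i += length
    return opts

def timestamp_of(tcp_header: bytes):
    """Return (TSval, TSecr) if the Timestamps option is present, else None."""
    for kind, data in parse_tcp_options(tcp_header):
        if kind == TCPOPT_TIMESTAMP and len(data) == 8:
            return struct.unpack("!II", data)
    return None

def make_syn(options: bytes) -> bytes:
    """Build a constructed SYN header; ports, seq and window are sample values, checksum is 0."""
    options += b"\x01" * (-len(options) % 4)    # pad with NOPs to a 32-bit boundary
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                       ((20 + len(options)) // 4) << 4, 0x02, 64240, 0, 0) + options

# Constructed samples: one SYN as it would look with and without option 8.
MSS = b"\x02\x04\x05\xb4"
TS = b"\x08\x0a" + struct.pack("!II", 123456789, 0)
SYN_INSIDE = make_syn(MSS + b"\x01\x01" + TS)
SYN_OUTSIDE = make_syn(MSS)

for name, pkt in (("inside", SYN_INSIDE), ("outside", SYN_OUTSIDE)):
    print(name, "timestamp:", timestamp_of(pkt))
```

If the header captured past the firewall still returns a `(TSval, TSecr)` pair for forwarded connections, the option is not being stripped in transit, whatever the device does for its own traffic.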