Hi Guys,
Is there any chance to enable `timeout-sent-rst` globally, not only for specific policies? I am asking because we have a zone containing a lot of interfaces, and we don't have rules between them because `intrazone allow` is configured.
http://kb.fortinet.com/kb....do?externalID=FD35049
It's FortiGate-600D.
Many thanks.
Daniel
config system global
set reset-sessionless-tcp enable
end
Explanation from the CLI guide:
The reset-sessionless-tcp command determines what action the FortiGate unit performs if it receives a TCP packet but cannot find a corresponding session in its session table. This happens most often because the session has timed out. In most cases you should leave reset-sessionless-tcp set to disable (the default). When this command is set to disable, the FortiGate unit silently drops the packet. The packet originator does not know that the session has expired and might re-transmit the packet several times before attempting to start a new session. Enabling this option may help resolve issues with a problematic server, but it can make the FortiGate unit more vulnerable to denial of service attacks. If you enable reset-sessionless-tcp, the FortiGate unit sends a RESET packet to the packet originator. The packet originator ends the current session, but it can try to establish a new session. Available in NAT/Route mode only. Default is disable.
I have never used this before, but it's maybe what you need. Please read carefully and understand the side effects of this setting.
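Because this setting is global and its default is disable, it is useful to be able to confirm from a configuration backup whether it has been turned on. The following Python is an added example, not code from this thread or from Fortinet: it walks a constructed FortiOS-style config text (the config/edit/set/next/end block structure is assumed from the CLI snippet above) and reports the effective value of reset-sessionless-tcp under config system global.

```python
# Constructed sample of a FortiOS-style config backup (not a real device
# dump); only the blocks needed to demonstrate the check are included.
SAMPLE_CONFIG = """\
config system global
    set hostname "fgt-600d-lab"
    set reset-sessionless-tcp enable
    set timezone 04
end
config firewall policy
    edit 1
        set name "intrazone-example"
        set reset-sessionless-tcp disable
    next
end
"""

def fortios_setting(config_text, path, key, default):
    """Return the value of `set <key>` inside the config block whose
    nested config path equals `path`, e.g. ("system", "global");
    `default` if the key is never set (FortiOS omits defaults)."""
    stack = []  # nesting of ("config", names) / ("edit", id) scopes
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "config":
            stack.append(("config", tuple(tokens[1:])))
        elif tokens[0] == "edit" and len(tokens) > 1:
            stack.append(("edit", tokens[1].strip('"')))
        elif tokens[0] in ("end", "next") and stack:
            stack.pop()  # `end` closes config, `next` closes edit
        elif tokens[0] == "set" and len(tokens) >= 3:
            scopes = [names for kind, names in stack if kind == "config"]
            if scopes == [tuple(path)] and tokens[1] == key:
                return tokens[2].strip('"')
    return default

def audit_reset_sessionless_tcp(config_text):
    """Report whether the FortiGate will answer TCP segments that match
    no session with a RST (per the CLI guide, default is disable)."""
    value = fortios_setting(config_text, ("system", "global"),
                            "reset-sessionless-tcp", "disable")
    enabled = value == "enable"
    note = ("sessionless TCP segments answered with RST; review DoS exposure"
            if enabled else "sessionless TCP segments silently dropped")
    return {"enabled": enabled, "value": value, "note": note}
```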
Copyright 2024 Fortinet, Inc. All Rights Reserved.