When I visit https://219.148.36.28, due to anti-DDoS device protection, the website always responds with an incorrect SYN+ACK the first time. If the client can respond with RST, it is considered normal.
When I was at the company, the FortiGate version was 4.0. When the FortiGate received the wrong SYN+ACK packet, it would discard the packet.
Now I have set up an environment to test the "anti-replay" function, referring to the CLI manual description. When anti-replay is set to strict, SYN+ACK packets with incorrect sequence numbers should be dropped. However, when I tested, the FortiGate did not drop the wrong SYN+ACK packets but forwarded them. Why doesn't it drop the wrong-seq packet? I debugged and saw a debug message saying "This can be a challenge ack packet". What does this mean?
1. My topology is as follows
2. debug info
3. FortiGate sniff
4. config system global, set anti-replay strict
5. firewall policy, set anti-replay enable
6. only one firewall policy
Hi,
This is a TCP Challenge ACK scenario. In Challenge ACK the client sends the SYN packet and the server sends an "ACK" packet. If you look at the screenshot you attached, we don't have the SYN flag set. Hence the firewall is considering this a challenge ACK. Challenge ACK is something defined in the RFC and those packets need to be allowed.
https://datatracker.ietf.org/doc/html/rfc5961
After the challenge ACK the client will send the RST packet and close the connection and then start a new one.
Regards,
Shiva
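The distinction Shiva draws above, as an added illustration that is not part of this thread and not FortiOS code: a small Python model of what a strict anti-replay check sees while the client is in SYN-SENT. A SYN+ACK whose ACK number does not match the client's SYN fails the check, but a bare ACK with no SYN flag is a challenge ACK and is forwarded so the client can answer it. The client's answer follows the RFC 793 rule for an unacceptable ACK in SYN-SENT (reply with RST, SEQ set to the segment's ACK number). The 20-byte TCP headers, ports, ISN 1000 and the ACK values are constructed sample data.

```python
import struct
from dataclasses import dataclass

# TCP fixed header: sport, dport, seq, ack, data offset byte, flags, window, csum, urg
TCP_FMT = "!HHIIBBHHH"
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class TcpSeg:
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int


def parse_tcp(raw: bytes) -> TcpSeg:
    """Parse the first 20 bytes of a TCP header (options ignored)."""
    sport, dport, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack(TCP_FMT, raw[:20])
    return TcpSeg(sport, dport, seq, ack, flags)


def build_tcp(sport: int, dport: int, seq: int, ack: int, flags: int) -> bytes:
    """Build a constructed 20-byte header; checksum left at zero (sample data only)."""
    return struct.pack(TCP_FMT, sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def classify_reply(seg: TcpSeg, client_isn: int) -> str:
    """Classify a server reply seen while the client sits in SYN-SENT."""
    expected_ack = (client_isn + 1) & 0xFFFFFFFF
    if seg.flags & RST:
        return "rst"
    if seg.flags & SYN and seg.flags & ACK:
        return "syn-ack-ok" if seg.ack == expected_ack else "syn-ack-bad-ack"
    if seg.flags & ACK and not seg.flags & SYN:
        # no SYN flag: this is a challenge ACK (RFC 5961), not a handshake reply
        return "challenge-ack"
    return "other"


def anti_replay_verdict(kind: str, strict: bool) -> str:
    """Strict mode drops a SYN+ACK whose ACK number does not match the SYN;
    a challenge ACK is always forwarded so the client can respond."""
    if kind == "syn-ack-bad-ack" and strict:
        return "drop"
    return "forward"


def client_response(seg: TcpSeg, client_isn: int):
    """RFC 793 SYN-SENT handling: unacceptable ACK -> <SEQ=SEG.ACK><CTL=RST>."""
    expected_ack = (client_isn + 1) & 0xFFFFFFFF
    if seg.flags & ACK and seg.ack != expected_ack:
        return build_tcp(seg.dport, seg.sport, seg.ack, 0, RST)
    return None


# Constructed samples: client ISN 1000, client port 40000, server port 80
CLIENT_ISN = 1000
GOOD_SYNACK = build_tcp(80, 40000, 3000, 1001, SYN | ACK)   # matches SYN
BAD_SYNACK = build_tcp(80, 40000, 3000, 5000, SYN | ACK)    # wrong ACK number
CHALLENGE_ACK = build_tcp(80, 40000, 777, 5000, ACK)        # no SYN flag


def run_demo(strict: bool = True) -> dict:
    """Return {name: (classification, firewall verdict)} for the three samples."""
    out = {}
    for name, raw in (("good", GOOD_SYNACK), ("bad", BAD_SYNACK), ("challenge", CHALLENGE_ACK)):
        kind = classify_reply(parse_tcp(raw), CLIENT_ISN)
        out[name] = (kind, anti_replay_verdict(kind, strict))
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
    rst = client_response(parse_tcp(CHALLENGE_ACK), CLIENT_ISN)
    print("client answers challenge ACK with RST seq", parse_tcp(rst).seq)
```

Running the script shows the good SYN+ACK and the challenge ACK both forwarded, the bad SYN+ACK dropped under strict mode, and the client answering the challenge ACK with an RST whose sequence number equals the bogus ACK value, which is the normal behaviour the anti-DDoS device is waiting for.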
Note that the anti-replay setting only affects non-accelerated traffic. So disable offloading in the firewall policy.
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/168164/blocking-external-probes
If logging of the detected replayed packets is also required, configuration 'log-invalid-packet' can be enabled.
# config log setting
set log-invalid-packet enable
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Logging-for-replayed-packets/ta-p/196081
Hope that helps,
Kind Regards,
Bijay Prakash Ghising
Thank you for your answer. I disabled offloading in the firewall policy, but the FortiGate still forwards the wrong SYN+ACK to the internal client.
Thank you, I get it.
Challenge-ACK is supported by FortiOS and correctly forwarded to clients since versions 6.0.13 / 6.2.10 / 6.4.6 / 7.0.2.
https://docs.fortinet.com/document/fortigate/7.0.2/fortios-release-notes/289806/resolved-issues
644225 - Challenge ACK is being dropped.
thank you