The anti-replay command sets the level of packet replay checking and TCP sequence number (SEQ) checking, which is used to confirm that a packet is valid.
By default, if a packet with a sequence number outside the expected range is received, the FortiGate discards it. This is generally the desired behaviour, because such a packet is not valid. In some cases, however, you may want to adjust the anti-replay level in order to check whether any network equipment is using non-RFC-compliant methods when sending packets.
The anti-replay level is configured as follows:
config system global
    set anti-replay {disable | loose | strict}
end
disable: Disables anti-replay checking.
loose: Checks the order of TCP and ICMP packets according to the following criteria:
- The SYN, FIN and RST bits cannot appear in the same packet.
- More than one ICMP error packet is not allowed before a normal TCP or UDP packet is received.
- If an RST packet is received and the "check-reset-range" parameter is set to "strict", the FortiGate checks whether the sequence number in the RST falls within the un-ACKed data range.
strict: Performs all of the "loose" checks and, in addition, verifies at the start of a new session that the TCP sequence number in the SYN packet is correct; it does not reset the sequence number to the correct value if it is not. This anti-replay mode also helps protect against SYN attacks.
If a packet does not pass the check, the packet is dropped.
Note: As of version 6.2, the anti-replay configuration is available. The "check-reset-range" parameter is set globally:
config system global
    set check-reset-range {disable | strict}
end
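To make the "loose" criteria and the effect of check-reset-range concrete, the following Python model runs a constructed packet trace through the three loose checks and reports which packets would be dropped. This is an added illustration written for this page, not FortiGate code; the packet and session structures, the flag bitmask layout, and the reading of "cannot appear in the same packet" as "no two of SYN, FIN, RST set together" are assumptions made for the example.

```python
"""Model of the FortiGate 'loose' anti-replay checks described above.

Constructed illustration, not Fortinet code: it classifies a sequence of
packets the way the three loose criteria plus check-reset-range describe,
so a defender can see which packets each setting would drop.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TCP flag bits (RFC 793 layout of the flags byte)
FIN, SYN, RST = 0x01, 0x02, 0x04
MOD32 = 1 << 32


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp-error" (assumed labels)
    flags: int = 0              # TCP flags bitmask, ignored for other protocols
    seq: Optional[int] = None   # TCP sequence number


@dataclass
class Session:
    rcv_nxt: int            # next sequence number expected from the peer
    rcv_wnd: int            # receive window size
    icmp_errors: int = 0    # ICMP errors seen since the last normal TCP/UDP packet


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) with 32-bit wraparound."""
    return (seq - rcv_nxt) % MOD32 < rcv_wnd


def loose_check(pkt: Packet, sess: Session,
                check_reset_range: str = "strict") -> Tuple[bool, str]:
    """Apply the 'loose' anti-replay criteria to one packet.

    Returns (accepted, reason) and updates the ICMP-error counter in sess.
    This models only the checks, not a full TCP state machine.
    """
    if pkt.proto == "icmp-error":
        sess.icmp_errors += 1
        if sess.icmp_errors > 1:
            return False, "second ICMP error before a normal TCP/UDP packet"
        return True, "first ICMP error accepted"

    # A normal TCP or UDP packet resets the ICMP-error allowance.
    sess.icmp_errors = 0

    if pkt.proto == "udp":
        return True, "udp accepted"

    # Assumption: "cannot appear in the same packet" is read as
    # "no two of SYN, FIN, RST set together".
    control_bits = bin(pkt.flags & (SYN | FIN | RST)).count("1")
    if control_bits > 1:
        return False, "illegal SYN/FIN/RST combination"

    # RST range check only applies when check-reset-range is strict.
    if pkt.flags & RST and check_reset_range == "strict":
        if pkt.seq is None or not seq_in_window(pkt.seq, sess.rcv_nxt, sess.rcv_wnd):
            return False, "RST sequence number outside the un-ACKed range"

    return True, "tcp accepted"


def run_trace(packets: List[Packet], sess: Session,
              check_reset_range: str = "strict") -> List[Tuple[bool, str]]:
    """Run a packet list through loose_check and collect the verdicts."""
    return [loose_check(p, sess, check_reset_range) for p in packets]


# Constructed trace: the peer's next expected seq is 1000 with a 4096-byte window.
TRACE = [
    Packet("tcp", flags=SYN, seq=1000),          # normal SYN
    Packet("tcp", flags=SYN | FIN, seq=1001),    # SYN+FIN: dropped
    Packet("icmp-error"),                        # first ICMP error: allowed
    Packet("icmp-error"),                        # second in a row: dropped
    Packet("udp"),                               # resets the ICMP allowance
    Packet("tcp", flags=RST, seq=90000),         # RST outside window: dropped
    Packet("tcp", flags=RST, seq=2000),          # RST inside window: allowed
]

if __name__ == "__main__":
    sess = Session(rcv_nxt=1000, rcv_wnd=4096)
    for pkt, (ok, why) in zip(TRACE, run_trace(TRACE, sess)):
        print("ACCEPT" if ok else "DROP  ", pkt.proto, why)
```

Running the same trace with check_reset_range="disable" shows the one difference that setting makes: the out-of-window RST is no longer dropped, while the flag-combination and ICMP-error rules still apply.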