Fortinet Document Library

Cookbook
Firewall anti-replay option per policy

When the global anti-replay option is disabled, the FortiGate does not check TCP flags in packets. The per-policy anti-replay option overrides the global setting, so you can control on a per-policy basis whether TCP flags are checked.

To enable the anti-replay option on a policy, so that TCP flags are checked for traffic matching that policy, using the CLI:

config firewall policy
    edit 1
        set name "policyid-1"
        set uuid dfcaec9c-e925-51e8-cf3e-fed9a1d42a1c
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set anti-replay enable
        set logtraffic all
        set nat enable
    next
end
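Because the per-policy option overrides the global one, the state that actually applies to a policy is only visible by combining both settings. The following audit script is an added example, not Fortinet's code: it parses a FortiOS-style configuration dump, reads the per-policy anti-replay value where one is set, falls back to the global value otherwise, and lists policies for which TCP flags are not checked. The sample configuration is constructed for the example, and it assumes the global option lives under `config system global` as `set anti-replay` with a default of `strict` when not shown in the dump.

```python
import shlex

# Constructed sample of a FortiOS CLI configuration dump (not taken from a real device).
# Policy 1 overrides the disabled global setting, policy 2 inherits it, policy 3 disables it explicitly.
SAMPLE_CONFIG = """\
config system global
    set anti-replay disable
end
config firewall policy
    edit 1
        set name "policyid-1"
        set srcintf "wan2"
        set dstintf "wan1"
        set action accept
        set anti-replay enable
    next
    edit 2
        set name "policyid-2"
        set srcintf "wan1"
        set dstintf "wan2"
        set action accept
    next
    edit 3
        set name "policyid-3"
        set anti-replay disable
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI config into nested dicts.

    `config X` opens a section dict, `edit N` opens an entry dict inside it,
    `set key v1 v2 ...` stores the values list, and `next`/`end` pop back up.
    """
    root = {}
    stack = []          # enclosing dicts, innermost last
    current = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)   # handles the quoted names used by FortiOS
        cmd = tokens[0]
        if cmd == "config":
            stack.append(current)
            current = current.setdefault(" ".join(tokens[1:]), {})
        elif cmd == "edit":
            stack.append(current)
            current = current.setdefault(tokens[1], {})
        elif cmd == "set":
            current[tokens[1]] = tokens[2:]
        elif cmd in ("next", "end"):
            current = stack.pop()
    return root


def global_anti_replay(cfg):
    """Global anti-replay mode. Assumption: `config system global` / `set anti-replay`,
    with `strict` as the value when the dump does not show the setting."""
    return cfg.get("system global", {}).get("anti-replay", ["strict"])[0]


def effective_anti_replay(cfg):
    """Map policy id -> (source, tcp_flags_checked).

    source is "policy" when the policy sets anti-replay itself (the override the
    page describes) and "global" when it inherits the global setting.
    """
    global_mode = global_anti_replay(cfg)
    result = {}
    for pid, policy in cfg.get("firewall policy", {}).items():
        if "anti-replay" in policy:
            result[pid] = ("policy", policy["anti-replay"][0] == "enable")
        else:
            result[pid] = ("global", global_mode != "disable")
    return result


def policies_without_tcp_flag_checks(cfg):
    """Policy ids whose matching TCP traffic is passed without flag checks."""
    return sorted(pid for pid, (_, checked) in effective_anti_replay(cfg).items()
                  if not checked)


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print("global anti-replay:", global_anti_replay(cfg))
    for pid, (source, checked) in sorted(effective_anti_replay(cfg).items()):
        print(f"policy {pid}: TCP flags checked={checked} (from {source})")
    print("policies without TCP flag checks:", policies_without_tcp_flag_checks(cfg))
```

Run against a dump produced with `show firewall policy` and `show system global` joined into one file; a policy that appears in the final list passes TCP segments without flag validation, either because it disables anti-replay itself or because it inherits a disabled global setting.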
