Administration Guide

Firewall anti-replay option per policy

When the global anti-replay option is disabled, the FortiGate does not check TCP flags in packets. The per-policy anti-replay option overrides the global setting, so you can control whether TCP flags are checked on a per-policy basis.

To enable the per-policy anti-replay option so that TCP flags are checked, using the CLI:

config firewall policy
    edit 1
        set name "policyid-1"
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set anti-replay enable
        set logtraffic all
        set nat enable
    next
end
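An added audit script, not Fortinet's own code, that applies the override rule above to a configuration export: it reads the global anti-replay value (assumed here to be `set anti-replay` under `config system global`; the page only shows the per-policy option) and every `config firewall policy` entry, then reports which policies forward TCP traffic without flag checks. The sample export is constructed.

```python
"""Audit a FortiGate config export for which firewall policies check TCP
flags (anti-replay). Added example, not Fortinet's code; the global knob
`set anti-replay` under `config system global` is an assumption (the page
only shows the per-policy option). SAMPLE_CONFIG below is constructed."""
SAMPLE_CONFIG = """\
config system global
    set anti-replay disable
end
config firewall policy
    edit 1
        set anti-replay enable
    next
    edit 2
    next
    edit 3
        set anti-replay disable
    next
end
"""

def audit_anti_replay(config_text):
    """Return {policy_id: True/False}: whether TCP flags are checked for that
    policy, honouring a per-policy `set anti-replay` override of the global."""
    global_value, overrides, stack, current = None, {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[7:])
        elif line == "end":
            stack.pop()
        elif line.startswith("edit ") and stack[-1:] == ["firewall policy"]:
            current = line[5:].strip('"')
            overrides[current] = None          # inherit global unless overridden
        elif line == "next":
            current = None
        elif line.startswith("set anti-replay "):
            value = line.split()[2]
            if stack[-1:] == ["system global"]:
                global_value = value
            elif current is not None:
                overrides[current] = value
    # Global "disable" = off; other or absent values (assumed non-disabled default) = on.
    global_checks = global_value != "disable"
    return {pid: global_checks if ov is None else ov == "enable"
            for pid, ov in overrides.items()}

def policies_without_tcp_flag_checks(config_text):
    """IDs of policies that forward TCP traffic without flag checks."""
    return sorted(p for p, ok in audit_anti_replay(config_text).items() if not ok)
```

Run it against the output of `show full-configuration` to list policies that still rely on a disabled global setting.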
