Disabling stateful inspection on hubs

When ADVPN is used, a session can switch from one overlay to another mid-session. For example, a change in the health of a link can trigger a switchover, so a given TCP session might move from an ADVPN shortcut to the Spoke-to-Hub tunnel. Because the Hub has no state for that TCP session (it never saw the SYN), stateful inspection drops it, which is not the desired outcome. As a result, when ADVPN is in use and session switchover is needed, stateful inspection must be disabled on the Hubs for Spoke-to-Spoke traffic. This is done as follows:

To disable stateful inspection on hub devices:
  1. Globally enable TCP sessions without SYN:

    config system settings
        set tcp-session-without-syn enable
    end

  2. Go to Policy & Objects > Policy Packages, and select the policy package for hubs.
  3. Double-click the Branch to Branch policy to open it for editing.
  4. Expand the Advanced Options, and set the following options:
    • Toggle anti-replay (TCP sequence number validation) to OFF.
    • Set tcp-session-without-syn to all.
  5. Click OK to save the changes.

No reason to worry: Spokes still provide stateful inspection for all the Spoke-to-Spoke traffic! And Hubs still provide it for all the other traffic, since it has only been disabled on one particular firewall policy.
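Because the relaxation is only safe when it stays scoped to the Spoke-to-Spoke policy, a practitioner will want a check that the global setting from step 1 is on and that no other policy on the hub has quietly picked up the same options. The following Python script is an added example, not Fortinet code or part of this documentation: it parses a FortiOS-style CLI dump (the sample dump, interface names and policy names are constructed; the per-policy keys are assumed to be spelled `anti-replay` and `tcp-session-without-syn`, as the option names above) and reports any policy that relaxes stateful inspection without being on the allowed list.

```python
"""Audit a FortiOS-style config dump for the ADVPN stateful-inspection change:
the global tcp-session-without-syn setting must be enabled, and only the
intended Spoke-to-Spoke policy may carry `anti-replay disable` and
`tcp-session-without-syn all`. Added example with a hypothetical parser;
not Fortinet code.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field

# Constructed sample dump: interface and policy names are made up.
SAMPLE_CONFIG = """\
config system settings
    set tcp-session-without-syn enable
end
config firewall policy
    edit 1
        set name "Branch to Branch"
        set srcintf "advpn-overlay"
        set dstintf "advpn-overlay"
        set action accept
        set anti-replay disable
        set tcp-session-without-syn all
    next
    edit 2
        set name "Branch to DC"
        set srcintf "advpn-overlay"
        set dstintf "lan"
        set action accept
    next
    edit 3
        set name "Forgotten test rule"
        set srcintf "lan"
        set dstintf "wan1"
        set action accept
        set anti-replay disable
    next
end
"""


@dataclass
class Policy:
    policy_id: str
    settings: dict[str, str] = field(default_factory=dict)

    @property
    def name(self) -> str:
        return self.settings.get("name", f"policy {self.policy_id}")

    def relaxes_stateful_inspection(self) -> bool:
        # Either knob on its own weakens TCP state checking for this rule.
        # Unset keys are treated as the FortiOS defaults (enable / disable).
        return (
            self.settings.get("anti-replay", "enable") == "disable"
            or self.settings.get("tcp-session-without-syn", "disable") != "disable"
        )


def parse_config(text: str) -> tuple[dict[str, str], list[Policy]]:
    """Return (system settings, firewall policies) from a FortiOS-style dump.

    Minimal line-based parser: handles config / edit / set / next / end.
    """
    system: dict[str, str] = {}
    policies: list[Policy] = []
    section: list[str] = []  # e.g. ["firewall", "policy"]
    current: Policy | None = None
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())
        if not parts:
            continue
        kw = parts[0]
        if kw == "config":
            section = parts[1:]
        elif kw == "edit" and section == ["firewall", "policy"]:
            current = Policy(parts[1])
        elif kw == "set":
            key, value = parts[1], " ".join(parts[2:])
            if current is not None:
                current.settings[key] = value
            elif section == ["system", "settings"]:
                system[key] = value
        elif kw == "next" and current is not None:
            policies.append(current)
            current = None
        elif kw == "end":
            section = []
    return system, policies


def audit(text: str, allowed_policy_names: set[str]) -> list[str]:
    """Return findings; an empty list means the config matches the intent."""
    system, policies = parse_config(text)
    findings: list[str] = []
    if system.get("tcp-session-without-syn") != "enable":
        findings.append("global tcp-session-without-syn is not enabled (step 1)")
    for p in policies:
        if p.relaxes_stateful_inspection() and p.name not in allowed_policy_names:
            findings.append(f"{p.name!r} (id {p.policy_id}) relaxes stateful "
                            "inspection but is not a Spoke-to-Spoke policy")
    for name in allowed_policy_names:
        match = [p for p in policies if p.name == name]
        if not match:
            findings.append(f"expected policy {name!r} not found")
        elif not (match[0].settings.get("anti-replay") == "disable"
                  and match[0].settings.get("tcp-session-without-syn") == "all"):
            findings.append(f"{name!r} lacks anti-replay disable and/or "
                            "tcp-session-without-syn all")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, {"Branch to Branch"}):
        print("FINDING:", finding)
```

Run against the constructed dump, the audit accepts the Branch to Branch policy and flags only the stray test rule that also has anti-replay turned off; if the global setting from step 1 were missing, that would be reported first. Policy names are used as the allow-list key because that is how the policy is identified in the GUI steps above; on a real device you may prefer to key on the policy ID instead.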