Antispoofing on Frotigate

-
With the RPF function the Firewall checks if the packet comes in the firewall on the correct interface and does not try to spoof the address.
For example in a DMZ network a packet coming in the dmz interface of the firewall and has a source IP from the internal network is spoofed. The firewall should not allow it.
RPF is enabled by default and cannot be disabled, but can be set to strict. Strict RPF is disabled by default.
If it is set to loose it does not look for best match route only if there is a route. With strict it checks the Forwarding Information Base (FIB).
If it is set to strict it look for best match route. for more info see RFC 3704.
Used Version: v4.0,build0521,120313 (MR3 Patch 6)
firewall (root) # show full-configuration system settings
config system settings
    set comments ''
    set opmode nat
    set bfd disable
    set utf8-spam-tagging enable
    set wccp-cache-engine disable
    unset vpn-stats-log
    set vpn-stats-period 0
    set v4-ecmp-mode usage-based
    set asymroute disable
    set strict-src-check disable ----------> RPF strict
    set asymroute6 disable
    set per-ip-bandwidth enable
    set sip-helper enable
    set sip-nat-trace enable
    set status enable
    set sip-tcp-port 5060
    set sip-udp-port 5060
    set sccp-port 2000
    set multicast-forward disable
    set multicast-ttl-notchange disable
    set allow-subnet-overlap disable
    set ecmp-max-paths 10
end

Comments

Post a Comment

Popular posts from this blog

Upgrading the firmware on a standalone Fortigate unit or units in an HA cluster

-
Understanding upgrade paths: Each firmware version has an upgrade path requirement from older versions. Most of the time when you are in a MR (major release) patch level, you can upgrade straight to any patch level within the MR. ex: 1) currently, a fortigate unit is running 4.0 MR3 patch 3. 2) You wish to upgrade it to 4.0 MR3 patch 11. 3) You can simply upgrade it directly to 4.0 MR3 patch 11. Most of the time when you are upgrading from a MR to the next MR, you can upgrade straight to any patch level in the next MR as long as you are at the highest patch level in the lower/previous MR. ex: 1) currently, a fortigate unit is running 4.0 MR2 patch 3. 2) You wish to upgrade it to 4.0 MR3 patch 11. 3) You must first upgrade it to 4.0 MR2 patch 13 (highest 4.0 MR2 patch). 4) Then you can upgrade to 4.0 MR3 patch 11. You should ALWAYS refer to the release notes of the firmware release you wish to upgrade your unit. Even, for comfort, just open a ticket...
Read more

Traffic Shaping With Fortigate

-
FortiGate v4.0 Description This article describes the Traffic Shaping features that have been implemented in FortiOS 4.0 In FortiOS version 4.0, the traffic shaping has been enhanced. Diagnose commands allowing to verify each traffic shaper's usage and giving more configuration flexibility. See also the related articles at the end of this page for additional information. Solution Summary 1- Traffic shaping configuration is dissociated from the Firewall policies allowing multiple policies to use common configurations 2- Possibility to use independent configurations in policies for forward and reverse traffic directions 3- The P2P shaping capabilities are now defined at the application control level 4- Troubleshooting packet loss with statistics on traffic shaping configurations 5- Troubleshooting packet loss with the debug flow diagnose commands 6- Session list details with dual traffic shaper (forward and reverse traffic) 1- Traffic shaping configuration is di...
Read more