Technical Tip: How to get log messages for packets dropped due to anti-spoofing
Description
- Belong to a locally attached subnet (local interface), or,
- Be in the routing table of the FortiGate, learned from another source (static route, RIP, OSPF, BGP)
Debug flow shows those drops as 'reverse path check fail, drop':
id=13 trace_id=27 msg="VD1 received a packet(proto=1, 10.11.130.70:1->10.35.252.4:8) from Int1."
id=13 trace_id=27 msg="allocate a new session-086bf186"
id=13 trace_id=27 msg="reverse path check fail, drop"
id=13 trace_id=27 msg="trace"
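As an added example (not from the article), a small Python parser that groups debug-flow lines by trace_id and reports which received packets ended in 'reverse path check fail, drop', with the ingress interface and source address taken from the matching 'received a packet' line. The sample input is the trace above plus one constructed accepted session; the helper names and the count-by-interface summary are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the trace from this article (trace_id=27) plus one
# session that was not dropped (trace_id=28, constructed for contrast).
SAMPLE_DEBUG_FLOW = """\
id=13 trace_id=27 msg="VD1 received a packet(proto=1, 10.11.130.70:1->10.35.252.4:8) from Int1."
id=13 trace_id=27 msg="allocate a new session-086bf186"
id=13 trace_id=27 msg="reverse path check fail, drop"
id=13 trace_id=27 msg="trace"
id=13 trace_id=28 msg="VD1 received a packet(proto=1, 10.35.252.10:1->10.35.252.4:8) from Int2."
id=13 trace_id=28 msg="allocate a new session-086bf187"
"""

LINE_RE = re.compile(r'id=(?P<id>\d+) trace_id=(?P<trace>\d+) msg="(?P<msg>.*)"')
PACKET_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), '
    r'(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<intf>\S+)\.'
)
RPF_DROP = "reverse path check fail, drop"


def rpf_drops(debug_flow: str) -> list:
    """Return one record per trace whose packet hit the reverse path check.

    Each record carries proto, src, dst and ingress interface taken from the
    'received a packet' line that shares the trace_id with the drop line.
    """
    packets = {}   # trace_id -> parsed packet header
    dropped = []   # trace_ids, in order, that hit the RPF drop
    for line in debug_flow.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        trace, msg = m["trace"], m["msg"]
        pm = PACKET_RE.search(msg)
        if pm:
            packets[trace] = {k: pm[k] for k in ("proto", "src", "dst", "intf")}
        elif msg == RPF_DROP:
            dropped.append(trace)
    return [dict(trace_id=t, **packets.get(t, {})) for t in dropped]


def drops_by_interface_and_source(records) -> dict:
    # Counting drops per (ingress interface, source address) shows which
    # source network lacks a return route on which interface.
    counts = defaultdict(int)
    for r in records:
        counts[(r.get("intf"), r.get("src"))] += 1
    return dict(counts)
```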
Enabling logging of dropped ICMP packets can help in troubleshooting and in finding incorrect route settings.
The CLI commands are:
- FortiOS:
config log setting
set log-invalid-packet enable
end
- FortiOS v7.4.x and above:
config log setting
set extended-log enable
end
With this option enabled, a log message is generated for each ping dropped due to anti-spoofing.
Note that this option is not limited to anti-spoofing; it also logs:
- All dropped ICMP packets.
- All dropped invalid IP packets.
It is a global parameter, independent of traffic log settings.
This setting is not rate-limited, and a large volume of invalid packets will generate numerous log messages, which can affect device performance.
Related article:
Technical Note: Details about FortiOS RPF (Reverse Path Forwarding), also called Anti-Spoofing