jefazo92
Explorer II
August 27, 2024
Question

Can Cisco Discovery Protocol be disabled in a Fortigate?

  • August 27, 2024
  • 5 replies
  • 4221 views

I would like to disable CDP and have noticed it is referenced in certain CLI commands in the CLI reference. However, I have been unable to find how it might be disabled globally. Is there a command to achieve this?

5 replies

AEK
SuperUser
August 27, 2024

I guess you mean LLDP.

I know it can be disabled per interface, but there seems to be a way to disable it globally.

https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/311052/lldp-reception

Hope it helps.

AEK
jefazo92 (Author)
Explorer II
August 27, 2024

@AEK I mean CDP. I already disabled LLDP.

Jakob-AHHG
Explorer III
August 27, 2024

So you disabled all FortiLink negotiation?
Well, if you don't need any other Fortinet equipment, that should be ok.. ;) 

AEK
SuperUser
August 27, 2024

I don't think FortiGate supports CDP.

I know FortiSwitch does.

AEK
Jakob-AHHG
Explorer III
August 27, 2024

I'm curious: Why?
In my 30 years of working with network equipment, CDP and LLDP are among the most valuable features for troubleshooting many issues, especially getting remote knowledge of what equipment is connected where and to which ports.

AEK
SuperUser
August 27, 2024

I guess because CDP is proprietary and LLDP is standard.

AEK
Jakob-AHHG
Explorer III
August 27, 2024

He already disabled LLDP.. ;) 

abarushka
Staff
August 27, 2024

Hello,

CDP is not listed in the list of supported RFCs:

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/e4a64990-3346-11ef-bfe5-fa163e15d75b/FortiOS-7.6-Supported_RFCs.pdf

Could you please elaborate which documentation you are referring to?

jefazo92 (Author)
Explorer II
August 28, 2024

Hi @abarushka, in the FortiGate CLI reference manual, CDP is referenced for the management-interface parameter of config switch-controller lldp-settings. The description for the parameter states, "Primary management interface to be advertised in LLDP and CDP PDUs".

AEK
SuperUser
August 28, 2024

You said "config switch-controller", so it is for FortiSwitch.

AEK
sbabu
Staff
August 28, 2024

Hi @jefazo92,

If you want to block CDP protocol traffic on the FortiGate, you can create a local-in policy and block the communication.

Refer to the link below for the creation of the local-in policy and modify it based on the protocol number of CDP.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-the-IGMP-protocol-using-a-local-in/ta-p/280765

jefazo92 (Author)
Explorer II
August 28, 2024

Thank you @sbabu, but the list of protocols (https://docs.fortinet.com/document/fortigate/6.0.0/handbook/451530/protocol-number) which can be configured as a firewall custom service does not include CDP.
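To show why a custom service or local-in policy keyed on an IP protocol number has nothing to match, here is an added Python example (not from the thread or from Fortinet) that classifies raw Ethernet frames: CDP is carried directly in an IEEE 802.3 frame with LLC/SNAP (Cisco OUI 00:00:0C, protocol ID 0x2000), LLDP uses EtherType 0x88CC, and only IP packets carry the protocol number the linked IGMP tip filters on. The sample frames and MAC addresses are constructed inline.

```python
import struct

# Constructed sample addresses (not from any real capture)
CDP_MCAST = bytes.fromhex("01000ccccccc")   # well-known CDP destination MAC
LLDP_MCAST = bytes.fromhex("0180c200000e")  # nearest-bridge LLDP destination MAC
SRC = bytes.fromhex("001122334455")

def cdp_frame():
    # 802.3 length field, then LLC (AA AA 03), SNAP with Cisco OUI + PID 0x2000,
    # then a minimal CDP header (version 2, TTL 180, placeholder checksum)
    llc_snap = b"\xaa\xaa\x03" + b"\x00\x00\x0c" + b"\x20\x00"
    payload = llc_snap + b"\x02\xb4\x00\x00"
    return CDP_MCAST + SRC + struct.pack("!H", len(payload)) + payload

def lldp_frame():
    # EtherType 0x88CC followed by a Chassis ID TLV (MAC subtype) and End TLV
    return LLDP_MCAST + SRC + b"\x88\xcc" + b"\x02\x07\x04" + SRC + b"\x00\x00"

def ipv4_frame(proto):
    # EtherType 0x0800 followed by a 20-byte IPv4 header carrying `proto`
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return bytes(6) + SRC + b"\x08\x00" + hdr

def classify(frame):
    """Return (kind, ip_protocol). ip_protocol is None for anything that is not IPv4,
    which is exactly why a protocol-number based policy cannot select CDP."""
    if len(frame) < 14:
        return ("other", None)
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len == 0x88CC:
        return ("lldp", None)
    if type_or_len == 0x0800 and len(frame) >= 34:
        return ("ipv4", frame[14 + 9])           # IPv4 protocol field is header byte 9
    if type_or_len <= 0x05DC and len(frame) >= 22:  # 802.3 length, LLC/SNAP follows
        llc_snap = frame[14:22]
        if llc_snap[:3] == b"\xaa\xaa\x03" and llc_snap[3:6] == b"\x00\x00\x0c" \
                and llc_snap[6:8] == b"\x20\x00":
            return ("cdp", None)
    return ("other", None)

def filterable_by_ip_protocol(frame):
    """True only when the frame carries an IP protocol number a local-in policy can match."""
    return classify(frame)[1] is not None

if __name__ == "__main__":
    for name, f in [("cdp", cdp_frame()), ("lldp", lldp_frame()), ("igmp", ipv4_frame(2))]:
        print(name, classify(f), "filterable by protocol number:", filterable_by_ip_protocol(f))
```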