user504892
New Member
July 21, 2021
Question

How to disable "Source Routing"? The SANS standard has this as a checklist item


The official item is "Ensure that loose source routing and strict source routing (lsrsr & ssrr) are blocked and logged by the firewall."  

  

It's my understanding that "Policy Routes" in FortiGate is the same thing as "Source Routing", as that's where you can route network traffic based on the source. This matches the term "source routing" and the definitions for it and LSRSR & SSRR that I looked up online.

Can you even disable "Policy Routes"? 

 

Does anyone else comply with SANS and have information on this?

    1 reply

    emnoc
    New Member
    July 21, 2021

    A few things come to mind:

     

    PBR (policy-based routing) is not source routing.

     

    What you need to study is the loose source routing and strict source routing concepts. Almost no upstream devices support datagrams with routing details in the IP header; they will drop these and not route the packets. I believe the FortiGate and any NGFW also does this by design; it's called cleanup strict checking.

     

    You can maybe test this behavior with `traceroute -g "x.x.x.x a.a.a.a c.c.c.c" 1.1.1.1` and run a capture and `diag debug flow` on your firewall.

     

    And lastly, I never heard of anybody trying to control this at the FW; they do it at the edge routers.

     

    Ken Felix
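To make the distinction in the reply concrete: source routing is an IPv4 header option (LSRR, option type 131, or SSRR, option type 137, per RFC 791), not a routing policy on the box. The example below is added here and is not code from the thread or from Fortinet. It builds a few IPv4 headers by hand (constructed sample packets using documentation address ranges) so it runs offline, including the kind of LSRR packet that `traceroute -g` emits, and then scans them the way a capture-side check would, reporting the route the sender asked for so the hit can be logged. The checksum helper and the packet builder are only there to produce realistic input; the detection is `source_route()`.

```python
"""Detect IPv4 loose/strict source-route options (LSRR/SSRR) in raw packets.

Added example, not from the forum thread or Fortinet. All packets below are
constructed sample data; no live capture is read.
"""
import struct

# IP option type octets per RFC 791: copied flag (bit 7), class (bits 6-5), number
IPOPT_EOL = 0      # end of option list
IPOPT_NOP = 1      # no-op (padding)
IPOPT_RR = 7       # record route: not a source-route option
IPOPT_LSRR = 131   # loose source and record route (copied=1, class=0, number=3)
IPOPT_SSRR = 137   # strict source and record route (copied=1, class=0, number=9)

SOURCE_ROUTE_OPTIONS = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def ip_checksum(data):
    """RFC 1071 one's-complement checksum over the header bytes."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src, dst, options=b"", payload=b""):
    """Build an IPv4 header (+payload) carrying the given options, checksum filled."""
    options = options + b"\x00" * (-len(options) % 4)  # pad option list to 32 bits
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 17, 0,
                      ip_to_bytes(src), ip_to_bytes(dst)) + options
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def source_route_option(kind, gateways):
    """Encode an LSRR or SSRR option: type, length, pointer=4, then 4-byte hops."""
    t = IPOPT_LSRR if kind == "LSRR" else IPOPT_SSRR
    route = b"".join(ip_to_bytes(g) for g in gateways)
    return bytes([t, 3 + len(route), 4]) + route


def parse_ip_options(options):
    """Yield (type, data) for each option in the IPv4 options field."""
    i = 0
    while i < len(options):
        t = options[i]
        if t == IPOPT_EOL:
            return
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        yield t, options[i + 2:i + length]
        i += length


def source_route(packet):
    """Return (kind, [gateways]) if the packet carries LSRR/SSRR, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    for t, data in parse_ip_options(packet[20:ihl]):
        if t in SOURCE_ROUTE_OPTIONS:
            route = data[1:]  # data[0] is the pointer; the rest is the hop list
            hops = [bytes_to_ip(route[j:j + 4])
                    for j in range(0, len(route) - len(route) % 4, 4)]
            return SOURCE_ROUTE_OPTIONS[t], hops
    return None


def scan(packets):
    """Return one log line per packet that should be dropped for source routing."""
    findings = []
    for name, pkt in packets.items():
        hit = source_route(pkt)
        if hit:
            kind, hops = hit
            findings.append("%s: DROP %s src=%s dst=%s route=%s" % (
                name, kind, bytes_to_ip(pkt[12:16]), bytes_to_ip(pkt[16:20]), ",".join(hops)))
    return findings


# Constructed sample packets (documentation ranges, not real hosts).
SAMPLE_PACKETS = {
    "plain": build_ipv4("192.0.2.10", "198.51.100.5"),
    "rr": build_ipv4("192.0.2.10", "198.51.100.5", bytes([IPOPT_RR, 7, 4]) + b"\x00" * 4),
    "lsrr": build_ipv4("192.0.2.10", "198.51.100.5",
                       source_route_option("LSRR", ["203.0.113.1", "203.0.113.2"])),
    "ssrr": build_ipv4("192.0.2.10", "198.51.100.5",
                       source_route_option("SSRR", ["203.0.113.9"])),
}

if __name__ == "__main__":
    for line in scan(SAMPLE_PACKETS):
        print(line)
```

Only the two packets carrying options 131/137 are flagged; the record-route packet and the plain one pass, which is the distinction the checklist item draws. Feeding real frames in (strip the Ethernet header first) lets you confirm whether the upstream device or firewall dropped the `traceroute -g` probes before they arrived.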