Description
This article describes how to confirm that antispoofing is configured correctly and is operational on the FortiGate.
Scope
All versions of FortiGate.
Solution
Meet the following prerequisites:
- Verify asymmetric routing is disabled. Run the following command to check:
show full | grep asym
Example output:
show full | grep asym
set asymroute disable
set asymroute-icmp disable
set asymroute6 disable
set asymroute6-icmp disable
- By default anti-spoofing (src-check) is enabled on all interfaces with a few exceptions.
- The naf.<vdom> interfaces introduced in 7.0.1 by Simplify NAT46 and NAT64 policy and routing configurations disables this by default.
show full | grep src-check
Example output:
show full | grep src-check
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set strict-src-check disable
- It is possible to run a debug flow on traffic which should be dropped by the antispoof check to confirm it is working.
diagnose debug reset
diagnose debug flow filter addr x.x.x.x y.y.y.y and
diagnose debug flow trace start 1000
diagnose debug enable
On port10, the subnet 100.65.0.0/16 is configured. However, the PC has an IP of 100.64.0.2. Here is the output when this PC is failing the antispoof check:
See: Technical Tip: Reverse Path Forwarding (RPF) implementation and use of strict-src-check enable|disab... for more information about antispoofing.
