FortiGate
Sabk_FTNT
Staff
Article Id 193517

Description

 

This article describes that, by default, the FortiGate silently drops any packet with a possibly spoofed source address. This is the RPF (Reverse Path Forwarding) or anti-spoofing mechanism.
 
Scope
 
FortiGate.
 
Solution
 
Because of this feature, IP packets are not forwarded unless their source IP either:
  • belongs to a locally attached subnet (local interface), or
  • is covered by a route known to the FortiGate from another source (static route, RIP, OSPF, BGP).

 

Debug flow shows those drops as 'reverse path check fail, drop':

 

id=13 trace_id=27 msg="VD1 received a packet(proto=1, 10.11.130.70:1->10.35.252.4:8) from Int1."
id=13 trace_id=27 msg="allocate a new session-086bf186"
id=13 trace_id=27 msg="reverse path check fail, drop"
id=13 trace_id=27 msg="trace"
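The rule above and the debug-flow output, as an added Python example (not from the article or from Fortinet): a simplified reverse-path check against a constructed routing table, and a parser that pairs each 'reverse path check fail' line with the 'received a packet' line of the same trace_id so the dropped source, destination and ingress interface can be read off. LOCAL_SUBNETS, ROUTES, the second trace (trace_id=28) and the function names are assumptions.

```python
import ipaddress
import re

# Constructed routing state (not from the article): one locally attached
# subnet and one route learned from another source (static/RIP/OSPF/BGP).
LOCAL_SUBNETS = ["10.35.252.0/24"]
ROUTES = ["10.11.128.0/23"]          # hypothetical; does NOT cover 10.11.130.x

def rpf_allows(src_ip, local_subnets=LOCAL_SUBNETS, routes=ROUTES):
    """Reverse-path check as the article states it: the source address must
    belong to a locally attached subnet or be covered by a route from another
    source. Per-interface details of the real FortiOS check are left out."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(p) for p in local_subnets + routes)

# Debug-flow lines: trace_id=27 is the article's output, trace_id=28 is constructed.
DEBUG_FLOW = """\
id=13 trace_id=27 msg="VD1 received a packet(proto=1, 10.11.130.70:1->10.35.252.4:8) from Int1."
id=13 trace_id=27 msg="allocate a new session-086bf186"
id=13 trace_id=27 msg="reverse path check fail, drop"
id=13 trace_id=27 msg="trace"
id=13 trace_id=28 msg="VD1 received a packet(proto=1, 10.11.129.9:1->10.35.252.4:8) from Int1."
id=13 trace_id=28 msg="allocate a new session-086bf187"
"""

RECEIVED = re.compile(r'trace_id=(\d+) msg="\S+ received a packet\(proto=\d+, '
                      r'([\d.]+):\d+->([\d.]+):\d+\) from (\w+)\."')
FAILED = re.compile(r'trace_id=(\d+) msg="reverse path check fail, drop"')

def rpf_failures(debug_flow):
    """Pair every 'reverse path check fail' line with the 'received a packet'
    line of the same trace_id; return [(src, dst, ingress_interface), ...]."""
    received, failures = {}, []
    for line in debug_flow.splitlines():
        m = RECEIVED.search(line)
        if m:
            received[m.group(1)] = (m.group(2), m.group(3), m.group(4))
            continue
        m = FAILED.search(line)
        if m and m.group(1) in received:
            failures.append(received[m.group(1)])
    return failures

if __name__ == "__main__":
    for src, dst, iface in rpf_failures(DEBUG_FLOW):
        print(f"dropped {src}->{dst} on {iface}; source covered by a route/subnet: {rpf_allows(src)}")
```

Running it lists 10.11.130.70 as dropped on Int1 with no covering route, which is exactly the missing-route condition the article says to look for.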


Enabling logging of any ICMP dropped packets can help in troubleshooting and finding incorrect route settings.

 

The CLI commands are:

  • FortiOS:

 

config log setting
    set log-invalid-packet enable
end

 

  • FortiOS v7.4.x and above:

 

config log setting
    set extended-log enable
end

 

With this option enabled, a log message is generated for each ping dropped by anti-spoofing.

Note that this option is not limited to anti-spoofing.

When enabled, traffic log entries are generated for:
  • All dropped ICMP packets.
  • All dropped invalid IP packets.
 

It is a global parameter, independent of traffic log settings.

This setting is not rate-limited: a large volume of invalid packets will generate numerous log messages and can affect device performance.

 


 

Related article:

Technical Note: Details about FortiOS RPF (Reverse Path Forwarding), also called Anti-Spoofing