This article describes the reasons why FortiGate drops packets which carry the flag 'Loose Source Route' inside the IP Header.
FortiGate.
When end devices send ICMP traffic through FortiGate with the 'Loose source route' flag, FortiGate will drop them with the error 'source route ip option, drop'.
Enabling the iprope and function-name options when running the debug flow shows that the packet is dropped by FortiGate in ip_rcv_options:
2022-08-22 10:27:26 id=20085 trace_id=50831 func=print_pkt_detail line=5644 msg="vd-root:0 received a packet(proto=1, 10.41.2.22:30754-10.3.10.13:2048) from port3. type=8, code=0, id=30754, seq=671."
2022-08-22 10:27:26 id=20085 trace_id=50831 func=init_ip_session_common line=5814 msg="allocate a new session-5550a918"
2022-08-22 10:27:26 id=20085 trace_id=50831 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.123.8 via port1"
2022-08-22 10:27:26 id=20085 trace_id=50831 func=ip_rcv_options line=301 msg="source route ip option, drop"
A packet capture taken on the incoming interface shows the ICMP traffic carrying a 'Loose Source Route' option under IP Header -> IP Options:
Ethernet II, Src: VMware_80:fb:11 (00:50:56:80:fb:11), Dst: 00:00:00_00:00:01 (00:00:00:00:00:01)
Internet Protocol Version 4, Src: 10.41.2.23, Dst: 0.0.35.120, Via: 10.3.10.13
Source Address: 10.41.2.23
Current Route: 10.3.10.13
Options: (8 bytes), Loose Source Route
IP Option - No-Operation (NOP)
Type: 1
0... .... = Copy on fragmentation: No
.00. .... = Class: Control (0)
...0 0001 = Number: No-Operation (NOP) (1)
IP Option - Loose Source Route (7 bytes)
Type: 131
1... .... = Copy on fragmentation: Yes
.00. .... = Class: Control (0)
...0 0011 = Number: Loose source route (3)
Length: 7
Pointer: 4
Destination Address: 0.0.35.120
Source routing of this kind is not supported on NGFW firewalls, and the firewall treats such packets as suspicious or malicious traffic. The FortiGate therefore drops this traffic by design.
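As an added illustration that is not part of the Fortinet article, the following Python code walks the IPv4 option area the same way a firewall does before applying the drop above: it decodes the NOP and Loose Source Route (type 131) options shown in the capture, also recognises Strict Source Route (type 137), and rejects malformed option lengths. The sample header is constructed here to mirror the capture's fields; build_ipv4_header and the sample names are this example's own.

```python
import ipaddress
import struct

IPOPT_EOL, IPOPT_NOP = 0, 1  # IPv4 option type codes from RFC 791 (copy bit | class | number)
IPOPT_LSRR = 131  # 0x83: copy=1, class=0, number=3 (Loose Source Route)
IPOPT_SSRR = 137  # 0x89: copy=1, class=0, number=9 (Strict Source Route)

def parse_ipv4_options(header: bytes) -> list:
    # Walk the option area (bytes 20..IHL*4) and return one dict per option.
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    opts, i, found = header[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break  # rest of the option area is padding
        if kind == IPOPT_NOP:
            found.append({"type": kind, "name": "NOP"})
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("option type %d has a bad length" % kind)
        length = opts[i + 1]
        entry = {"type": kind, "length": length, "name": "other"}
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            body = opts[i + 2:i + length]  # pointer byte, then 4-byte route addresses
            if not body or (len(body) - 1) % 4 or body[0] < 4:
                raise ValueError("malformed source route option")
            entry["name"] = "LSRR" if kind == IPOPT_LSRR else "SSRR"
            entry["pointer"] = body[0]
            entry["route"] = [str(ipaddress.IPv4Address(body[k:k + 4]))
                              for k in range(1, len(body), 4)]
        found.append(entry)
        i += length
    return found

def has_source_route(header: bytes) -> bool:
    # The check the firewall applies: any LSRR/SSRR option means "drop".
    return any(o["type"] in (IPOPT_LSRR, IPOPT_SSRR) for o in parse_ipv4_options(header))

def build_ipv4_header(src: str, dst: str, options: bytes = b"") -> bytes:
    # Minimal IPv4 header (checksum left 0) carrying the given option bytes.
    options += b"\x00" * (-len(options) % 4)  # pad option area to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = bytes([0x40 | ihl, 0]) + struct.pack("!HHHBBH", ihl * 4 + 8, 0x1234, 0, 64, 1, 0)
    return fixed + ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + options

# Constructed sample mirroring the capture above: NOP + LSRR(len 7, ptr 4, via 10.3.10.13)
LSRR_OPTION = bytes([IPOPT_NOP, IPOPT_LSRR, 7, 4]) + ipaddress.IPv4Address("10.3.10.13").packed
SAMPLE_LSRR = build_ipv4_header("10.41.2.23", "0.0.35.120", LSRR_OPTION)
SAMPLE_PLAIN = build_ipv4_header("10.41.2.23", "10.3.10.13")
```

has_source_route(SAMPLE_LSRR) returns True, matching the 'source route ip option, drop' verdict, while the plain header returns False.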
Copyright 2024 Fortinet, Inc. All Rights Reserved.