FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
lsaroukhani
Staff
Article Id 330809
Description

This article describes why FortiGate drops packets that carry the 'Loose Source Route' option in the IP header.

 

Scope

FortiGate.

 

Solution

When end devices send ICMP traffic through FortiGate with the 'Loose source route' option set, FortiGate drops the packets with the error 'source route ip option, drop'.

Enabling the iprope and function-name options of the debug flow output shows the function in which FortiGate drops the packet (ip_rcv_options) together with the drop reason.

 

2022-08-22 10:27:26 id=20085 trace_id=50831 func=print_pkt_detail line=5644 msg="vd-root:0 received a packet(proto=1, 10.41.2.22:30754-10.3.10.13:2048) from port3. type=8, code=0, id=30754, seq=671."

2022-08-22 10:27:26 id=20085 trace_id=50831 func=init_ip_session_common line=5814 msg="allocate a new session-5550a918"

2022-08-22 10:27:26 id=20085 trace_id=50831 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.123.8 via port1"

2022-08-22 10:27:26 id=20085 trace_id=50831 func=ip_rcv_options line=301 msg="source route ip option, drop"

 
A packet capture (sniffer) taken on the incoming interface shows the ICMP traffic carrying a 'Loose Source Route' option under IP Header -> IP Options.
 

Ethernet II, Src: VMware_80:fb:11 (00:50:56:80:fb:11), Dst: 00:00:00_00:00:01 (00:00:00:00:00:01)

Internet Protocol Version 4, Src: 10.41.2.23, Dst: 0.0.35.120, Via: 10.3.10.13 

Source Address: 10.41.2.23

Current Route: 10.3.10.13

Options: (8 bytes), Loose Source Route

IP Option - No-Operation (NOP)

Type: 1

0... .... = Copy on fragmentation: No

.00. .... = Class: Control (0)

...0 0001 = Number: No-Operation (NOP) (1)

IP Option - Loose Source Route (7 bytes)

Type: 131

1... .... = Copy on fragmentation: Yes

.00. .... = Class: Control (0)

...0 0011 = Number: Loose source route (3)

Length: 7

Pointer: 4

Destination Address: 0.0.35.120

 

Source routing is not supported on NGFW firewalls, and the firewall treats packets carrying it as malicious/suspicious traffic: a source route option lets the sender dictate the forwarding path, which can bypass routing-based policy. Consequently, FortiGate drops this traffic, which is by design.
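To make the capture and the debug flow message concrete, the following added example (not FortiGate code, and not from this article) decodes the IPv4 options area the way the firewall's option check must, flags the LSRR/SSRR option types (131 and 137), and returns the same reason string the debug flow shows. The sample packet is constructed to match the capture above: header 10.41.2.23 -> 10.3.10.13 with 8 option bytes (NOP, then LSRR with length 7, pointer 4 and one route entry 0.0.35.120).

```python
import struct

# IPv4 option type codes (RFC 791): copy bit | 2-bit class | 5-bit number.
IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR = 131   # 0x83: copied=1, class=0 (control), number=3 -> Loose Source Route
IPOPT_SSRR = 137   # 0x89: copied=1, class=0 (control), number=9 -> Strict Source Route

def parse_ip_options(opts: bytes):
    """Walk the options area of an IPv4 header and return (type, body) pairs."""
    out, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:            # single-byte option, no length field
            out.append((t, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"bad length {length} for option type {t}")
        out.append((t, opts[i + 2:i + length]))   # body = bytes after type and length
        i += length
    return out

def source_route_addrs(body: bytes):
    """Decode an LSRR/SSRR body: one pointer byte followed by 4-byte route entries."""
    pointer, route = body[0], body[1:]
    addrs = [".".join(str(b) for b in route[j:j + 4]) for j in range(0, len(route) - len(route) % 4, 4)]
    return pointer, addrs

def drop_reason(packet: bytes):
    """Return the firewall-style reason if the packet carries a source route option, else None."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes; > 20 means options are present
    if ihl <= 20:
        return None
    for t, _ in parse_ip_options(packet[20:ihl]):
        if t in (IPOPT_LSRR, IPOPT_SSRR):
            return "source route ip option, drop"
    return None

# Constructed sample (header only, no ICMP payload): version 4, IHL 7 (28 bytes), proto 1,
# src 10.41.2.23, dst 10.3.10.13, options = NOP + LSRR(type 131, len 7, pointer 4, 0.0.35.120).
OPTIONS = bytes([IPOPT_NOP, IPOPT_LSRR, 7, 4, 0, 0, 35, 120])
SAMPLE = struct.pack("!BBHHHBBH4s4s", 0x47, 0, 20 + len(OPTIONS), 0, 0, 64, 1, 0,
                     bytes([10, 41, 2, 23]), bytes([10, 3, 10, 13])) + OPTIONS
```

Calling drop_reason(SAMPLE) yields the same "source route ip option, drop" text as the debug flow line, while the same header with IHL 5 and no options passes.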