New Contributor

How to disable "Source Routing"? The SANS standard has this as a checklist item

The official item is "Ensure that loose source routing and strict source routing (lsrsr & ssrr) are blocked and logged by the firewall."  


It's my understanding that "Policy Routes" in FortiGate is the same thing as "Source Routing", as that's where you can route network traffic based on the source. This matches the term "source routing" and the definitions for it and LSRSR & SSRR that I looked up online.

Can you even disable "Policy Routes"? 


Does anyone else comply with SANS and have information on this?

Esteemed Contributor III

A few things come to mind:

PBR (policy-based routing) is not source routing.

What you need to study is the loose source routing and strict source routing concepts; almost no upstream devices support datagrams with routing details in the IP header. They will drop these and not route the packets. I believe the FortiGate and any NGFW also does this by design; it's called cleanup strict checking.

You can maybe test this behavior with "traceroute -g x.x.x.x a.a.a.a c.c.c.c" and run a capture and "diag debug flow" on your firewall.

And lastly, I never heard of anybody trying to control this at the FW; they do it at the edge routers.


Ken Felix
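To make concrete what "datagrams with routing details in the IP header" means and what a firewall has to look at to block and log them (the SANS checklist item from the question), here is an added Python example. It is not code from this thread, from Fortinet, or from SANS: it walks the IPv4 options field as laid out in RFC 791, flags the Loose Source and Record Route option (type 131) and the Strict Source and Record Route option (type 137), and returns a drop verdict that is rendered as a log line. The packet bytes, the addresses (RFC 5737 documentation ranges), and the log format are constructed for the example only; the FortiGate's own log fields look different.

```python
import socket
import struct

# IPv4 option type codes from RFC 791 (type octet = copied | class | number).
OPT_EOOL = 0     # End of Option List
OPT_NOP = 1      # No Operation (padding)
OPT_LSRR = 131   # Loose Source and Record Route
OPT_SSRR = 137   # Strict Source and Record Route
SOURCE_ROUTE_OPTS = {OPT_LSRR: "LSRR", OPT_SSRR: "SSRR"}


def build_ipv4(src, dst, options=b"", payload=b""):
    """Build a minimal IPv4 header carrying the given options.
    Constructed test data only: checksum is left at zero and the options
    area is padded with EOOL bytes to a 32-bit boundary, as RFC 791 requires."""
    if len(options) % 4:
        options += bytes(4 - len(options) % 4)
    ihl = (20 + len(options)) // 4
    total = 20 + len(options) + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total,
                      0x1234, 0, 64, 1, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + options + payload


def source_route_option(kind, hops, pointer=4):
    """Encode an LSRR/SSRR option: type, length, pointer, then hop addresses."""
    route = b"".join(socket.inet_aton(h) for h in hops)
    return bytes([kind, 3 + len(route), pointer]) + route


def parse_options(packet):
    """Walk the IPv4 options area and yield (type, data) pairs.
    Raises ValueError on a malformed header rather than guessing."""
    ihl = (packet[0] & 0x0F) * 4
    if (packet[0] >> 4) != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    opts = packet[20:ihl]
    i = 0
    while i < len(opts):
        t = opts[i]
        if t == OPT_EOOL:
            return
        if t == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option at offset %d" % i)
        length = opts[i + 1]
        yield t, opts[i + 2:i + length]
        i += length


def inspect(packet):
    """Firewall-style check: drop any packet carrying LSRR/SSRR and report
    the hop list the sender tried to impose; everything else is accepted."""
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    for t, data in parse_options(packet):
        name = SOURCE_ROUTE_OPTS.get(t)
        if name is None:
            continue  # other options (e.g. Record Route, type 7) are not source routing
        route = data[1:]  # byte 0 is the pointer into the route list
        hops = [socket.inet_ntoa(route[k:k + 4])
                for k in range(0, len(route) - len(route) % 4, 4)]
        return {"action": "drop", "option": name, "src": src, "dst": dst,
                "pointer": data[0] if data else None, "hops": hops}
    return {"action": "accept", "src": src, "dst": dst}


def log_line(verdict):
    """Render a verdict as one key=value log line (format is constructed here)."""
    if verdict["action"] == "accept":
        return "action=accept src=%s dst=%s" % (verdict["src"], verdict["dst"])
    return "action=drop reason=ip-option-%s src=%s dst=%s route=%s" % (
        verdict["option"].lower(), verdict["src"], verdict["dst"],
        ",".join(verdict["hops"]))


if __name__ == "__main__":
    lsrr = build_ipv4("192.0.2.10", "203.0.113.5",
                      source_route_option(OPT_LSRR, ["198.51.100.1", "198.51.100.2"]))
    plain = build_ipv4("192.0.2.10", "203.0.113.5")
    print(log_line(inspect(lsrr)))
    print(log_line(inspect(plain)))
```

The check is deliberately header-only: a firewall that complies with the checklist item does not need to understand the payload, it only needs to see an IP options area containing type 131 or 137 and then drop and log. Note that the Record Route option (type 7) shares the same encoding but does not steer the packet, so the example lets it through; a packet capture taken during the traceroute test suggested above will show the option bytes the same way this parser reads them.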