Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
nanashi
New Contributor III

Does FortiGate-80F have protection against spoofing traffic?

Does FortiGate-80F have a protecting function against spoofing traffic such as MAC address spoofing, ARP spoofing, DHCP spoofing, and DNS spoofing?

If so, how can I check the function by commands?

1 Solution
kaman
Staff
Staff

>> Mac Address spoofing/ DHCP spoofing prevention is more related to a layer2 Device. FortiGate is more likely a layer 3 and above device.
You can still use the combination of IP and MAC to prevent spoofing up to some extent on the FGT end. However, it should be done on the Switch end.

We can change the MAC address on FGT interfaces. The Fortinet Fortigate is capable of spoofing MAC addresses. It can send traffic from MAC addresses it learns, and it can respond to traffic using MAC addresses it learns. But this would require Admin access to FGT.
Please refer to the below documents:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPMAC-Binding/ta-p/214328
https://community.fortinet.com/t5/FortiGate/How-to-set-or-change-the-MAC-addresses-associated-with-a...

>> The FortiGate implements a mechanism called RPF (Reverse Path Forwarding), or Anti Spoofing, which prevents an IP packet to be forwarded if its Source IP does not either:

->Belong to a locally attached subnet (local interface), or
->Be in the routing of the FortiGate from another source (static route, RIP, OSPF, BGP)

If those conditions are not met, the FortiGate will silently drop the packet.

Please refer to the below article for more information.
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30543

View solution in original post

4 REPLIES 4
nanashi
New Contributor III

Thank you for the quick reply.

 

These documents are for FortiSwitch.

Do you have any for FortiGate?

kaman
Staff
Staff

>> Mac Address spoofing/ DHCP spoofing prevention is more related to a layer2 Device. FortiGate is more likely a layer 3 and above device.
You can still use the combination of IP and MAC to prevent spoofing up to some extent on the FGT end. However, it should be done on the Switch end.

We can change the MAC address on FGT interfaces. The Fortinet Fortigate is capable of spoofing MAC addresses. It can send traffic from MAC addresses it learns, and it can respond to traffic using MAC addresses it learns. But this would require Admin access to FGT.
Please refer to the below documents:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPMAC-Binding/ta-p/214328
https://community.fortinet.com/t5/FortiGate/How-to-set-or-change-the-MAC-addresses-associated-with-a...

>> The FortiGate implements a mechanism called RPF (Reverse Path Forwarding), or Anti Spoofing, which prevents an IP packet to be forwarded if its Source IP does not either:

->Belong to a locally attached subnet (local interface), or
->Be in the routing of the FortiGate from another source (static route, RIP, OSPF, BGP)

If those conditions are not met, the FortiGate will silently drop the packet.

Please refer to the below article for more information.
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30543

nanashi
New Contributor III

Hi, Kaman,

 

The article regarding RPF is helpful for me.
Thank you very much.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors