Does FortiGate-80F have a protecting function against spoofing traffic such as MAC address spoofing, ARP spoofing, DHCP spoofing, and DNS spoofing?
If so, how can I check the function by commands?
>> MAC address spoofing / DHCP spoofing prevention is more related to a Layer 2 device. FortiGate is more of a Layer 3 and above device.
You can still use the combination of IP and MAC to prevent spoofing to some extent on the FGT end. However, it should be done on the switch end.
We can change the MAC address on FGT interfaces. The Fortinet FortiGate is capable of spoofing MAC addresses. It can send traffic from MAC addresses it learns, and it can respond to traffic using MAC addresses it learns. But this would require admin access to the FGT.
Please refer to the below documents:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPMAC-Binding/ta-p/214328
https://community.fortinet.com/t5/FortiGate/How-to-set-or-change-the-MAC-addresses-associated-with-a...
>> The FortiGate implements a mechanism called RPF (Reverse Path Forwarding), or Anti-Spoofing, which prevents an IP packet from being forwarded if its source IP does not either:
-> belong to a locally attached subnet (local interface), or
-> appear in the routing table of the FortiGate from another source (static route, RIP, OSPF, BGP).
If those conditions are not met, the FortiGate silently drops the packet.
Please refer to the below article for more information.
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30543
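The reverse path check described in the answer above can be modelled in a few lines, which makes the difference between loose mode (a route to the source must exist somewhere) and strict mode (the best route to the source must point back out the ingress interface) concrete. The following is an added illustration written for this page, not code from the thread or from Fortinet; the routing table, interface names (internal, dmz, wan1) and packets are constructed for the example. FortiOS exposes the strict variant as the strict-src-check option under config system settings. The model treats the default route like any other route; how a given vendor's loose mode handles a source that matches only the default route is implementation-specific, so confirm that detail against the RPF article linked above.

```python
import ipaddress

# Constructed routing table for the illustration (not from any real FortiGate):
# (prefix, egress interface). Connected subnets and static/dynamic routes are
# both just entries here, which is all a reverse path check needs.
ROUTING_TABLE = [
    (ipaddress.ip_network("192.168.1.0/24"), "internal"),  # locally attached subnet
    (ipaddress.ip_network("10.10.0.0/16"), "internal"),    # static route behind internal
    (ipaddress.ip_network("10.20.0.0/16"), "dmz"),         # static route behind dmz
    (ipaddress.ip_network("0.0.0.0/0"), "wan1"),           # default route
]

# Same table without the default route, to show the "no route to source" drop.
ROUTING_TABLE_NO_DEFAULT = ROUTING_TABLE[:-1]


def lookup(src_ip, table=ROUTING_TABLE):
    """Longest-prefix match of src_ip against the table.

    Returns (prefix, interface) for the most specific matching route, or None
    when no route covers the address.
    """
    ip = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in table:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def rpf_check(src_ip, ingress_iface, strict=False, table=ROUTING_TABLE):
    """Decide whether a packet with this source IP, arriving on ingress_iface,
    passes the reverse path check.

    Loose mode: accept if any route to the source exists, via any interface.
    Strict mode: additionally require that the best route to the source points
    back out the interface the packet arrived on.
    Returns (accepted, reason).
    """
    match = lookup(src_ip, table)
    if match is None:
        return False, f"no route to source {src_ip}: drop"
    prefix, iface = match
    if strict and iface != ingress_iface:
        return False, (f"best route to {src_ip} is {prefix} via {iface}, "
                       f"but packet arrived on {ingress_iface}: drop")
    return True, f"source {src_ip} matches {prefix} via {iface}: accept"


if __name__ == "__main__":
    # Constructed packets: (source IP, ingress interface, description)
    packets = [
        ("192.168.1.50", "internal", "legitimate LAN host"),
        ("192.168.1.50", "wan1", "LAN address arriving from the Internet side"),
        ("10.20.5.5", "dmz", "DMZ host on its own interface"),
        ("203.0.113.7", "wan1", "Internet source covered only by the default route"),
    ]
    for mode in (False, True):
        print("strict" if mode else "loose", "RPF:")
        for src, iface, desc in packets:
            accepted, reason = rpf_check(src, iface, strict=mode)
            print(f"  {desc}: {reason}")
    # Without a default route, an unknown source is dropped even in loose mode.
    print(rpf_check("203.0.113.7", "wan1", table=ROUTING_TABLE_NO_DEFAULT)[1])
```

The interesting case is the second packet: a LAN source address arriving on wan1 is accepted in loose mode (a route to 192.168.1.0/24 exists, just via internal) and dropped in strict mode. On a real unit a packet discarded by this check shows up in a diagnose debug flow trace with the message "reverse path check fail, drop", which is the command-line evidence the original question asked for.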
Thank you for the quick reply.
These documents are for FortiSwitch.
Do you have any for FortiGate?
Hi, Kaman,
The article regarding RPF is helpful for me.
Thank you very much.
Copyright 2024 Fortinet, Inc. All Rights Reserved.