Support Forum
j0ebeer
New Contributor

Drop IPv6

Hello,

I have Comcast as my ISP and am seeing a large amount of "reverse path check failed, drop" messages. I believe it is because there is a rogue device on the Comcast side that is spewing IPv6 at the WAN interface. I understand it is due to anti-spoofing but was hoping there is a way to just drop it. The exact log message looks like this:

"10 27 2015 07:30:29 10.0.1.1 <LOC7:WARN> date=2015-10-27 time=07:25:01 devname=FortiGate devid=FWF60D logid=0000000006 type=traffic subtype=forward level=warning vd=root srcip=2001:558:4082:38::1 srcname="2001:558:4082:38::1" srcintf="wan1" dstip=ff02::1:ff1a:4566 dstname="ff02::1:ff1a:4566" dstintf=unknown-0 proto=58 action=deny policyid=0 dstcountry="Reserved" srccountry="United States" trandisp=noop service="icmp6/135/0" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 msg="reverse path check failed, drop"

Is there a way to drop this message without logging it? I want to log other invalid IPv4 packets but just not this IPv6 stuff. Any ideas?

TIA, Joe

emnoc
Esteemed Contributor III

A suggestion: can you write a local-in-policy6 for this source or dest { ff02::1:ff1a:4566 } and drop it?

(e.g. assuming you have a group with all of the offenders listed and the host added in)

config firewall address6
    edit badhost1
        # /64 matches the whole prefix the source sits in; use /128 to match only this one host
        set ip6 2001:558:4082:38::1/64
    next
end

config firewall addrgrp6
    edit OFFENDER_GROUP
        set member badhost1
        set comment "my bad guy lists"
        set color 32
    next
end

and

config firewall local-in-policy6
    edit 0
        # set intf is required on a local-in policy; wan1 is the interface named in the log above
        set intf wan1
        set srcaddr OFFENDER_GROUP
        set dstaddr all
        set action deny
        set service ALL
        set schedule always
        set comment "drop these src ipv6 address SOCKPUPPETS"
    next
end


I believe traffic dropped at the local-in-policy6 would override any logging. Test this behavior and see if it meets your goal and requirements.

What is the IPv6 address on your WAN & LAN interfaces? And you do know that's an IPv6 multicast dst_address?

PCNSE 

NSE 

StrongSwan  

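The reply above handles the noise on the FortiGate itself. An alternative, when the box keeps logging, is to filter at the syslog collector. The following is an added example and not code from the thread or from Fortinet: a small Python filter that parses FortiGate key=value traffic records (with or without the syslog prefix shown in the question) and suppresses only RPF drops of ICMPv6 Neighbor Solicitations (proto 58, service icmp6/135) sent to a solicited-node multicast group (ff02::1:ff00:0/104), so that IPv4 RPF drops and other IPv6 denies are still kept. The first sample record is the one from the question; the other two sample lines are constructed here for illustration, as are the function names.

```python
import ipaddress
import re

# Solicited-node multicast prefix (RFC 4291): ff02::1:ffXX:XXXX. An ICMPv6
# Neighbor Solicitation (type 135) is sent there to resolve a target address
# whose low 24 bits are XX:XXXX. The question's dstip ff02::1:ff1a:4566 fits this.
SOLICITED_NODE = ipaddress.ip_network("ff02::1:ff00:0/104")
RPF_MSG = "reverse path check failed, drop"

# key=value pairs; a value is either "quoted" (may contain spaces) or a bare token
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Parse a FortiGate key=value record (any syslog prefix is ignored) into a dict."""
    fields = {}
    for key, val in _KV.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def is_ipv6_ns_rpf_drop(fields):
    """True only for an RPF drop of an ICMPv6 Neighbor Solicitation to a solicited-node group."""
    if fields.get("msg") != RPF_MSG or fields.get("proto") != "58":
        return False
    # FortiGate writes ICMPv6 service as "icmp6/<type>/<code>"; type 135 = Neighbor Solicitation
    parts = fields.get("service", "").split("/")
    if len(parts) != 3 or parts[0] != "icmp6" or parts[1] != "135":
        return False
    try:
        dst = ipaddress.ip_address(fields.get("dstip", ""))
    except ValueError:
        return False
    return dst.version == 6 and dst in SOLICITED_NODE


def solicited_node_suffix(dst):
    """Low 24 bits of a solicited-node address, i.e. the low 24 bits of the address being resolved."""
    return int(ipaddress.IPv6Address(dst)) & 0xFFFFFF


def filter_rpf_noise(lines):
    """Split records into (kept, suppressed); only IPv6 NS RPF drops are suppressed."""
    kept, suppressed = [], []
    for line in lines:
        (suppressed if is_ipv6_ns_rpf_drop(parse_fortigate_log(line)) else kept).append(line)
    return kept, suppressed


# Sample input: the first record is the one from the question; the other two are
# constructed for this example (an IPv4 RPF drop and an IPv6 deny that is not RPF).
SAMPLE_LOGS = [
    '10 27 2015 07:30:29 10.0.1.1 <LOC7:WARN> date=2015-10-27 time=07:25:01 devname=FortiGate '
    'devid=FWF60D logid=0000000006 type=traffic subtype=forward level=warning vd=root '
    'srcip=2001:558:4082:38::1 srcname="2001:558:4082:38::1" srcintf="wan1" '
    'dstip=ff02::1:ff1a:4566 dstname="ff02::1:ff1a:4566" dstintf=unknown-0 proto=58 '
    'action=deny policyid=0 dstcountry="Reserved" srccountry="United States" trandisp=noop '
    'service="icmp6/135/0" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 '
    'msg="reverse path check failed, drop"',
    # constructed: IPv4 RPF drop from a spoofed source on wan1 (must be kept)
    'date=2015-10-27 time=07:26:10 devname=FortiGate devid=FWF60D type=traffic subtype=forward '
    'level=warning vd=root srcip=10.0.1.99 srcintf="wan1" dstip=10.0.1.5 dstintf=unknown-0 '
    'proto=6 action=deny policyid=0 service="tcp/445" msg="reverse path check failed, drop"',
    # constructed: IPv6 deny that is not an RPF failure (must be kept)
    'date=2015-10-27 time=07:27:00 devname=FortiGate devid=FWF60D type=traffic subtype=forward '
    'level=notice vd=root srcip=2001:db8::10 srcintf="wan1" dstip=2001:db8:1::20 '
    'dstintf="internal" proto=6 action=deny policyid=0 service="tcp/22" msg="no session matched"',
]

if __name__ == "__main__":
    kept, suppressed = filter_rpf_noise(SAMPLE_LOGS)
    print(f"suppressed {len(suppressed)} IPv6 NS RPF drop(s), kept {len(kept)} record(s)")
    for line in suppressed:
        f = parse_fortigate_log(line)
        print(f"  {f['srcip']} -> {f['dstip']} (resolving target ending in {solicited_node_suffix(f['dstip']):06x})")
```

Matching on the solicited-node prefix rather than on all of ff02::/16 is deliberate: it hides exactly the neighbor-discovery chatter described in the question while leaving any other link-local multicast drops (router advertisements, MLD, and so on) visible. The suffix printed for each suppressed line is the low 24 bits of the address the remote device was trying to resolve, which is useful when deciding whether the traffic is really a misconfigured neighbor or something worth a closer look.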