New Contributor

Generating Evidence for PCI

Hey folks,

We're using several 40C and 100D Fortiguards running 5.0.9.

Our security auditor has asked that I generate screen shots proving that these firewalls use stateful inspection.

They also want something showing that it uses anti-spoofing, blocking forged IP addresses from entering the network.

I'm trying to find places in the configuration that depict this. I have read-only access.



Sounds like a joke. It's all in the datasheets and documentation. But if you need to demonstrate...


First, statefulness:

Actually the fact is so evident that it's not hard to prove: make a screenshot of the session table. In FortiOS v5.2 use the System > FortiView > All Sessions tab. Statefulness implies the concept of a session.


Anti-spoofing is deeply buried in FortiOS and sometimes the cause of very persistent connection troubles. This is one way to show that it is working, using the CLI (Console widget):

a) set up tracing of the traffic on the internal port on the FGT, prepare to save the screen output

b) provoke unsolicited traffic in your LAN


For a):

diag debug enable
diag deb flow show console enable
diag deb flow filter saddr <IP address of originating host>
diag deb flow filter proto 1        # for ICMP or ping
diag deb flow trace start 10        # record 10 events
... now create some unsolicited traffic from the specified host
diag deb flow trace stop

One example of "fake IP" traffic would be to use a host which has a source IP address unknown within the LAN. Avoid public IPs though. Example would be or (if these are nowhere used on your LAN). Then "ping" from that host. The FGT will discard the traffic because of "reverse path check fail" which is a synonym for anti-spoofing.

Ede Kernel panic: Aiee, killing interrupt handler!
Esteemed Contributor III

or set up a route on a /32 mask and source that in a ping inbound. Traffic would be dropped due to uRPF checks.


fwiw; I never heard of any serious auditors that would ask for this information.






PCNSE NSE StrongSwan
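As an added illustration that is not from either reply above, the reverse path check that both the debug flow trace and the /32-route trick rely on, modelled in Python: a packet is accepted only if the longest-prefix route back to its source address leaves via the interface the packet arrived on (strict mode). The routing table, interface names and addresses below are constructed assumptions, not taken from the thread.

```python
import ipaddress

# Constructed routing table: (prefix, egress interface). Includes the
# /32 host route from the second reply, deliberately pointing at wan1
# while the host's /24 lives on the internal interface.
ROUTES = [
    ("0.0.0.0/0", "wan1"),
    ("192.168.1.0/24", "internal"),
    ("10.10.10.0/24", "internal"),
    ("192.168.1.77/32", "wan1"),
]

def lookup_route(table, addr):
    """Longest-prefix match over the table; returns the egress interface
    for addr, or None when no route (not even a default) covers it."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rpf_check(table, src, ingress):
    """Strict reverse path check: the route back to src must leave via the
    interface the packet came in on, otherwise the packet is dropped.
    The verdict string mirrors the 'reverse path check fail' wording the
    debug flow output shows for anti-spoofing drops."""
    if lookup_route(table, src) == ingress:
        return "pass"
    return "reverse path check fail"

def trace(table, packets):
    """Run a list of (src, ingress) tuples through the check and return
    (src, ingress, verdict) rows, the kind of evidence an auditor would
    see in a saved debug flow screenshot."""
    return [(src, ingress, rpf_check(table, src, ingress)) for src, ingress in packets]

if __name__ == "__main__":
    # Constructed sample packets: a legitimate LAN host, a LAN host using an
    # unknown source, the /32-routed host, and normal inbound WAN traffic.
    for row in trace(ROUTES, [("192.168.1.10", "internal"),
                              ("172.16.5.5", "internal"),
                              ("192.168.1.77", "internal"),
                              ("8.8.8.8", "wan1")]):
        print("%-14s in on %-8s -> %s" % row)
```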
New Contributor

Thanks, everyone.

I agree with your sentiments...

