Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sims
New Contributor III

Created on ‎07-03-2019 01:09 AM

rpf

Hi,

What does it mean by below 

  The rpf is only  carried out  on : the first packet in the session , not on a reply  The next packet in the original direction after a route change , not on a reply    And how to check if there was any spoofing attacks ?     Thanks
2433
0 Kudos
2 REPLIES 2
ede_pfau
SuperUser
SuperUser

Created on ‎07-03-2019 02:01 AM

When there is no session already, the first packet is examined if there is a valid route to the source network. After that has been approved you don't need to re-check reply traffic or further traffic from that source as there must be a valid route. If there is not, the session will not be established and the packet be dropped.

 

Same for route changes when there are sessions going on: first packet is used to do the RPF check, session is dropped or continues.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
1587
0 Kudos
ede_pfau
SuperUser
SuperUser
In response to ede_pfau

Created on ‎07-03-2019 02:02 AM

Spoofing attacks could be found in the logs ("RPF check failed, dropped"). But as they are numerous usually, you don't look for them unless you suspect a false positive (i.e., you want that traffic but it doesn't come through).

 

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
1587
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.