How to disable "Source Routing"? The SANS standard has this as a checklist item.
The official item is "Ensure that loose source routing and strict source routing (lsrsr & ssrr) are blocked and logged by the firewall."
It's my understanding that "Policy Routes" in FortiGate is the same thing as "Source Routing", as that's where you can route network traffic based on the source. This matches the term "source routing" and the definitions for it and LSRSR & SSRR that I look up online.
Can you even disable "Policy Routes"?
Does anyone else comply with SANS and have information on this?
A few things come to mind:
PBR (policy-based routing) is not source routing.
What you need to study is the loose source routing and strict source routing concepts; almost no upstream devices support datagrams with routing details in the IP header. They will drop these and not route the packets. I believe the FortiGate and any NGFW also does this by design; it's called cleanup strict checking.
You can maybe test this behavior with "traceroute -g x.x.x.x a.a.a.a c.c.c.c 1.1.1.1" and run a capture and diag debug flow on your firewall.
And lastly, I have never heard of anybody trying to control this at the firewall; they do it at the edge routers.
Ken Felix
PCNSE
NSE
StrongSwan
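The reply above distinguishes policy-based routing from IP source routing and points out that the SANS item is about datagrams carrying a route in the IP header (the LSRR and SSRR options, RFC 791 types 0x83 and 0x89), which edge devices drop. The following Python is an added example, not code from the thread or from Fortinet: it builds an IPv4 packet with a source-route option the way `traceroute -g` would (Linux traceroute uses LSRR for `-g`), then walks the options area the way a firewall's header check would and returns a drop-with-reason verdict for any LSRR/SSRR or malformed option. All addresses are constructed from the RFC 5737 documentation ranges; the function and constant names are this example's own.

```python
import ipaddress
import struct

# IPv4 option type octets (RFC 791): copied flag | class | number.
IPOPT_EOL = 0x00
IPOPT_NOP = 0x01
IPOPT_RR = 0x07      # record route: carries addresses but does not steer the packet
IPOPT_LSRR = 0x83    # loose source and record route
IPOPT_SSRR = 0x89    # strict source and record route
SOURCE_ROUTE_NAMES = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}


def build_source_route_option(kind, hops):
    """Encode an LSRR/SSRR option: type, length, pointer (4 = first address), hop list."""
    if kind not in SOURCE_ROUTE_NAMES:
        raise ValueError("kind must be LSRR or SSRR")
    route = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([kind, 3 + len(route), 4]) + route


def ipv4_checksum(data):
    """RFC 1071 ones-complement sum over 16-bit words; 0 when run over a header with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src, dst, options=b"", payload=b"", proto=1):
    """Assemble a minimal IPv4 header (TTL 64, protocol 1 = ICMP) with an options area."""
    options += b"\x00" * ((-len(options)) % 4)   # pad to a 32-bit boundary with EOL
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header += options
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4_options(packet):
    """Walk the options area and return [(kind, body)]; raises ValueError on malformed options."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts = packet[20:ihl]
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length %d" % length)
        found.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return found


def decode_source_route(body):
    """Return (pointer, [hops]) from an LSRR/SSRR option body."""
    if len(body) < 1 or (len(body) - 1) % 4:
        raise ValueError("bad source route body")
    hops = [str(ipaddress.IPv4Address(body[j:j + 4])) for j in range(1, len(body), 4)]
    return body[0], hops


def source_route_verdict(packet):
    """Firewall-style decision: ('drop', reason) for any LSRR/SSRR or malformed option, else ('pass', '')."""
    try:
        options = parse_ipv4_options(packet)
    except ValueError as e:
        return "drop", "malformed IPv4 options: %s" % e
    for kind, body in options:
        if kind in SOURCE_ROUTE_NAMES:
            try:
                pointer, hops = decode_source_route(body)
            except ValueError as e:
                return "drop", "%s option unparsable: %s" % (SOURCE_ROUTE_NAMES[kind], e)
            return "drop", "%s via %s (pointer=%d)" % (SOURCE_ROUTE_NAMES[kind], ",".join(hops), pointer)
    return "pass", ""


if __name__ == "__main__":
    # Constructed sample: what a "traceroute -g 10.0.0.1" toward 198.51.100.20 puts in the header.
    lsrr = build_source_route_option(IPOPT_LSRR, ["10.0.0.1", "203.0.113.1"])
    print(source_route_verdict(build_ipv4_packet("192.0.2.10", "198.51.100.20", lsrr)))
    print(source_route_verdict(build_ipv4_packet("192.0.2.10", "198.51.100.20")))
```

The reason string is what you would want in the firewall log for the "blocked and logged" half of the SANS item; malformed options are also dropped rather than passed, since a parser that gives up on a bad length and forwards the packet is exactly what an evasion attempt relies on. Record Route (0x07) is deliberately allowed through, because it records hops but does not steer the packet.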
