With the RPF (reverse path forwarding) function the firewall checks whether a packet comes in on the correct interface, i.e. that its source address is not spoofed.
For example, in a DMZ setup a packet coming in on the dmz interface of the firewall with a source IP from the internal network is spoofed. The firewall should not allow it.
RPF is enabled by default and cannot be disabled, but it can be set to strict. Strict RPF is disabled by default.
If it is set to loose, it does not look for the best-match route; it only checks that a route to the source exists. With strict it checks the Forwarding Information Base (FIB).
If it is set to strict, it looks for the best-match route. For more info see RFC 3704.
Used Version: v4.0,build0521,120313 (MR3 Patch 6)
firewall (root) # show full-configuration system settings
config system settings
set comments ''
set opmode nat
set bfd disable
set utf8-spam-tagging enable
set wccp-cache-engine disable
unset vpn-stats-log
set vpn-stats-period 0
set v4-ecmp-mode usage-based
set asymroute disable
set strict-src-check disable ----------> RPF strict
set asymroute6 disable
set per-ip-bandwidth enable
set sip-helper enable
set sip-nat-trace enable
set status enable
set sip-tcp-port 5060
set sip-udp-port 5060
set sccp-port 2000
set multicast-forward disable
set multicast-ttl-notchange disable
set allow-subnet-overlap disable
set ecmp-max-paths 10
end
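To make the difference between the default (loose) check and `strict-src-check enable` concrete, here is an added example, not code from the original post or from Fortinet, that evaluates both modes against a small constructed FIB. It assumes, as the post describes, that loose mode accepts a source if any route to it goes out the incoming interface, while strict mode requires the best-match (longest-prefix) route to go out the incoming interface; the interface names and prefixes are made up for the example.

```python
import ipaddress

# Constructed FIB for this example (not from the original post): (prefix, egress interface).
# 10.0.5.0/24 is reachable via dmz while the rest of 10.0.0.0/8 sits behind internal,
# the kind of overlapping route where loose and strict RPF give different verdicts.
FIB = [
    ("0.0.0.0/0", "wan1"),
    ("10.0.0.0/8", "internal"),
    ("10.0.5.0/24", "dmz"),
    ("192.168.1.0/24", "dmz"),
]


def matching_routes(src_ip):
    """Return every FIB entry whose prefix covers src_ip, as (network, interface)."""
    ip = ipaddress.ip_address(src_ip)
    return [(ipaddress.ip_network(p), iface) for p, iface in FIB
            if ip in ipaddress.ip_network(p)]


def rpf_allows(src_ip, ingress_iface, strict_src_check):
    """Decide whether a packet with src_ip arriving on ingress_iface passes RPF.

    strict_src_check=False (loose, the default): accept if any route to the source
    goes out the ingress interface, even if it is not the best route.
    strict_src_check=True (strict): accept only if the best-match (longest prefix)
    route to the source goes out the ingress interface.
    """
    routes = matching_routes(src_ip)
    if not routes:
        return False  # no route to the source at all: dropped in both modes
    if strict_src_check:
        _, best_iface = max(routes, key=lambda r: r[0].prefixlen)
        return best_iface == ingress_iface
    return any(iface == ingress_iface for _, iface in routes)


def rpf_report(src_ip, ingress_iface):
    """Show the verdict of both modes side by side for one packet."""
    return {"src": src_ip, "in": ingress_iface,
            "loose": rpf_allows(src_ip, ingress_iface, False),
            "strict": rpf_allows(src_ip, ingress_iface, True)}


if __name__ == "__main__":
    print(rpf_report("10.1.1.1", "dmz"))       # spoofed internal source on dmz: both drop
    print(rpf_report("10.0.5.7", "internal"))  # loose accepts (10/8 via internal), strict drops
    print(rpf_report("203.0.113.5", "wan1"))   # internet source on wan1: both accept
```

The second case is the asymmetric/overlapping-route situation: the same packet is fine under the default check but is dropped as soon as strict-src-check is enabled.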
RPF or anti-spoofing can block traffic if we have asymmetric routing on the firewall. This can be solved, see the article.
RPF and asymmetric routing issue: http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD30543
That's it.
Posted on June 19, 2012