RPF – AKA Antispoofing on Fortigate

Posted on June 19, 2012


With RPF (reverse path forwarding) the firewall checks whether a packet arrives on the interface it would itself use to reach the packet's source address; a packet that does not is treated as spoofed.
For example, in a DMZ network a packet arriving on the dmz interface of the firewall with a source IP from the internal network is spoofed. The firewall should not allow it.
RPF is enabled by default and cannot be disabled, but it can be set to strict. Strict RPF is disabled by default.

In loose mode the firewall only checks that a route to the source address exists; it does not look for the best-matching route. In strict mode it checks the Forwarding Information Base (FIB) for the best-matching route to the source and requires that it point out of the incoming interface.
For more information see RFC 3704.

Used Version: v4.0,build0521,120313 (MR3 Patch 6)

firewall (root) # show full-configuration system settings
config system settings
    set comments ''
    set opmode nat
    set bfd disable
    set utf8-spam-tagging enable
    set wccp-cache-engine disable
    unset vpn-stats-log
    set vpn-stats-period 0
    set v4-ecmp-mode usage-based
    set asymroute disable
    set strict-src-check disable ----------> RPF strict
    set asymroute6 disable
    set per-ip-bandwidth enable
    set sip-helper enable
    set sip-nat-trace enable
    set status enable
    set sip-tcp-port 5060
    set sip-udp-port 5060
    set sccp-port 2000
    set multicast-forward disable
    set multicast-ttl-notchange disable
    set allow-subnet-overlap disable
    set ecmp-max-paths 10
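To make the loose/strict difference concrete, here is an added Python simulation of the two RPF checks against a small FIB (it is example code, not anything from Fortinet; the FIB, interface names and packets are constructed for illustration). A summary route pointing at the DMZ lets loose RPF accept a spoofed internal source arriving on dmz, while strict RPF, which uses the longest-prefix match, drops it.

```python
from ipaddress import ip_address, ip_network

# Constructed FIB for this example (not a real FortiGate table): prefix -> interface.
# The 10.0.0.0/8 summary route via "dmz" and the more specific 10.1.0.0/16 via
# "internal" are what make loose and strict RPF disagree.
FIB = [
    ("0.0.0.0/0", "wan1"),
    ("10.0.0.0/8", "dmz"),
    ("10.1.0.0/16", "internal"),
    ("192.168.100.0/24", "dmz"),
]

def routes_to(src, fib=FIB):
    """All FIB entries that cover src, as (network, interface) pairs."""
    addr = ip_address(src)
    return [(ip_network(p), iface) for p, iface in fib if addr in ip_network(p)]

def best_route(src, fib=FIB):
    """Longest-prefix match: the interface the FIB actually uses to reach src."""
    matches = routes_to(src, fib)
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def rpf_passes(src, in_iface, strict, fib=FIB):
    """Loose: any route to src via in_iface is enough (default route included).
    Strict: the best route to src must point back out of in_iface."""
    if strict:
        return best_route(src, fib) == in_iface
    return any(iface == in_iface for _, iface in routes_to(src, fib))

def rpf_verdict(src, in_iface, fib=FIB):
    """Return (loose, strict) verdicts so both modes can be compared side by side."""
    return (rpf_passes(src, in_iface, False, fib), rpf_passes(src, in_iface, True, fib))

if __name__ == "__main__":
    # Constructed packets: (source IP, ingress interface, description).
    packets = [
        ("10.1.2.3", "internal", "legitimate internal host"),
        ("10.1.2.3", "dmz", "internal source seen on dmz (spoofed)"),
        ("203.0.113.5", "wan1", "Internet host via wan1"),
        ("203.0.113.5", "dmz", "Internet source seen on dmz (spoofed)"),
    ]
    for src, iface, why in packets:
        loose, strict = rpf_verdict(src, iface)
        print(f"{src:>12} on {iface:<8} loose={'pass' if loose else 'DROP'} "
              f"strict={'pass' if strict else 'DROP'}  ({why})")
```

The second packet is the case from the text: the internal source on dmz passes loose RPF only because of the summary route, and strict RPF (strict-src-check enabled) is what actually blocks it.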

RPF (antispoofing) can block legitimate traffic if there is asymmetric routing on the firewall. This can be solved; see the article.
RPF and asymmetric routing issue: http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD30543

that’s it..