FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Sabk_FTNT
Staff
Article Id 193517
Description
By default, the FortiGate silently drops any packet whose source address may be spoofed. This is the RPF (Reverse Path Forwarding) or anti-spoofing mechanism.

Because of this feature, an IP packet is not forwarded unless its source IP either:
- belongs to a locally attached subnet (local interface), or
- is present in the FortiGate routing table from another source (static route, RIP, OSPF, BGP)

Debug flow shows these drops as "reverse path check fail, drop":

id=13 trace_id=27 msg="VD1 received a packet(proto=1, 10.11.130.70:1->10.35.252.4:8) from Int1."
id=13 trace_id=27 msg="allocate a new session-086bf186"
id=13 trace_id=27 msg="reverse path check fail, drop"
id=13 trace_id=27 msg="trace"
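To make the rule above concrete, the following is an added example (not part of the article, and not Fortinet code) that parses a debug-flow excerpt for "reverse path check fail, drop" traces and checks each dropped source against a constructed routing table. The debug lines beyond trace_id 27, the routing table, the interface names Int1/Int2 and the RPF model itself (a route to the source must exist and must point out the interface the packet arrived on) are all assumptions made for this illustration; the article's wording only requires that the source be connected or routed.

```python
import ipaddress
import re

# Constructed debug-flow excerpt, modelled on the format quoted in the article.
# Trace 27 is the article's own line set; traces 28-30 are constructed here.
DEBUG_FLOW = """\
id=13 trace_id=27 msg="VD1 received a packet(proto=1, 10.11.130.70:1->10.35.252.4:8) from Int1."
id=13 trace_id=27 msg="allocate a new session-086bf186"
id=13 trace_id=27 msg="reverse path check fail, drop"
id=13 trace_id=27 msg="trace"
id=13 trace_id=28 msg="VD1 received a packet(proto=6, 192.0.2.15:51234->10.35.252.4:443) from Int1."
id=13 trace_id=28 msg="allocate a new session-086bf187"
id=13 trace_id=28 msg="trace"
id=13 trace_id=29 msg="VD1 received a packet(proto=1, 10.11.130.71:1->10.35.252.4:8) from Int1."
id=13 trace_id=29 msg="allocate a new session-086bf188"
id=13 trace_id=29 msg="reverse path check fail, drop"
id=13 trace_id=30 msg="VD1 received a packet(proto=17, 198.51.100.9:5000->10.35.252.4:53) from Int1."
id=13 trace_id=30 msg="allocate a new session-086bf189"
id=13 trace_id=30 msg="reverse path check fail, drop"
"""

# Constructed routing table: (network, egress interface). The 10.11.130.0/24
# route pointing at Int2 is the hypothetical misconfiguration that explains
# why packets from that subnet arriving on Int1 fail the reverse path check.
ROUTES = [
    (ipaddress.ip_network("10.35.252.0/24"), "Int2"),  # connected subnet on Int2
    (ipaddress.ip_network("10.11.130.0/24"), "Int2"),  # learned route, exits via Int2
    (ipaddress.ip_network("192.0.2.0/24"), "Int1"),    # connected subnet on Int1
]

PACKET_RE = re.compile(
    r'trace_id=(\d+) msg="\S+ received a packet\(proto=(\d+), '
    r'([\d.]+):\d+->([\d.]+):\d+\) from ([^\s."]+)\."'
)
DROP_RE = re.compile(r'trace_id=(\d+) msg="reverse path check fail, drop"')


def parse_rpf_drops(debug_text):
    """Return one dict per trace that ends in an RPF drop.

    The 'received a packet' line carries proto/src/dst/ingress interface and the
    drop verdict appears on a later line with the same trace_id, so the two are
    correlated on trace_id.
    """
    packets = {}
    drops = []
    for line in debug_text.splitlines():
        m = PACKET_RE.search(line)
        if m:
            tid, proto, src, dst, iface = m.groups()
            packets[tid] = {"proto": int(proto), "src": src, "dst": dst, "iface": iface}
            continue
        m = DROP_RE.search(line)
        if m and m.group(1) in packets:
            drops.append({"trace_id": m.group(1), **packets[m.group(1)]})
    return drops


def rpf_check(src, ingress_iface, routes):
    """Model of the anti-spoofing decision (assumption: loose RPF).

    The source passes when some connected or learned route covers it and that
    route exits via the interface the packet arrived on. Returns (passed, reason).
    """
    addr = ipaddress.ip_address(src)
    matches = [(net, iface) for net, iface in routes if addr in net]
    if not matches:
        return False, "no route to source"
    if any(iface == ingress_iface for _, iface in matches):
        return True, "route via ingress interface"
    via = sorted({iface for _, iface in matches})
    return False, "routes to source only via " + ", ".join(via)


def explain_drops(debug_text, routes):
    """Pair every RPF drop in the debug output with the routing reason for it."""
    return [
        (d["src"], d["iface"], rpf_check(d["src"], d["iface"], routes)[1])
        for d in parse_rpf_drops(debug_text)
    ]


if __name__ == "__main__":
    for src, iface, reason in explain_drops(DEBUG_FLOW, ROUTES):
        print(f"source {src} arrived on {iface}: {reason}")
```

Running it lists the two 10.11.130.x sources as routed only via Int2 (a route or interface assignment to correct) and 198.51.100.9 as having no route at all, while trace 28 never appears because it was not dropped. On a real device the input would be the captured `diagnose debug flow` output and the routing table from the FortiGate itself.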

To help troubleshoot and locate incorrect route settings, it is possible to enable logging of dropped ICMP packets.

The CLI commands are:

config log setting
set log-invalid-packet enable
end

With this option enabled, a log message is generated for each "ping" dropped by anti-spoofing.

Note that this option is not limited to anti-spoofing.

When enabled, traffic log entries are generated for:
    - all dropped ICMP packets
    - all dropped invalid IP packets

It is a global parameter, independent of traffic log settings.

This setting is not rate limited: a large volume of invalid packets will generate numerous log messages and can affect device performance.


Related Articles

Technical Note: Details about FortiOS RPF (Reverse Path Forwarding), also called Anti-Spoofing
