- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- block broadcast packets from forwarding?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
block broadcast packets from forwarding?
I just noticed in the firewall logs of my FortiGate 100D (FortiOS 5.0.4) that - I think - it is forwarding broadcast packets from the internal interface out to the Internet.
I have a policy, right before the final deny all default, allowing any address on internal to be accepted for any service to any address on the outgoing interface to the Internet. In principle this is needed because our policy is to allow all internal users to access any service on the Internet.
But I see entries in the logs such as
Src 192.168.1.225, Dst 192.168.255.255, port UDP 57621
(apparently, this is Spotify. Sigh).
.. and also UDP port 17500 (Dropbox).
How do I set up a Policy rule on the FortiGate to block broadcasts from leaving the LAN?
I could make a rule to block any@internal -> 192.168.255.255@WAN ... but the only reason I know there are such broadcast packets (since our internal netmask is NOT 255.255.0.0!) is because I happened to notice these packets in the FortiGate log.
What I want is something more intelligent, such as a single option " Do not forward broadcast packets (unless there is an explicit matching allow rule)" .
Is that possible with FortiGate/FortiOS 5?
thanks,
-Jay
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check out the end of the attached link. The policy remains, but routing is altered to deny the traffic.
http://support.fortinet.com/forum/tm.asp?m=100686&p=1&tmode=1&smode=1
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hm. I see how that would work. But should that be necessary?
Maybe I just never noticed it before, but I have the feeling that other firewalls don' t generally forward broadcast traffic. Why does FortiGate? Or is my feeling wrong?
thanks,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe what you are seeing is a " new" feature of 5.0.x. I noticed that my test box was logging broadcast traffic however it is not actually forwarding it. 5.x has the concept of " Local" logs and " Forwarded" logs. To stop broadcast traffic logging, I used this:
config log setting
set local-in-deny disable
end
The default is enable.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have no clue about other firewalls, but I do know the FGT does, and attached was an easy solution to stop it. I do know that my ISP does block that traffic regardless if I do or not, but why burden them if I don' t have to.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IMHO broadcast forwarding is NOT enabled by default, at least not in 3.x or 4.x. There are 2 commands in the ' conf sys int' section, ' set l2forward' and another one (out of memory, I' m in the holidays right now). One has to enable it to allow Wake-on-LAN for example.
What Jay is seeing is logging only - in 4.x it' s ' extended-log' in the ' conf log filter' section, and in 5.x where chrylab posted. I noticed it got enabled when I upgraded from 4.2 to 4.3, filling up my memory log easily.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ORIGINAL: ede_pfau IMHO broadcast forwarding is NOT enabled by default, at least not in 3.x or 4.x. There are 2 commands in the ' conf sys int' section, ' set l2forward' and another one (out of memory, I' m in the holidays right now). One has to enable it to allow Wake-on-LAN for example.Here I go mixing up posts again... I stand corrected one more time... Vacation in 3 days. Cannot wait!
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I' m not sure I fully understand the last couple of postings.
I can confirm, by sniffing packets on the outside of the FortiGate FG100D (FortiOS 5.0.4) that it really is forwarding these broadcast packets outside of the network.
I do see a ' config system interface' ' edit <ifname>' ' set broadcast-forward disable' option. I' m trying it now on that external interface. Will report back.
thanks,
Jay
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
... also a ' set netbios-forward disable' option.
I think these work as expected. However as we' ve also corrected the incorrectly configured host which had been creating the broadcasts, I no longer have an easy wway to be sure...
thanks for everyone' s help, and I hope these set broadcast-forward disable and set netbios-forward disable commands prove useful for someone else too.
-Jay
Related Posts
- Multicast Flooding Issue with 100+ Apple... 249 Views
- Since adding fortigate into network Unifi... 233 Views
- Directed Broadcast 249 Views
- Bad ISP with Misconfigured DHCP -... 582 Views
- Problem working with VLAN on Fortigate... 1596 Views
Labels
-
FortiGate
6,507 -
FortiClient
1,300 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
262 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
71 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiAuthenticator
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.