ANTI SPOOFING enabled ? FORTIGATE | Fortinet Technical Discussion Forums

Join us now!

Username
Password
Verification
	Stay logged in

Forgot Your Password? Forgot your Username? Haven't received registration validation E-mail?

User Control Panel Log out

Forums
Posts

Latest Posts

Active Posts

Recently Visited

Search Results

View More
Blog

Recent Blog Posts

View More
Photos

Recent Photos

My Favorites

View More Photo Galleries
PMs

Unread PMs

Inbox

Send New PM View More
Page Extras
Menu
- Forum Themes
- Member List
- Online User List
- User Groups

Videos, Docs Library, KB
Fuse
- Fuse Fortinet User Community

Mark Thread UnreadFlat Reading Mode ❐

Helpful ReplyHot!ANTI SPOOFING enabled ? FORTIGATE

Author Post Essentials Only Full Version
angie1996 Bronze Member Total Posts : 23 Scores: 0 Reward points: 0 Joined: 2020/11/24 18:24:16 Status: offline 2021/01/08 08:27:04 (permalink) 0 ANTI SPOOFING enabled ? FORTIGATE Hello,Our security auditor has asked that I generate screen shots proving that these firewalls use stateful inspection. They also want something showing uses anti-spoofing I have a fortigate 500d v.5.6, how do I know that it has ANTI SPOOFING and STATEFUL INSPECTION enabled? Will there be any command to see it? post edited by angie1996 - 2021/01/08 08:33:46 #1 List Solutions Only 7 Replies Related Threads
Toshi Esumi Expert Member Total Posts : 2407 Scores: 235 Reward points: 0 Joined: 2014/11/06 09:56:42 Status: offline Re: ANTI SPOOFING enabled ? FORTIGATE 2021/01/08 08:55:33 (permalink) 0 One of our customer had the same inquiry originated by their security auditor. Unless "asymroute" is enabled, stateful inspection is the base of all FW actions including the reverse path check on the FGTs as in the KB. https://kb.fortinet.com/k....do?externalID=FD30543 #2
emnoc Expert Member Total Posts : 5925 Scores: 396 Reward points: 0 Joined: 2008/03/20 13:30:33 Location: AUSTIN TX AREA Status: offline Re: ANTI SPOOFING enabled ? FORTIGATE 2021/01/08 12:58:30 (permalink) 0 Don't know why they want that but diag sys session list diag sys session stat Ken Felix PCNSE NSE StrongSwan #3
angie1996 Bronze Member Total Posts : 23 Scores: 0 Reward points: 0 Joined: 2020/11/24 18:24:16 Status: offline Re: ANTI SPOOFING enabled ? FORTIGATE 2021/01/08 13:39:13 (permalink) 0 hello, what are those commands for? #4
angie1996 Bronze Member Total Posts : 23 Scores: 0 Reward points: 0 Joined: 2020/11/24 18:24:16 Status: offline Re: ANTI SPOOFING enabled ? FORTIGATE 2021/01/08 13:48:30 (permalink) 0 hello, what are those commands for? #5
ede_pfau Expert Member Total Posts : 6421 Scores: 551 Reward points: 0 Joined: 2004/03/09 01:20:18 Location: Heidelberg, Germany Status: offline Re: ANTI SPOOFING enabled ? FORTIGATE 2021/01/09 04:04:37 (permalink) 0 Stateful firewall have to maintain a table of active sessions - "state" refers to the state of a session, being opened, used, closed. If you show the current session table with the commands supplied by @emnoc, you do in fact prove that this firewall is stateful. Proving that RPF is in place is more difficult. You can show that the FGT has a command to disable this feature, so indirectly show that the feature exists. Other than that, you can only demonstrate it by injecting traffic from an unknown IP source, which will be dropped silently by RPF. Then again, it's all in the data sheet. I have no idea how I could prove that the engine in my car has 6 cylinders but it's in the description of the model (and no, no ignition cables to count as it's a Diesel engine). Ede " Kernel panic: Aiee, killing interrupt handler!" #6
emnoc Expert Member Total Posts : 5925 Scores: 396 Reward points: 0 Joined: 2008/03/20 13:30:33 Location: AUSTIN TX AREA Status: offline Re: ANTI SPOOFING enabled ? FORTIGATE 2021/01/09 06:23:27 (permalink) ☄ Helpfulby ede_pfau 2021/01/09 10:38:34 0 I have no idea how I could prove that the engine in my car has 6 cylinders but it's in the description of the model (and no, no ignition cables to count as it's a Diesel engine). In your case you have diesel fuel line/rail .Just busting your chops :) But ede bought up the point the datasheet and the fact that you do not have asymmetrical routing enabled should be good enough. also to edit, if the auditor becomes pain, you can always make a configuration dump send it into tac and have them confirm 1> it's operating in stateful mode 2> and uRPF anti-spoof is enabled I had to do just that for a PCI auditor for a similar audit where they didn't take the word of 4 local engineers that our firewalls was acting like a firewall, smh. So they accepted the word of the TAC. Ken Felix post edited by emnoc - 2021/01/09 06:26:51 PCNSE NSE StrongSwan #7
Yurisk Gold Member Total Posts : 170 Scores: 32 Reward points: 0 Joined: 2011/12/04 03:30:01 Status: offline Re: ANTI SPOOFING enabled ? FORTIGATE 2021/01/10 00:01:00 (permalink) 5 (1) On CLI/CLI Applet run this command: show full system settings \| grep asym If output looks like this it means Stateful firewall is NOT disabled, i.e. enabled: set asymroute disable set asymroute-icmp disable set asymroute6 disable set asymroute6-icmp disable Yuri https://yurisk.info/ #8

Jump to:

© 2021 APG vNext Commercial Version 5.5