ANTI SPOOFING enabled ? FORTIGATE

Author
angie1996
2021/01/08 08:27:04 (permalink)

ANTI SPOOFING enabled ? FORTIGATE

Hello, our security auditor has asked that I generate screenshots proving that these firewalls use stateful inspection.
They also want something showing it uses anti-spoofing.
 
I have a fortigate 500d v.5.6, how do I know that it has ANTI SPOOFING and STATEFUL INSPECTION enabled? Will there be any command to see it?
 
 
post edited by angie1996 - 2021/01/08 08:33:46
#1
Toshi Esumi
Re: ANTI SPOOFING enabled ? FORTIGATE 2021/01/08 08:55:33 (permalink)
One of our customers had the same inquiry, originating from their security auditor. Unless "asymroute" is enabled, stateful inspection is the base of all FW actions, including the reverse path check on the FGTs, as in the KB.
https://kb.fortinet.com/k....do?externalID=FD30543
#2
emnoc
Re: ANTI SPOOFING enabled ? FORTIGATE 2021/01/08 12:58:30 (permalink)
Don't know why they want that, but:

    diag sys session list
    diag sys session stat
 
Ken Felix
 
 

PCNSE 
NSE 
StrongSwan  
#3
angie1996
Re: ANTI SPOOFING enabled ? FORTIGATE 2021/01/08 13:39:13 (permalink)
Hello, what are those commands for?
#4
ede_pfau
Re: ANTI SPOOFING enabled ? FORTIGATE 2021/01/09 04:04:37 (permalink)
Stateful firewalls have to maintain a table of active sessions - "state" refers to the state of a session: being opened, used, closed. If you show the current session table with the commands supplied by @emnoc, you do in fact prove that this firewall is stateful.
Proving that RPF is in place is more difficult. You can show that the FGT has a command to disable this feature, so indirectly show that the feature exists. Other than that, you can only demonstrate it by injecting traffic from an unknown IP source, which will be dropped silently by RPF.
Then again, it's all in the data sheet. I have no idea how I could *prove* that the engine in my car has 6 cylinders but it's in the description of the model (and no, no ignition cables to count as it's a Diesel engine).

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#6
emnoc
Re: ANTI SPOOFING enabled ? FORTIGATE 2021/01/09 06:23:27 (permalink)

I have no idea how I could *prove* that the engine in my car has 6 cylinders but it's in the description of the model (and no, no ignition cables to count as it's a Diesel engine).

 
In your case you have a diesel fuel line/rail. Just busting your chops :)
 
But ede brought up the point about the datasheet, and the fact that you do not have asymmetrical routing enabled should be good enough.
 
Also, to edit: if the auditor becomes a pain, you can always make a configuration dump, send it to TAC and have them confirm 1) it's operating in stateful mode and 2) uRPF anti-spoof is enabled.
 
I had to do just that for a PCI auditor in a similar audit where they didn't take the word of 4 local engineers that our firewalls were acting like a firewall, smh.
 
So they accepted the word of the TAC.
 
Ken Felix
post edited by emnoc - 2021/01/09 06:26:51

PCNSE 
NSE 
StrongSwan  
#7
Yurisk
Re: ANTI SPOOFING enabled ? FORTIGATE 2021/01/10 00:01:00 (permalink)
On the CLI/CLI Applet run this command:

    show full system settings | grep asym

If the output looks like this it means the stateful firewall is NOT disabled, i.e. it is enabled:

    set asymroute disable
    set asymroute-icmp disable
    set asymroute6 disable
    set asymroute6-icmp disable
 
#8
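The check Yurisk's command leaves you to do by eye, as an added example that is not code from this thread or from Fortinet: a small Python script that walks a FortiGate config backup (or the output of `show full system settings`), tracks which VDOM it is in, and reports per VDOM whether all four asymroute keys are still `disable`, which is the condition under which the reverse path (anti-spoofing) check stays in force. The sample dump is constructed and the function names are my own.

```python
# Added audit helper (not from the thread): any asymroute* key set to enable turns off the reverse-path check.
import re
ASYMROUTE_KEYS = ("asymroute", "asymroute-icmp", "asymroute6", "asymroute6-icmp")
SET_RE = re.compile(r'^set\s+(\S+)\s+(\S+)$')
EDIT_RE = re.compile(r'^edit\s+"?([^"]+?)"?$')

# Constructed sample dump (no real device): VDOM root is clean, dmz has IPv4 asymroute on.
SAMPLE_DUMP = """\
config vdom
edit root
config system settings
    set asymroute disable
    set asymroute-icmp disable
    set asymroute6 disable
    set asymroute6-icmp disable
end
next
edit dmz
config system settings
    set asymroute enable
    set asymroute-icmp disable
    set asymroute6 disable
    set asymroute6-icmp disable
end
next
end
"""

def asymroute_findings(dump):
    """{vdom: {key: value}} for every asymroute key under `config system settings`;
    a single-VDOM dump (no `config vdom` block) is reported under 'root'."""
    stack, vdom, found = [], "root", {}
    for line in (raw.strip() for raw in dump.splitlines()):
        if line.startswith("config "):
            stack.append(line)                      # enter a config block
        elif m := EDIT_RE.match(line):
            if stack[-1:] == ["config vdom"]:       # `edit <name>` directly under config vdom
                vdom = m.group(1)
        elif line == "end" and stack:
            stack.pop()                             # leave the innermost config block
        elif (m := SET_RE.match(line)) and m.group(1) in ASYMROUTE_KEYS and "config system settings" in stack:
            found.setdefault(vdom, {})[m.group(1)] = m.group(2)
    return found

def rpf_enforced(dump):
    """Per VDOM: True only if all four asymroute keys are present and set to disable."""
    return {v: all(kv.get(k) == "disable" for k in ASYMROUTE_KEYS)
            for v, kv in asymroute_findings(dump).items()}
if __name__ == "__main__":
    print(rpf_enforced(SAMPLE_DUMP))  # -> {'root': True, 'dmz': False}
```

A VDOM whose dump is missing any of the four keys is reported as not enforced, so use `show full system settings` (which prints defaults) rather than the abbreviated `show` output.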