Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
user504892
New Contributor

How to disable "Source Routing"? The SANS standard has this as a checklist

The official item is "Ensure that loose source routing and strict source routing (lsrsr & ssrr) are blocked and logged by the firewall."  

  

It's my understanding that "Policy Routes" in FortiGate is the same thing as "Source Routing", as that's where you can route network traffic based on the source. This matches the term "source routing" and the definitions for it and LSRSR & SSRR that I look up online.

Can you even disable "Policy Routes"? 

 

Does anyone else comply with SANS and have information on this?

1 REPLY 1
emnoc
Esteemed Contributor III

A  few things come to mind;

 

PBR ( policy base routing  ) is not source routing 

 

What you need to study is Loose source routing  and strict source routing concepts and almost no upstreams devices support datagrams with routing-details in the ip-header. They will drop this and not route the packets. I believe the fortigate and any NGFW also does this by design it's called cleanup strict checking 

 

You can maybe test this behavior "traceroute -g "x.x.x.x a.a.a.a c.c.c.c". 1.1.1.1 and run a capture and diag debug flow on your firewall 

 

And lastly I never heard of anybody trying to control this at the fw they do it at the edge-routers.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Labels
Top Kudoed Authors