Introduction
Reverse Path Forwarding (RPF) is a critical security feature on FortiGate firewalls, designed to counter IP spoofing attacks by verifying the source of incoming packets. When RPF is enabled, FortiGate ensures that packets enter the firewall from the interface it would use to reach the source IP, effectively blocking illegitimate traffic. This article explores the concept of RPF, its configurations on FortiGate, and best practices to enhance network security.
Why is Reverse Path Forwarding (RPF) Important?
RPF ensures that traffic flowing into your network only comes from valid sources, protecting your infrastructure from malicious actors who might try to mimic legitimate IP addresses. Without RPF, a network is more vulnerable to IP spoofing attacks, which can lead to data breaches, network disruptions, or even complete denial-of-service.
How Reverse Path Forwarding Works on FortiGate
On FortiGate devices, RPF operates by evaluating the incoming packets’ source IP and the interface on which they enter. FortiGate uses its routing table to determine if the packet arrives at the expected interface. If the packet source and interface align with the routing table’s information, the packet is allowed through; otherwise, it is discarded. More information you can find at the link.
Strict vs. Loose RPF Modes
FortiGate offers two primary RPF modes:
- Strict RPF: The packet must enter through the exact interface that the FortiGate would use to route traffic back to the source IP. This mode is ideal for networks where routes are static and clearly defined, offering strong security but potentially impacting traffic where paths are redundant.
- Loose RPF: This mode allows packets as long as the source IP address is reachable via any interface on the FortiGate. Loose RPF provides flexibility, particularly in networks with dynamic routing, where redundancy is a priority, though it is slightly less strict in security.
Choosing the right mode depends on your network’s configuration and security needs.
Benefits of Using RPF on FortiGate
Enabling RPF provides several advantages that improve network security and operational efficiency:
- Mitigates Spoofing Attacks: By filtering out packets with falsified source addresses, RPF protects your network from IP spoofing attacks, which are often used in various forms of cyber-attacks.
- Enhances Network Integrity: Only legitimate traffic reaches your network, improving the quality of network logs and making it easier to analyse traffic patterns.
- Supports DDoS Defence: RPF is particularly useful in Distributed Denial of Service (DDoS) mitigation, where attackers use spoofed addresses to overwhelm network resources.
Configuring RPF on FortiGate
RPF checks for an active route back to the source IP through the incoming interface.
RPF Methods
config system settings
set strict-src-check [ disable | enable]
endset strict-src-check disable– Loose RPF (default)- Checks only for ethe existence of at least one active route back to the source using the incoming interface
set strict-src-check enable– Strict RPF- Checks that the best route back to the source uses the incoming interface
Two ways to disable RPF checking
- Enable asymmetric routing, which disables RPF checking system wide → Not recommended – reduces security!
- Disable RPF checking at the interface level → For firmware 6.2
config system settings
edit <interface>
set src-check [ disable | enable]
endSetting up RPF on FortiGate is straightforward, whether you prefer using the GUI or CLI.
Using the GUI: → For Firmware 6.2
- Log in to the FortiGate GUI.
- Navigate to Network > Interfaces.
- Select the interface where you want to enable RPF.
- In the Reverse Path Forwarding section, choose between Strict or Loose RPF.
- Save the changes and monitor the interface for any dropped packets.
Using the CLI → For Firmware 6.2
config system interface
edit <interface_name>
set rpf-check [strict|loose]
next
end
