Fortinet Document Library

Disable unused protocols on interfaces

You can use the config system interface command to disable unused protocols that attackers may attempt to use to gather information about a FortiGate unit. Many of these protocols are disabled by default. Within config system interface you can view the current setting of each of these options for the selected interface and then disable any that are not required.

config system interface
    edit <interface-name>
        set dhcp-relay-service disable
        set pptp-client disable
        set arpforward disable
        set broadcast-forward disable
        set l2forward disable
        set icmp-redirect disable
        set vlanforward disable
        set stpforward disable
        set ident-accept disable
        set ipmac disable
        set netbios-forward disable
        set security-mode none
        set device-identification disable
        set lldp-transmission disable
end

Option                  Description
dhcp-relay-service      Disable the DHCP relay service.
pptp-client             Disable operating the interface as a PPTP client.
arpforward              Disable ARP forwarding.
broadcast-forward       Disable forwarding broadcast packets.
l2forward               Disable layer 2 forwarding.
icmp-redirect           Disable ICMP redirect.
vlanforward             Disable VLAN forwarding.
stpforward              Disable STP forwarding.
ident-accept            Disable authentication for this interface. The interface will not respond to a connection with an authentication prompt.
ipmac                   Disable IP/MAC binding.
netbios-forward         Disable NETBIOS forwarding.
security-mode           Set to none to disable captive portal authentication. The interface will not respond to a connection with a captive portal.
device-identification   Disable device identification.
lldp-transmission       Disable link layer discovery (LLDP).
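The following is an added example, not Fortinet code and not part of this page: a small audit script that reads the text of a "show full-configuration system interface" dump (a plain "show" omits options that are at their default, so the full form is assumed here), compares each of the options listed above against the hardened value from the config block, and emits a CLI snippet in the same form that would bring every flagged interface into line. The interface names, addresses and option values in SAMPLE are constructed for illustration and do not come from a real device.

```python
import re
from typing import Dict, List, Tuple

# Hardened value for each option, taken from the config block above.
HARDENED = {
    "dhcp-relay-service": "disable",
    "pptp-client": "disable",
    "arpforward": "disable",
    "broadcast-forward": "disable",
    "l2forward": "disable",
    "icmp-redirect": "disable",
    "vlanforward": "disable",
    "stpforward": "disable",
    "ident-accept": "disable",
    "ipmac": "disable",
    "netbios-forward": "disable",
    "security-mode": "none",
    "device-identification": "disable",
    "lldp-transmission": "disable",
}

# Constructed sample dump (hypothetical interfaces and values); it only
# mimics the layout of "show full-configuration system interface".
SAMPLE = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh
        set dhcp-relay-service disable
        set pptp-client disable
        set arpforward enable
        set broadcast-forward disable
        set l2forward disable
        set icmp-redirect enable
        set vlanforward disable
        set stpforward disable
        set ident-accept disable
        set ipmac disable
        set netbios-forward disable
        set security-mode none
        set device-identification enable
        set lldp-transmission disable
    next
    edit "port2"
        set vdom "root"
        set arpforward disable
        set security-mode captive-portal
        set lldp-transmission vdom
    next
end
"""


def parse_interfaces(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the 'config system interface' section into
    {interface: {option: value}}. Nested 'config ... end' blocks inside
    an interface are skipped so their 'set' lines are not mixed in."""
    interfaces: Dict[str, Dict[str, str]] = {}
    current = None
    in_section = False
    depth = 0  # nesting level of sub-blocks inside the current edit
    for raw in text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == "config system interface"
            continue
        if line.startswith("config "):
            depth += 1
            continue
        if line == "end":
            if depth:
                depth -= 1
                continue
            break  # end of the system interface section
        if depth:
            continue
        m = re.match(r'^edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            interfaces[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"^set\s+(\S+)\s+(.*)$", line)
        if m and current is not None:
            interfaces[current][m.group(1)] = m.group(2).strip('"')
    return interfaces


def audit(interfaces: Dict[str, Dict[str, str]],
          report_missing: bool = False) -> List[Tuple[str, str, str]]:
    """Return (interface, option, value) for every listed option whose
    value differs from the hardened one. With report_missing=True an
    option absent from the dump is reported as 'missing', which is the
    safe reading when the dump came from a plain 'show'."""
    findings = []
    for name, opts in sorted(interfaces.items()):
        for opt, want in HARDENED.items():
            have = opts.get(opt)
            if have is None:
                if report_missing:
                    findings.append((name, opt, "missing"))
            elif have != want:
                findings.append((name, opt, have))
    return findings


def remediation(findings: List[Tuple[str, str, str]]) -> str:
    """Build a CLI snippet, in the form used on this page, that sets
    each flagged option to its hardened value."""
    by_iface: Dict[str, List[str]] = {}
    for name, opt, _ in findings:
        by_iface.setdefault(name, []).append(opt)
    lines = ["config system interface"]
    for name in sorted(by_iface):
        lines.append(f'    edit "{name}"')
        for opt in by_iface[name]:
            lines.append(f"        set {opt} {HARDENED[opt]}")
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit(parse_interfaces(SAMPLE))
    for iface, opt, value in found:
        print(f"{iface}: {opt} is {value}, expected {HARDENED[opt]}")
    print(remediation(found))
```

Run it against the saved output of "show full-configuration system interface" instead of SAMPLE to get the list of interfaces that still have one of these protocols enabled; review the generated snippet before applying it, since some of the options (DHCP relay, captive portal, LLDP) may be in deliberate use on a given interface.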
