Administration Guide

Configuring security checks

You can enable various security checks for incoming TCP/UDP packets. The packet is dropped if the system detects the specified condition. Use the appropriate syntax for your FortiSwitch model:

Syntax (for model FS-112D-POE)

config switch security-feature
    set tcp-syn-data {enable | disable}
    set tcp-udp-port-zero {enable | disable}
    set tcp_flag_zero {enable | disable}
    set tcp_flag_FUP {enable | disable}
    set tcp_flag_SF {enable | disable}
    set tcp_flag_SR {enable | disable}
    set tcp_frag_ipv4_icmp {enable | disable}
    set tcp_arp_mac_mismatch {enable | disable}
end

Variable               Description                                                                          Default
tcp-syn-data           TCP SYN packet contains additional data (possible DoS attack).                       disable
tcp-udp-port-zero      TCP or UDP packet has source or destination port set to zero.                        disable
tcp_flag_zero          TCP packet with all flags set to zero.                                               disable
tcp_flag_FUP           TCP packet with FIN, URG, and PSH flags set.                                         disable
tcp_flag_SF            TCP packet with SYN and FIN flags set.                                               disable
tcp_flag_SR            TCP packet with SYN and RST flags set.                                               disable
tcp_frag_ipv4_icmp     Fragmented ICMPv4 packet.                                                            disable
tcp_arp_mac_mismatch   ARP packet whose source MAC address in the layer-2 header does not match the         disable
                       sender MAC address in the ARP payload.

Syntax (for all other FortiSwitch models)

config switch security-feature
    set sip-eq-dip {enable | disable}
    set tcp-flag {enable | disable}
    set tcp-port-eq {enable | disable}
    set tcp-flag-FUP {enable | disable}
    set tcp-flag-SF {enable | disable}
    set v4-first-frag {enable | disable}
    set udp-port-eq {enable | disable}
    set tcp-hdr-partial {enable | disable}
    set macsa-eq-macda {enable | disable}
end

Variable           Description                                                                     Default
sip-eq-dip         TCP packet with source IP equal to destination IP.                              disable
tcp-flag           DoS attack checking for TCP flags.                                              disable
tcp-port-eq        TCP packet with source and destination TCP port equal.                          disable
tcp-flag-FUP       TCP packet with FIN, URG, and PSH flags set, and sequence number equal to zero. disable
tcp-flag-SF        TCP packet with SYN and FIN flags set.                                          disable
v4-first-frag      DoS attack checking for IPv4 first fragment.                                    disable
udp-port-eq        IP packet with source and destination UDP port equal.                           disable
tcp-hdr-partial    TCP packet with partial header.                                                 disable
macsa-eq-macda     Packet with source MAC equal to destination MAC.                                disable
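To make concrete what each condition in the second table matches on the wire, here is an added classifier that is not part of the FortiSwitch guide or firmware: it parses constructed Ethernet/IPv4/TCP/UDP frames and returns the names of the checks (using the "all other models" variable names) that would cause the switch to drop the frame. The tcp-flag check is not modelled because the guide does not define which flag combinations it covers; frame builders, sample MACs and IPs are assumptions for illustration.

```python
import struct

# TCP flag bits (byte 13 of the TCP header)
FIN, SYN, RST, PSH, URG = 0x01, 0x02, 0x04, 0x08, 0x20
IPV4, TCP, UDP = b"\x08\x00", 6, 17

def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, l4, frag=0x4000):
    """Constructed Ethernet/IPv4 frame for testing; checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, frag, 64,
                     proto, 0, src_ip, dst_ip)
    return dst_mac + src_mac + IPV4 + ip + l4

def tcp_hdr(sport, dport, flags, seq=1):
    """Minimal 20-byte TCP header with the given flags and sequence number."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)

def security_checks(frame):
    """Names of the 'all other models' checks this frame would trip."""
    hits = set()
    dst_mac, src_mac, ethertype = frame[:6], frame[6:12], frame[12:14]
    if src_mac == dst_mac:
        hits.add("macsa-eq-macda")
    if ethertype != IPV4:
        return hits
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    frag = struct.unpack("!H", ip[6:8])[0]
    if frag & 0x2000 and (frag & 0x1FFF) == 0:   # MF set, fragment offset 0
        hits.add("v4-first-frag")
    proto, sip, dip, l4 = ip[9], ip[12:16], ip[16:20], ip[ihl:]
    if proto == TCP:
        if sip == dip:
            hits.add("sip-eq-dip")
        if len(l4) < 20:                           # TCP header truncated
            hits.add("tcp-hdr-partial")
            return hits
        sport, dport, seq = struct.unpack("!HHI", l4[:8])
        flags = l4[13]
        if sport == dport:
            hits.add("tcp-port-eq")
        if flags & SYN and flags & FIN:
            hits.add("tcp-flag-SF")
        if (flags & (FIN | URG | PSH)) == (FIN | URG | PSH) and seq == 0:
            hits.add("tcp-flag-FUP")
    elif proto == UDP and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        if sport == dport:
            hits.add("udp-port-eq")
    return hits
```

Running captured frames through this before enabling a check shows which legitimate traffic, if any, would be dropped once the setting is changed to enable.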
