Administration Guide

Unicast reverse-path forwarding (uRPF)

RPF, also called anti-spoofing, prevents an IP packet from being forwarded if its source IP address does not belong to a locally attached subnet (local interface) or is not part of the routing between the FortiSwitch unit and another source (such as a static route, RIP, OSPF, or BGP).

In unicast RPF, the router not only looks up the destination address but also looks up the source address to ensure that a route back to it exists. If no route to the source is found, the packet is dropped because the router assumes it is an error or an attack on the network.

There are two uRPF modes:

  • Strict—The packet must be received on the same interface that the router uses to forward the return packet. In this mode, asymmetric routing paths in the network might cause legitimate traffic to be dropped.
  • Loose—The routing table must include the source IP address of the packet. If you disable the src-check-allow-default option, the packet is dropped when the source IP address is not found in the routing table. If you enable the src-check-allow-default option, a packet whose source IP address is not found in the routing table is still allowed, as long as a default route is present in the routing table.

By default, uRPF is disabled. You must enable it on each interface that you want protected.

config system interface
    edit <interface_name>
        set src-check {disable | loose | strict}
        set src-check-allow-default {enable | disable}    // This option is available only when src-check is set to loose.
    end
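The following is an added example, not code from the FortiSwitch guide: a small Python model of the uRPF decision described above, so you can see how the strict and loose modes and the src-check-allow-default option decide whether a packet is forwarded or dropped. The routing table, interface names and the rule that a bare default-route match does not satisfy strict mode are assumptions of this example.

```python
# Added example (not from the FortiSwitch guide): models the uRPF source check
# for strict / loose mode and the src-check-allow-default option.
import ipaddress

# Constructed routing table: (prefix, egress interface). Longest match wins.
ROUTES = [
    ("0.0.0.0/0", "port1"),        # default route via the uplink
    ("10.1.0.0/16", "port2"),      # internal network learned via routing
    ("192.168.5.0/24", "port3"),   # locally attached subnet
]

DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def lookup(src_ip, routes=ROUTES):
    """Return (network, interface) of the longest-prefix match, or None."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(src_ip, ingress, src_check="disable",
               allow_default="disable", routes=ROUTES):
    """Return True if the packet passes the uRPF check, False if it is dropped."""
    if src_check == "disable":          # uRPF off: no source lookup at all
        return True
    match = lookup(src_ip, routes)
    if match is None:                   # no route back to the source: drop
        return False
    net, iface = match
    if src_check == "strict":
        # Assumption: matching only the default route does not satisfy strict
        # mode; the return path must leave via the ingress interface.
        return net != DEFAULT and iface == ingress
    if src_check == "loose":
        # Any route suffices; a default-route-only match needs allow-default.
        if net == DEFAULT:
            return allow_default == "enable"
        return True
    raise ValueError(f"unknown src-check value: {src_check}")
```

Note that the same internal source arriving on the uplink passes in loose mode but is dropped in strict mode, which is the asymmetric-routing case the text warns about.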
