Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

Configuring security checks

You can enable various security checks for incoming TCP/UDP packets. The packet is dropped if it matches one of the security rules that have been enabled. Use the appropriate syntax for your FortiSwitch model:

Syntax (for FS-108D-POE, FS-112D-POE, and FS-224D-POE)

config switch security-feature

set tcp-syn-data {enable | disable}

set tcp-udp-port-zero {enable | disable}

set tcp_flag_zero {enable | disable}

set tcp_flag_FUP {enable | disable}

set tcp_flag_SF {enable | disable}

set tcp_flag_SR {enable | disable}

set tcp_frag_ipv4_icmp {enable | disable}

set tcp_arp_mac_mismatch {enable | disable}

set allow-mcast-sa {enable | disable}

end

Variable

Description

Default

tcp-syn-data

TCP SYN packet contains additional data (possible DoS attack).

disable

tcp-udp-port-zero

TCP or UDP packet has the source or destination port set to zero.

disable

tcp_flag_zero

TCP packet with all flags set to zero.

disable

tcp_flag_FUP

TCP packet with FIN, URG and PSH flags set.

disable

tcp_flag_SF

TCP packet with SYN and FIN flags set.

disable

tcp_flag_SR

TCP packet with SYN and RST flags set.

disable

tcp_frag_ipv4_icmp

Fragmented ICMPv4 packet.

disable

tcp_arp_mac_mismatch

ARP packet with MAC source address mismatch between the layer- 2 header and the ARP packet payload.

disable

allow-mcast-sa

Ethernet packet whose source MAC address is multicast.

disable

Syntax (for FS-1xxE and FS-1xxF)

config switch security-feature

set tcp-flag-zero {enable | disable}

set tcp-flag-FUP {enable | disable}

set tcp-flag-SF {enable | disable}

set tcp-flag-SR {enable | disable}

set arp-mac-mismatch {enable | disable}

set macsa-eq-macda {enable | disable}

set sip-eq-dip {enable | disable}

set tcp-port-eq {enable | disable}

set udp-port-eq {enable | disable}

set ip-pod {enable | disable}

set icmp-frag {enable | disable}

set tcp-frag-off-min {enable | disable}

set tcp-syn-sp-less-1024 {enable | disable}

set invalid-ipv4-hdr-len {enable | disable}

set gratuitous-arp {enable | disable}

end

Variable

Description

Default

tcp-flag-zero TCP packet with all flags set to zero. disable
tcp-flag-FUP

TCP packet with FIN, URG, and PSH flags set.

disable
tcp-flag-SF

TCP packet with SYN and FIN flags set.

disable
tcp-flag-SR TCP packet with SYN and RST flags set. disable
arp-mac-mismatch ARP packet with MAC source address mismatch between the MAC header and the ARP packet payload. disable
macsa-eq-macda Packet with source MAC address equal to the destination MAC address. disable
sip-eq-dip TCP packet with source IP address equal to the destination IP address. disable
tcp-port-eq TCP packet with the same source and destination TCP port. disable

udp-port-eq

IP packet with the same source and destination UDP port.

disable

ip-pod

The IPv4/IPv6 packet length is larger than 64 kB.

disable

icmp-frag

Fragmented ICMP packet.

disable

tcp-frag-off-min

TCP non-initial fragments carry the TCP header.

disable

tcp-syn-sp-less-1024

TCP SYN packet with a source port less than 1024.

disable

invalid-ipv4-hdr-len

IPv4 packet with a header length greater than the total length.

NOTE: This command is available only on the FS-124F, FS-124F-FPOE, FS-124F-POE, FS-148F, FS-148F-FPOE, and FS-148F-POE models.

disable

gratuitous-arp

Gratuitous ARP packet.

NOTE: This command available only on the FS-108E, FS-108E-FPOE, FS-108E-POE, FS-108F, FS-108F-FPOE, FS-108F-POE, FS-124E, FS-124E-FPOE, FS-124E-POE, FS-148E, and FS-148E-POE models.

disable

Syntax (for all other FortiSwitch models)

config switch security-feature

set sip-eq-dip {enable | disable}

set tcp-flag {enable | disable}

set tcp-port-eq {enable | disable}

set tcp-flag-FUP {enable | disable}

set tcp-flag-SF {enable | disable}

set v4-first-frag {enable | disable}

set udp-port-eq {enable | disable}

set tcp-hdr-partial {enable | disable}

set macsa-eq-macda {enable | disable}

set allow-mcast-sa {enable | disable}

set allow-sa-mac-all-zero {enable | disable}

end

Variable

Description

Default

sip-eq-dip

TCP packet with the same source IP address and destination IP address.

disable

tcp-flag

DoS attack checking for TCP flags.

disable

tcp-port-eq

TCP packet with the same source and destination TCP port.

disable

tcp-flag-FUP

TCP packet with FIN, URG, and PSH flags set, and sequence number is zero.

disable

tcp-flag-SF

TCP packet with SYN and FIN flags set.

disable

v4-first-frag

DoS attack checking for IPv4 first fragment.

disable

udp-port-eq

IP packet with the same source and destination UDP port.

disable

tcp-hdr-partial

TCP packet with partial header.

disable

macsa-eq-macda

Packet with the same source MAC address and destination MAC address.

disable

allow-mcast-sa

Ethernet packet whose source MAC address is multicast.

disable

allow-sa-mac-all-zero

Ethernet packet whose source MAC address is all zeros.

disable

Configuring security checks

You can enable various security checks for incoming TCP/UDP packets. The packet is dropped if it matches one of the security rules that have been enabled. Use the appropriate syntax for your FortiSwitch model:

Syntax (for FS-108D-POE, FS-112D-POE, and FS-224D-POE)

config switch security-feature

set tcp-syn-data {enable | disable}

set tcp-udp-port-zero {enable | disable}

set tcp_flag_zero {enable | disable}

set tcp_flag_FUP {enable | disable}

set tcp_flag_SF {enable | disable}

set tcp_flag_SR {enable | disable}

set tcp_frag_ipv4_icmp {enable | disable}

set tcp_arp_mac_mismatch {enable | disable}

set allow-mcast-sa {enable | disable}

end

Variable

Description

Default

tcp-syn-data

TCP SYN packet contains additional data (possible DoS attack).

disable

tcp-udp-port-zero

TCP or UDP packet has the source or destination port set to zero.

disable

tcp_flag_zero

TCP packet with all flags set to zero.

disable

tcp_flag_FUP

TCP packet with FIN, URG and PSH flags set.

disable

tcp_flag_SF

TCP packet with SYN and FIN flags set.

disable

tcp_flag_SR

TCP packet with SYN and RST flags set.

disable

tcp_frag_ipv4_icmp

Fragmented ICMPv4 packet.

disable

tcp_arp_mac_mismatch

ARP packet with MAC source address mismatch between the layer- 2 header and the ARP packet payload.

disable

allow-mcast-sa

Ethernet packet whose source MAC address is multicast.

disable

Syntax (for FS-1xxE and FS-1xxF)

config switch security-feature

set tcp-flag-zero {enable | disable}

set tcp-flag-FUP {enable | disable}

set tcp-flag-SF {enable | disable}

set tcp-flag-SR {enable | disable}

set arp-mac-mismatch {enable | disable}

set macsa-eq-macda {enable | disable}

set sip-eq-dip {enable | disable}

set tcp-port-eq {enable | disable}

set udp-port-eq {enable | disable}

set ip-pod {enable | disable}

set icmp-frag {enable | disable}

set tcp-frag-off-min {enable | disable}

set tcp-syn-sp-less-1024 {enable | disable}

set invalid-ipv4-hdr-len {enable | disable}

set gratuitous-arp {enable | disable}

end

Variable

Description

Default

tcp-flag-zero TCP packet with all flags set to zero. disable
tcp-flag-FUP

TCP packet with FIN, URG, and PSH flags set.

disable
tcp-flag-SF

TCP packet with SYN and FIN flags set.

disable
tcp-flag-SR TCP packet with SYN and RST flags set. disable
arp-mac-mismatch ARP packet with MAC source address mismatch between the MAC header and the ARP packet payload. disable
macsa-eq-macda Packet with source MAC address equal to the destination MAC address. disable
sip-eq-dip TCP packet with source IP address equal to the destination IP address. disable
tcp-port-eq TCP packet with the same source and destination TCP port. disable

udp-port-eq

IP packet with the same source and destination UDP port.

disable

ip-pod

The IPv4/IPv6 packet length is larger than 64 kB.

disable

icmp-frag

Fragmented ICMP packet.

disable

tcp-frag-off-min

TCP non-initial fragments carry the TCP header.

disable

tcp-syn-sp-less-1024

TCP SYN packet with a source port less than 1024.

disable

invalid-ipv4-hdr-len

IPv4 packet with a header length greater than the total length.

NOTE: This command is available only on the FS-124F, FS-124F-FPOE, FS-124F-POE, FS-148F, FS-148F-FPOE, and FS-148F-POE models.

disable

gratuitous-arp

Gratuitous ARP packet.

NOTE: This command available only on the FS-108E, FS-108E-FPOE, FS-108E-POE, FS-108F, FS-108F-FPOE, FS-108F-POE, FS-124E, FS-124E-FPOE, FS-124E-POE, FS-148E, and FS-148E-POE models.

disable

Syntax (for all other FortiSwitch models)

config switch security-feature

set sip-eq-dip {enable | disable}

set tcp-flag {enable | disable}

set tcp-port-eq {enable | disable}

set tcp-flag-FUP {enable | disable}

set tcp-flag-SF {enable | disable}

set v4-first-frag {enable | disable}

set udp-port-eq {enable | disable}

set tcp-hdr-partial {enable | disable}

set macsa-eq-macda {enable | disable}

set allow-mcast-sa {enable | disable}

set allow-sa-mac-all-zero {enable | disable}

end

Variable

Description

Default

sip-eq-dip

TCP packet with the same source IP address and destination IP address.

disable

tcp-flag

DoS attack checking for TCP flags.

disable

tcp-port-eq

TCP packet with the same source and destination TCP port.

disable

tcp-flag-FUP

TCP packet with FIN, URG, and PSH flags set, and sequence number is zero.

disable

tcp-flag-SF

TCP packet with SYN and FIN flags set.

disable

v4-first-frag

DoS attack checking for IPv4 first fragment.

disable

udp-port-eq

IP packet with the same source and destination UDP port.

disable

tcp-hdr-partial

TCP packet with partial header.

disable

macsa-eq-macda

Packet with the same source MAC address and destination MAC address.

disable

allow-mcast-sa

Ethernet packet whose source MAC address is multicast.

disable

allow-sa-mac-all-zero

Ethernet packet whose source MAC address is all zeros.

disable