Administration Guide

Configuring security checks

You can enable various security checks for incoming TCP/UDP packets. The packet is dropped if it matches one of the security rules that have been enabled. Use the appropriate syntax for your FortiSwitch model:

Syntax (for FS-108D-POE, FS-112D-POE, and FS-224D-POE)

config switch security-feature
    set tcp-syn-data {enable | disable}
    set tcp-udp-port-zero {enable | disable}
    set tcp_flag_zero {enable | disable}
    set tcp_flag_FUP {enable | disable}
    set tcp_flag_SF {enable | disable}
    set tcp_flag_SR {enable | disable}
    set tcp_frag_ipv4_icmp {enable | disable}
    set tcp_arp_mac_mismatch {enable | disable}
    set allow-mcast-sa {enable | disable}
end

Variable                Description                                                                 Default
tcp-syn-data            TCP SYN packet contains additional data (possible DoS attack).              disable
tcp-udp-port-zero       TCP or UDP packet has the source or destination port set to zero.           disable
tcp_flag_zero           TCP packet with all flags set to zero.                                      disable
tcp_flag_FUP            TCP packet with FIN, URG, and PSH flags set.                                disable
tcp_flag_SF             TCP packet with SYN and FIN flags set.                                      disable
tcp_flag_SR             TCP packet with SYN and RST flags set.                                      disable
tcp_frag_ipv4_icmp      Fragmented ICMPv4 packet.                                                   disable
tcp_arp_mac_mismatch    ARP packet with MAC source address mismatch between the layer-2             disable
                        header and the ARP packet payload.
allow-mcast-sa          Ethernet packet whose source MAC address is multicast.                      disable

Syntax (for FS-1xxE and FS-1xxF)

config switch security-feature
    set tcp-flag-zero {enable | disable}
    set tcp-flag-FUP {enable | disable}
    set tcp-flag-SF {enable | disable}
    set tcp-flag-SR {enable | disable}
    set arp-mac-mismatch {enable | disable}
    set macsa-eq-macda {enable | disable}
    set sip-eq-dip {enable | disable}
    set tcp-port-eq {enable | disable}
    set udp-port-eq {enable | disable}
    set ip-pod {enable | disable}
    set icmp-frag {enable | disable}
    set tcp-frag-off-min {enable | disable}
    set tcp-syn-sp-less-1024 {enable | disable}
    set invalid-ipv4-hdr-len {enable | disable}
    set gratuitous-arp {enable | disable}
end

Variable                Description                                                                 Default
tcp-flag-zero           TCP packet with all flags set to zero.                                      disable
tcp-flag-FUP            TCP packet with FIN, URG, and PSH flags set.                                disable
tcp-flag-SF             TCP packet with SYN and FIN flags set.                                      disable
tcp-flag-SR             TCP packet with SYN and RST flags set.                                      disable
arp-mac-mismatch        ARP packet with MAC source address mismatch between the MAC header          disable
                        and the ARP packet payload.
macsa-eq-macda          Packet with source MAC address equal to the destination MAC address.        disable
sip-eq-dip              TCP packet with source IP address equal to the destination IP address.      disable
tcp-port-eq             TCP packet with the same source and destination TCP port.                   disable
udp-port-eq             IP packet with the same source and destination UDP port.                    disable
ip-pod                  The IPv4/IPv6 packet length is larger than 64 kB.                           disable
icmp-frag               Fragmented ICMP packet.                                                     disable
tcp-frag-off-min        TCP non-initial fragments carry the TCP header.                             disable
tcp-syn-sp-less-1024    TCP SYN packet with a source port less than 1024.                           disable
invalid-ipv4-hdr-len    IPv4 packet with a header length greater than the total length.             disable
                        NOTE: This command is available only on the FS-124F, FS-124F-FPOE, FS-124F-POE,
                        FS-148F, FS-148F-FPOE, and FS-148F-POE models.
gratuitous-arp          Gratuitous ARP packet.                                                      disable
                        NOTE: This command is available only on the FS-108E, FS-108E-FPOE, FS-108E-POE,
                        FS-108F, FS-108F-FPOE, FS-108F-POE, FS-124E, FS-124E-FPOE, FS-124E-POE, FS-148E,
                        and FS-148E-POE models.

Syntax (for all other FortiSwitch models)

config switch security-feature
    set sip-eq-dip {enable | disable}
    set tcp-flag {enable | disable}
    set tcp-port-eq {enable | disable}
    set tcp-flag-FUP {enable | disable}
    set tcp-flag-SF {enable | disable}
    set v4-first-frag {enable | disable}
    set udp-port-eq {enable | disable}
    set tcp-hdr-partial {enable | disable}
    set macsa-eq-macda {enable | disable}
    set allow-mcast-sa {enable | disable}
    set allow-sa-mac-all-zero {enable | disable}
end

Variable                Description                                                                 Default
sip-eq-dip              TCP packet with the same source IP address and destination IP address.      disable
tcp-flag                DoS attack checking for TCP flags.                                          disable
tcp-port-eq             TCP packet with the same source and destination TCP port.                   disable
tcp-flag-FUP            TCP packet with FIN, URG, and PSH flags set, and sequence number is zero.   disable
tcp-flag-SF             TCP packet with SYN and FIN flags set.                                      disable
v4-first-frag           DoS attack checking for IPv4 first fragment.                                disable
udp-port-eq             IP packet with the same source and destination UDP port.                    disable
tcp-hdr-partial         TCP packet with partial header.                                             disable
macsa-eq-macda          Packet with the same source MAC address and destination MAC address.        disable
allow-mcast-sa          Ethernet packet whose source MAC address is multicast.                      disable
allow-sa-mac-all-zero   Ethernet packet whose source MAC address is all zeros.                      disable
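The three tables describe the same family of header-level checks with slightly different names. The following Python script is an added example, not part of the Fortinet guide and not the switch's own implementation: it turns each variable into a predicate over parsed Ethernet/ARP/IPv4/TCP/UDP headers so you can see which enabled check a captured frame would trip before you turn that check on in production. The function names (parse_frame, matching_checks, would_drop), the frame builders and the sample frames are constructed here for illustration. Where the guide does not spell out the exact match condition, the interpretation is an assumption marked in a comment (tcp-syn-data as "SYN set with payload", tcp-hdr-partial as "unfragmented TCP packet with fewer than 20 header bytes", ip-pod as "reassembled length over 65535 bytes", gratuitous-arp as "sender IP equals target IP"); tcp-flag, v4-first-frag and tcp-frag-off-min are left out because the guide gives no precise condition for them.

```python
"""Reference model of the FortiSwitch per-packet security checks (added example,
not Fortinet code). Each variable from the tables above becomes a predicate over
parsed Ethernet/ARP/IPv4/TCP/UDP headers; the switch applies these in hardware."""
import struct

ETH_HDR = 14
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_frame(frame: bytes) -> dict:
    """Extract only the header fields the checks need from one raw frame."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR])
    p = {"eth_dst": dst, "eth_src": src, "ethertype": ethertype}
    if ethertype == ETHERTYPE_ARP:
        arp = frame[ETH_HDR:]  # htype(2) ptype(2) hlen(1) plen(1) op(2) sha(6) spa(4) tha(6) tpa(4)
        p["arp_sha"], p["arp_spa"], p["arp_tpa"] = arp[8:14], arp[14:18], arp[24:28]
        return p
    if ethertype != ETHERTYPE_IPV4:
        return p
    ip = frame[ETH_HDR:]
    total_len, _, flags_frag = struct.unpack("!HHH", ip[2:8])
    p.update(ihl=(ip[0] & 0x0F) * 4, total_len=total_len, proto=ip[9],
             more_frag=bool(flags_frag & 0x2000), frag_off=flags_frag & 0x1FFF,
             sip=ip[12:16], dip=ip[16:20])
    if p["frag_off"] != 0:  # non-initial fragment: no L4 header on the wire
        return p
    l4 = ip[p["ihl"]:]
    if p["proto"] in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        p["sport"], p["dport"] = struct.unpack("!HH", l4[:4])
    if p["proto"] == PROTO_TCP and len(l4) >= 20:  # full fixed TCP header present
        p["tcp_flags"] = l4[13] & 0x3F
        p["tcp_payload"] = len(l4) - (l4[12] >> 4) * 4
    return p


def _tcp(p):
    return p.get("proto") == PROTO_TCP and "tcp_flags" in p


def _flags(p, mask):
    return _tcp(p) and (p["tcp_flags"] & mask) == mask


# Variable name from the guide -> match condition (assumed interpretation where noted).
CHECKS = {
    "tcp-syn-data": lambda p: _flags(p, SYN) and p["tcp_payload"] > 0,  # assumed: SYN + payload
    "tcp-udp-port-zero": lambda p: "sport" in p and 0 in (p["sport"], p["dport"]),
    "tcp-flag-zero": lambda p: _tcp(p) and p["tcp_flags"] == 0,
    "tcp-flag-FUP": lambda p: _flags(p, FIN | URG | PSH),  # FS-1xxE/F form; other models also need seq == 0
    "tcp-flag-SF": lambda p: _flags(p, SYN | FIN),
    "tcp-flag-SR": lambda p: _flags(p, SYN | RST),
    "tcp-syn-sp-less-1024": lambda p: _flags(p, SYN) and p["sport"] < 1024,
    "tcp-port-eq": lambda p: _tcp(p) and p["sport"] == p["dport"],
    "udp-port-eq": lambda p: p.get("proto") == PROTO_UDP and "sport" in p and p["sport"] == p["dport"],
    "sip-eq-dip": lambda p: p.get("proto") == PROTO_TCP and p["sip"] == p["dip"],
    "tcp-hdr-partial": lambda p: p.get("proto") == PROTO_TCP and p["frag_off"] == 0 and "tcp_flags" not in p,
    "icmp-frag": lambda p: p.get("proto") == PROTO_ICMP and (p["more_frag"] or p["frag_off"] != 0),
    "ip-pod": lambda p: "ihl" in p and p["frag_off"] * 8 + p["total_len"] - p["ihl"] > 65535,  # assumed
    "invalid-ipv4-hdr-len": lambda p: "ihl" in p and p["ihl"] > p["total_len"],
    "arp-mac-mismatch": lambda p: "arp_sha" in p and p["arp_sha"] != p["eth_src"],
    "gratuitous-arp": lambda p: "arp_spa" in p and p["arp_spa"] == p["arp_tpa"],  # assumed: spa == tpa
    "macsa-eq-macda": lambda p: p["eth_src"] == p["eth_dst"],
    "allow-mcast-sa": lambda p: bool(p["eth_src"][0] & 0x01),  # I/G bit of the source MAC
    "allow-sa-mac-all-zero": lambda p: p["eth_src"] == bytes(6),
}


def matching_checks(frame: bytes) -> list:
    """Names of every security-feature variable whose condition the frame meets."""
    p = parse_frame(frame)
    return [name for name, cond in CHECKS.items() if cond(p)]


def would_drop(frame: bytes, enabled) -> bool:
    """The switch drops a frame that matches any check in the enabled set."""
    return any(name in enabled for name in matching_checks(frame))


# Constructed sample frames (checksums left zero; no check reads them).
MAC_A, MAC_B = bytes.fromhex("0242ac110002"), bytes.fromhex("0242ac110003")
IP_A, IP_B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])


def ipv4_frame(src_mac, dst_mac, proto, sip, dip, l4, flags_frag=0, total_len=None):
    total = 20 + len(l4) if total_len is None else total_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, flags_frag, 64, proto, 0, sip, dip)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4


def tcp_seg(sport, dport, flags, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload


def arp_frame(src_mac, sha, spa, tpa):
    body = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1, sha, spa, bytes(6), tpa)
    return b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP) + body


SAMPLES = {
    "syn+fin flags": ipv4_frame(MAC_A, MAC_B, PROTO_TCP, IP_A, IP_B, tcp_seg(40000, 80, SYN | FIN)),
    "no tcp flags": ipv4_frame(MAC_A, MAC_B, PROTO_TCP, IP_A, IP_B, tcp_seg(40000, 80, 0)),
    "fin+urg+psh flags": ipv4_frame(MAC_A, MAC_B, PROTO_TCP, IP_A, IP_B, tcp_seg(40000, 80, FIN | URG | PSH)),
    "udp same ports": ipv4_frame(MAC_A, MAC_A, PROTO_UDP, IP_A, IP_A, struct.pack("!HHHH", 53, 53, 8, 0)),
    "fragmented icmp": ipv4_frame(MAC_A, MAC_B, PROTO_ICMP, IP_A, IP_B, bytes(8), flags_frag=0x2000),
    "ihl exceeds total": ipv4_frame(MAC_A, MAC_B, PROTO_TCP, IP_A, IP_B, tcp_seg(40000, 80, ACK), total_len=10),
    "arp sender mismatch": arp_frame(MAC_A, MAC_B, IP_B, IP_A),
    "plain syn": ipv4_frame(MAC_A, MAC_B, PROTO_TCP, IP_A, IP_B, tcp_seg(40000, 80, SYN)),
}

if __name__ == "__main__":
    for label, frame in SAMPLES.items():
        print(f"{label:20s} -> {matching_checks(frame) or 'no match'}")
```

Running the script prints which variables each sample frame would trip; the "plain syn" frame trips none, which is the baseline you want for ordinary traffic. would_drop() takes the set of variables you intend to enable, so you can replay frames from a capture of a segment and confirm that legitimate hosts (an appliance that sends SYNs from a port below 1024, for instance) would not be silently dropped before you commit the change on the switch.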
