Fortinet white logo
Fortinet white logo

FortiLink Guide

Configuring IPv4 source guard

Configuring IPv4 source guard

IPv4 source guard protects a network from IPv4 spoofing by only allowing traffic on a port from specific IPv4 addresses. Traffic from other IPv4 addresses is discarded. The discarded addresses are not logged.

IPv4 source guard allows traffic from the following sources:

  • Static entries—IP addresses that have been manually associated with MAC addresses.
  • Dynamic entries—IP addresses that have been learned through DHCP snooping.

By default, IPv4 source guard is disabled. You must enable it on each port that you want protected.

If you add more than 2,048 IP source guard entries from a FortiGate unit, you will get an error. When there is a conflict between static entries and dynamic entries, static entries take precedence over dynamic entries.

IPv4 source guard can be configured in FortiOS only for managed FortiSwitch units that support IP source guard.

Note

Refer to the FortiSwitchOS feature matrix to see which FortiSwitch models support this feature.

Configuring IPv4 source guard consists of the following steps:

  1. Enabling IPv4 source guard
  2. Creating static entries
  3. Checking the IPv4 source-guard entries

Enabling IPv4 source guard

You must enable IPv4 source guard in the FortiOS CLI before you can configure it.

To enable IPv4 source guard:

config switch-controller managed-switch

edit <FortiSwitch_serial_number

config ports

edit <port_name>

set ip-source-guard enable

next

end

end

For example:

config switch-controller managed-switch

edit S424DF4K15000024

config ports

edit port20

set ip-source-guard enable

next

end

end

Creating static entries

After you enable IPv4 source guard in the FortiOS CLI, you can create static entries in the FortiOS CLI by binding IPv4 addresses with MAC addresses. For IPv4 source-guard dynamic entries, you need to configure DHCP snooping. See Configuring DHCP blocking, STP, and loop guard on managed FortiSwitch ports.

To create static entries:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ip-source-guard

edit <port_name>

config binding-entry

edit <id>

set ip <xxx.xxx.xxx.xxx>

set mac <XX:XX:XX:XX:XX:XX>

next

end

next

end

next

end

For example:

config switch-controller managed-switch

edit S424DF4K15000024

config ip-source-guard

edit port4

config binding-entry

edit 1

set ip 172.168.20.1

set mac 00:21:cc:d2:76:72

next

end

next

end

next

end

Checking the IPv4 source-guard entries

After you configure IPv4 source guard , you can check the entries.

Static entries are manually added by the config switch ip-source-guard command. Dynamic entries are added by DHCP snooping.

Use this command in the FortiOS CLI to display all IP source-guard entries:

diagnose switch-controller switch-info ip-source-guard hardware <FortiSwitch_serial_number>

Configuring IPv4 source guard

Configuring IPv4 source guard

IPv4 source guard protects a network from IPv4 spoofing by only allowing traffic on a port from specific IPv4 addresses. Traffic from other IPv4 addresses is discarded. The discarded addresses are not logged.

IPv4 source guard allows traffic from the following sources:

  • Static entries—IP addresses that have been manually associated with MAC addresses.
  • Dynamic entries—IP addresses that have been learned through DHCP snooping.

By default, IPv4 source guard is disabled. You must enable it on each port that you want protected.

If you add more than 2,048 IP source guard entries from a FortiGate unit, you will get an error. When there is a conflict between static entries and dynamic entries, static entries take precedence over dynamic entries.

IPv4 source guard can be configured in FortiOS only for managed FortiSwitch units that support IP source guard.

Note

Refer to the FortiSwitchOS feature matrix to see which FortiSwitch models support this feature.

Configuring IPv4 source guard consists of the following steps:

  1. Enabling IPv4 source guard
  2. Creating static entries
  3. Checking the IPv4 source-guard entries

Enabling IPv4 source guard

You must enable IPv4 source guard in the FortiOS CLI before you can configure it.

To enable IPv4 source guard:

config switch-controller managed-switch

edit <FortiSwitch_serial_number

config ports

edit <port_name>

set ip-source-guard enable

next

end

end

For example:

config switch-controller managed-switch

edit S424DF4K15000024

config ports

edit port20

set ip-source-guard enable

next

end

end

Creating static entries

After you enable IPv4 source guard in the FortiOS CLI, you can create static entries in the FortiOS CLI by binding IPv4 addresses with MAC addresses. For IPv4 source-guard dynamic entries, you need to configure DHCP snooping. See Configuring DHCP blocking, STP, and loop guard on managed FortiSwitch ports.

To create static entries:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ip-source-guard

edit <port_name>

config binding-entry

edit <id>

set ip <xxx.xxx.xxx.xxx>

set mac <XX:XX:XX:XX:XX:XX>

next

end

next

end

next

end

For example:

config switch-controller managed-switch

edit S424DF4K15000024

config ip-source-guard

edit port4

config binding-entry

edit 1

set ip 172.168.20.1

set mac 00:21:cc:d2:76:72

next

end

next

end

next

end

Checking the IPv4 source-guard entries

After you configure IPv4 source guard , you can check the entries.

Static entries are manually added by the config switch ip-source-guard command. Dynamic entries are added by DHCP snooping.

Use this command in the FortiOS CLI to display all IP source-guard entries:

diagnose switch-controller switch-info ip-source-guard hardware <FortiSwitch_serial_number>