UCF STIG Viewer Logo

The FortiGate firewall must be configured to restrict it from accepting outbound packets that contain an illegitimate address in the source address field via an egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).


Overview

Finding ID Version Rule ID IA Controls Severity
V-234157 FNFG-FW-000145 SV-234157r611471_rule Medium
Description
A compromised host in an enclave can be used by a malicious platform to launch cyberattacks on third parties. This is a common practice in "botnets", which are a collection of compromised computers using malware to attack other computers or networks. Denial-of-Service (DoS) attacks frequently leverage IP source address spoofing to send packets to multiple hosts that, in turn, send return traffic to the hosts with the forged IP addresses. This can generate significant amounts of traffic. Therefore, protection measures to counteract IP source address spoofing must be taken. When uRPF is enabled in strict mode, the packet must be received on the interface that the device would use to forward the return packet, thereby mitigating IP source address spoofing.
STIG Date
Fortinet FortiGate Firewall Security Technical Implementation Guide 2022-09-12

Details

Check Text ( C-37342r611469_chk )
The FortiGate has RPF enabled by default, but it can be disabled for IPv4, IPv4 ICMP, IPv6, and IPv6-ICMP with the "set asymroute enable" commands. Log in to the FortiGate CLI with Super-Admin privilege, and then run the command:
# get system settings | grep asymroute

Unless this device is intentionally setup for asymmetric routing, if any of the settings are set to "enable" this is a finding.
Fix Text (F-37307r611470_fix)
This fix can be performed via the CLI of the FortiGate.

1. Open a CLI console via SSH or from the GUI.
2. Run the following commands:
# config system settings
# set asymroute disable
# set asymroute-icmp disable
# set asymroute6 disable
# set asymroute6-icmp disable
# end