An administrator must disable RPF check to investigate an issue. Which method is best suited to disable RPF without affecting features like antivirus and intrusion prevention system?
A.
Enable asymmetric routing, so the RPF check will be bypassed.
B.
Disable the RPF check at the FortiGate interface level for the source check.
C.
Disable the RPF check at the FortiGate interface level for the reply check.
D.
Enable asymmetric routing at the interface level.
"B" is the answer be careful question are very tricky. RPF methods in NSE guide says: Two ways to disable RFP. 1 Enable asymetric routing, which disables RPF checking system wide (but not at interface level is through the CLI command config system settings) 2 Disable RPF checkking at the interface level (the only way at the interface level in the CLI command). A incorrect. If you enable asymetric routing, RPF not will be bypass because is disable. B Correct. You have to disable the RPF check an the interface level, for the source. C Is incorrect is for the source D is incorrect: Asymetric routing is not enable at interface level.
RPF checking can be disabled in tho ways. If you enable asymmetric routing, it will disable RPF checking system wide. However this reduces the security of you network greatly. Features such us ANTIVIRUS, and IPS become non-effective. So, if you need to disable RPF checking, you can do so at the interface level using the command:
config system interface
edit <interface>
set src-check [enable | disable]
end
So the correct answer is B. No more debates.
RPF is a mechanism that protects FortiGate and the network from IP spoofing attacks.
By default, RPF is enabled on all interfaces.
Disable it by enabling asymmetric route on the specific VDOM but if the requirement is only for specific interface.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-disable-Reverse-Path-Forwarding-RPF-per/ta-p/193338
This is not correct, as following 'D' would prevent A/V and IPS from working. https://docs.fortinet.com/document/fortigate/6.0.0/handbook/58863/asymmetric-routing
"D" is the answer, By default, RPF is enabled on all interfaces.
Disable it by enabling asymmetric route on the specific VDOM but if the requirement is only for specific interface.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-disable-Reverse-Path-Forwarding-RPF-per/ta-p/193338
This is not correct, as following 'D' would prevent A/V and IPS from working. https://docs.fortinet.com/document/fortigate/6.0.0/handbook/58863/asymmetric-routing
The article in the link you shared says the answer is B , it tells you that if you want to disable on haul VDOM use symitric route thing "But" if need on interface only use the following command to achieve it
# config system interface
edit <interface>
set src-check disable
end
this command from the link you shared recommened disabling RPF on interface.
Answer is B
This is not correct, as following 'D' would prevent A/V and IPS from working. https://docs.fortinet.com/document/fortigate/6.0.0/handbook/58863/asymmetric-routing
B. Period!
FG Infrast 7.0 SG page 38
You can disable RPF checking in two ways. If you enable asymmetric routing, it disables RPF checking system wide. However this reduces the security of your network. Features, such as antivirus and IPS become noneffective. So, if you need to disable RPF checking, you can do so at the interface level using the commands: set src-check [ enable | disable ] at system interface level.
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
davidone
Highly Voted 4 years agoDjohan23
Highly Voted 3 years, 12 months agoNicolaeEast
Most Recent 2 years, 8 months agoSandroAlex
3 years, 1 month agoJoseVillarroel
3 years, 1 month agoJoalmici
3 years, 2 months agocrashmurphy
2 years, 8 months agoJoalmici
3 years, 2 months agocrashmurphy
2 years, 8 months agoMikeSch
3 years, 3 months agoMrSaintz
3 years, 4 months agojcarlosBO
3 years, 4 months agoEhab99
3 years, 1 month agocrashmurphy
2 years, 8 months agoBIGRAOU
3 years, 4 months agoblabla4
3 years, 4 months agoblabla4
3 years, 4 months agoRman0059
3 years, 4 months agolulipeoliveira
3 years, 7 months agoCunawaro
3 years, 8 months agomouna23
3 years, 10 months agoonaicul
3 years, 10 months ago