Commit 6d82a5

2026-04-03 16:39:55 Peter: d
/dev/null .. fortinet/nse4.md
@@ 0,0 1,73 @@
+ # NSE4
+ Basics for NSE4
+
+ ### Routing
+ #### RPF
+ --- Reverse Path Forwarding ---
+
+ Anti IP Spoofing.
+
+ ✅ Strict RPF (uRPF strict)
+ A packet is allowed only if the best (longest‑match / preferred) route back to the source IP would exit the same interface the packet arrived on.
+
+ Think: “Would I send the reply back out the same interface?”
+ If no → drop.
+
+ ✅ Loose RPF (uRPF loose)
+ A packet is allowed if the firewall/router has any route at all to the source IP (regardless of interface). It’s basically a route existence check.
+
+ Think: “Do I have some route to that source?”
+ If yes → allow.
+
+ ##### RPF Example
+
+ Topology (classic multi-homed/asymmetric routing)
+ ISP-A (WAN1) -----------------
+ | \
+ | (best route to source) \ Internet
+ +---+---+ \
+ | Forti | \
+ | Gate | \
+ +---+---+ \
+ | \
+ ISP-B (WAN2) ------------------------(packet arrives here)
+
+ Routing table on FortiGate (simplified)
+ 203.0.113.0/24 via WAN1 ← best/preferred route
+ default route(s), etc.
+
+ Traffic event
+ A packet arrives on WAN2:
+
+ Src = 203.0.113.5
+ Dst = your public VIP / service
+ Ingress interface = WAN2
+
+ RPF decision
+ Strict RPF:
+
+ Look up route to 203.0.113.5
+ Best route says: send to WAN1
+ But packet came in WAN2
+ Mismatch → DROP
+
+ Loose RPF:
+
+ Look up route to 203.0.113.5
+ A route exists (via WAN1)
+ Loose mode does not care that it arrived on WAN2
+ Route exists → ALLOW
+
+ ### FSSO
+
+ ### Security Profiles
+
+ #### Anti Virus
+
+ #### Web Filter
+
+ #### IPS
+
+ #### Application Control
+
+ ### Certificates
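Review bot: The loose-mode definition in this hunk ("any route at all to the source IP, regardless of interface", and the "Route exists → ALLOW" outcome for the WAN2 arrival) describes Cisco-style uRPF loose, but the page is FortiGate/NSE4 material, where FortiOS loose RPF still requires a route to the source through the incoming interface (any route, not necessarily the best one) and strict RPF requires the best route to the source to be through the incoming interface; the toggle is `strict-src-check` under `config system settings`. Please reconcile the Loose RPF text and the worked example with the FortiOS definition, and consider adding one line noting that the RPF check is applied to the first packet of a session only, so asymmetric return traffic behaves differently from what the topology sketch might suggest. Minor style points: the "--- Reverse Path Forwarding ---" line renders as a horizontal rule in Markdown (prefer a plain sentence or a heading), and the sections after RPF (FSSO, Security Profiles, Certificates) are empty headings that should either carry a placeholder sentence or be added in a later commit.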