Commit f483ea

2026-04-03 16:34:03 Peter: RPF
fortinet.md ..
@@ 2,10 2,63 @@
Knowledge about all things fortinet
# Certifications
- ## Basics / NSE 4
+ ## NSE4 - Basics
What to know for NSE4 - Basics of fortinet
### Routing
+ #### RPF
+ --- Reverse Path Forwarding ---
+
+ ✅ Strict RPF (uRPF strict)
+ A packet is allowed only if the best (longest‑match / preferred) route back to the source IP would exit the same interface the packet arrived on. [rfc-editor.org],
+
+ Think: “Would I send the reply back out the same interface?”
+ If no → drop.
+
+ ✅ Loose RPF (uRPF loose)
+ A packet is allowed if the firewall/router has any route at all to the source IP (regardless of interface). It’s basically a route existence check. [rfc-editor.org]
+
+ Think: “Do I have some route to that source?”
+ If yes → allow.
+
+ #### RPF Example
+
+ Topology (classic multi-homed/asymmetric routing)
+ ISP-A (WAN1) -----------------
+ | \
+ | (best route to source) \ Internet
+ +---+---+ \
+ | Forti | \
+ | Gate | \
+ +---+---+ \
+ | \
+ ISP-B (WAN2) ------------------------(packet arrives here)
+
+ Routing table on FortiGate (simplified)
+ 203.0.113.0/24 via WAN1 ← best/preferred route
+ default route(s), etc.
+
+ Traffic event
+ A packet arrives on WAN2:
+
+ Src = 203.0.113.5
+ Dst = your public VIP / service
+ Ingress interface = WAN2
+
+ RPF decision
+ Strict RPF:
+
+ Look up route to 203.0.113.5
+ Best route says: send to WAN1
+ But packet came in WAN2
+ Mismatch → DROP
+
+ Loose RPF:
+
+ Look up route to 203.0.113.5
+ A route exists (via WAN1)
+ Loose mode does not care that it arrived on WAN2
+ Route exists → ALLOW
### FSSO
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9
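Review bot: the "✅ Loose RPF" definition ("any route at all to the source IP (regardless of interface)") and the example's closing "Loose RPF: ... Route exists → ALLOW" branch describe loose uRPF as defined in RFC 3704 (BCP 84), not FortiGate's loose mode, which is what an NSE4 note should state. On a FortiGate, loose RPF (the default, `strict-src-check disable` under `config system settings`) still requires a route to the source that exits the ingress interface; it only drops the requirement that this be the best route. Strict mode (`set strict-src-check enable`) is the best-route-must-match check the note already describes correctly. With the routing table exactly as written (203.0.113.0/24 via WAN1, nothing else specified for WAN2), a packet from 203.0.113.5 arriving on WAN2 is dropped in both modes; it passes loose mode only if some other route to that source, typically a default route, exits WAN2. Suggest rewording the loose definition to "a route to the source exists via the ingress interface, not necessarily the best one", making the ALLOW branch conditional on a default route out WAN2, and adding that the check is evaluated on the first packet of a session only and is skipped entirely for a VDOM with `asymroute` enabled. Two smaller points: the `[rfc-editor.org]` citations carry no RFC number (RFC 3704 is the document that defines strict and loose modes), and the ASCII topology, routing table and traffic-event blocks should be placed inside a code fence, since unfenced text in fortinet.md will be reflowed into paragraphs and the diagram will lose its alignment.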