NSE4

Basics for NSE4 - FortiOS 7.6 Administrator

Routing

RPF - Reverse Path Forwarding

Anti IP Spoofing.

✅ Strict RPF (uRPF strict): A packet is allowed only if the best (longest‑match / preferred) route back to the source IP would exit the same interface the packet arrived on.

Think: “Would I send the reply back out the same interface?” If no → drop.

✅ Loose RPF (uRPF loose): A packet is allowed if the firewall/router has any route at all to the source IP (regardless of interface). It’s basically a route existence check.

Think: “Do I have some route to that source?” If yes → allow.

RPF Example

Topology (classic multi-homed/asymmetric routing)

       ISP-A (WAN1) -----------------
         |                           \
         | (best route to source)     \  Internet
     +---+---+                         \
     | Forti |                          \
     | Gate  |                           \
     +---+---+                            \
         |                                 \
       ISP-B (WAN2) ------------------------(packet arrives here)

Routing table on FortiGate (simplified):

    203.0.113.0/24 via WAN1   ← best/preferred route
    default route(s), etc.

Traffic event: a packet arrives on WAN2:

    Src = 203.0.113.5
    Dst = your public VIP / service
    Ingress interface = WAN2

RPF decision

Strict RPF:

    Look up route to 203.0.113.5
    Best route says: send to WAN1
    But packet came in WAN2
    Mismatch → DROP

Loose RPF:

    Look up route to 203.0.113.5
    A route exists (via WAN1)
    Loose mode does not care that it arrived on WAN2
    Route exists → ALLOW
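The decision above, modelled as an added Python example (not part of the original notes, and not FortiOS code), following the strict/loose definitions given in these notes. The routing tables, the lowercase interface names and the `best_interfaces` / `rpf_check` helpers are assumptions constructed from the example.

```python
import ipaddress

def best_interfaces(routes, src):
    """Longest-prefix match: egress interfaces of the most specific route(s)
    covering src. Equal-length ties (ECMP) return several interfaces."""
    addr = ipaddress.ip_address(src)
    matches = []
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            matches.append((net.prefixlen, iface))
    if not matches:
        return set()
    longest = max(plen for plen, _ in matches)
    return {iface for plen, iface in matches if plen == longest}

def rpf_check(routes, src, ingress, mode):
    """Return "ALLOW" or "DROP" using the strict/loose rules from the notes."""
    best = best_interfaces(routes, src)
    if mode == "strict":   # reply must leave via the interface the packet arrived on
        return "ALLOW" if ingress in best else "DROP"
    if mode == "loose":    # any route to the source is enough
        return "ALLOW" if best else "DROP"
    raise ValueError(f"unknown RPF mode: {mode}")

# Constructed tables (assumed interface names): the example's specific route,
# with and without a default route.
ROUTES = [("203.0.113.0/24", "wan1"), ("0.0.0.0/0", "wan2")]
ROUTES_NO_DEFAULT = [("203.0.113.0/24", "wan1")]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, rpf_check(ROUTES, "203.0.113.5", "wan2", mode))
    print("loose, no default:",
          rpf_check(ROUTES_NO_DEFAULT, "198.51.100.7", "wan2", "loose"))
```

Under these definitions a default route matches every source, so loose mode only drops a packet when the table has no route at all covering its source address.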

FSSO - Fortinet Single Sign On

FSSO is about mapping an IP address → a user (and groups) so FortiGate can apply identity-based policies without prompting users to log in again.

When a user logs in, FSSO typically collects the username, domain, workstation, IP address, and group membership, and forwards it to FortiGate/FortiManager.

Security Profiles

Anti Virus

Web Filter

IPS

Application Control

Certificates
