Configure DHCP blocking, IGMP snooping, STP, and loop guard on managed FortiSwitch ports
Go to WiFi & Switch Controller> FortiSwitch Ports. Right-click any port and then enable or disable the following features:
- DHCP blocking—The DHCP blocking feature monitors the DHCP traffic from untrusted sources (for example, typically host ports and unknown DHCP servers) that might initiate traffic attacks or other hostile actions. To prevent this, DHCP blocking filters messages on untrusted ports.
- IGMP snooping—IGMP snooping allows the FortiSwitch to passively listen to the Internet Group Management Protocol (IGMP) network traffic between hosts and routers. The switch uses this information to determine which ports are interested in receiving each multicast feed. FortiSwitch can reduce unnecessary multicast traffic on the LAN by pruning multicast traffic from links that do not contain a multicast listener.
- Spanning Tree Protocol (STP)—STP is a link-management protocol that ensures a loop-free layer-2 network topology.
- Loop guard—A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Fortinet loop guard helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any downstream loops. The loop guard feature is designed to work in concert with STP rather than as a replacement for STP.
- STP root guard—Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce the specified network topology.
- STP BPDU guard—Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard is enabled on STP edge ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not forwarded, and the network edge is enforced.
STP is enabled on all ports by default. Loop guard is disabled by default on all ports.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
Nice! Awesome that those features are implemented with FortiLink now, but I wish they would implement DHCPv6 blocking and MLD-snooping as well. Seems a bit silly to implement new features without IPv6 support now in 2018.
Everyone is still slow rolling IPv6. Not enough people understand how it works.
Sure, but without even the basic functionality of first-hop security (like DHCPv6 snooping) it’s not helping with IPv6 deployments. Vendors should take a bigger responsibility when it comes to functionality like that. It also annoys me that FortiGates doesn’t run DHCPv6 client from factory, only IPv4 are enabled by default. Even the average home Asus router runs DHCPv6 client by default now, but enterprise products lags behind.
Also keep in mind that even though you don’t “activate” IPv6 in your network, all your clients requests IPv6 addresses so it is very easy to hijack traffic (even IPv4 traffic!) using DHCPv6 and NAT64+DNS64. The only ways to avoid that is 1) disable IPv6 on all the clients 2) DHCPv6-snooping 3) Isolate all ports within a VLAN from each other.
IPv6 is a huge potential attack vector, but most people think they are safe if they just doesn’t enable it and that worries me.