Disable unused protocols on interfaces
You can use the `config system interface` command to disable unused protocols that attackers may attempt to use to gather information about a FortiGate unit. Many of these protocols are disabled by default. Using the `config system interface` command you can see the current configuration of each of these options for the selected interface and then choose to disable them if required.
```
config system interface
    edit <interface-name>
        set dhcp-relay-service disable
        set pptp-client disable
        set arpforward disable
        set broadcast-forward disable
        set l2forward disable
        set icmp-redirect disable
        set vlanforward disable
        set stpforward disable
        set ident-accept disable
        set ipmac disable
        set netbios-forward disable
        set security-mode none
        set device-identification disable
        set lldp-transmission disable
end
```
| Option | Description |
|---|---|
| `dhcp-relay-service` | Disable the DHCP relay service. |
| `pptp-client` | Disable operating the interface as a PPTP client. |
| `arpforward` | Disable ARP forwarding. |
| `broadcast-forward` | Disable forwarding broadcast packets. |
| `l2forward` | Disable layer 2 forwarding. |
| `icmp-redirect` | Disable ICMP redirect. |
| `vlanforward` | Disable VLAN forwarding. |
| `stpforward` | Disable STP forwarding. |
| `ident-accept` | Disable authentication for this interface. The interface will not respond to a connection with an authentication prompt. |
| `ipmac` | Disable IP/MAC binding. |
| `netbios-forward` | Disable NETBIOS forwarding. |
| `security-mode` | Set to `none`. |
| `device-identification` | Disable device identification. |
| `lldp-transmission` | Disable link layer discovery (LLDP). |
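Checking that every interface actually carries these settings is easier from a saved configuration dump than by walking each interface in the CLI. The following Python script is an added example, not Fortinet's code and not part of this guide: it parses the `config system interface` section of a `show full-configuration` dump, reports every option in the table above that is not at its hardened value, and prints the CLI block needed to correct it. The dump embedded in the script is constructed for illustration; the interface names `port1` and `port2` and the values set on them are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Hardened values for the per-interface options covered by the guide,
# keyed by FortiOS CLI option name.
EXPECTED: Dict[str, str] = {
    "dhcp-relay-service": "disable", "pptp-client": "disable",
    "arpforward": "disable", "broadcast-forward": "disable",
    "l2forward": "disable", "icmp-redirect": "disable",
    "vlanforward": "disable", "stpforward": "disable",
    "ident-accept": "disable", "ipmac": "disable",
    "netbios-forward": "disable", "security-mode": "none",
    "device-identification": "disable", "lldp-transmission": "disable",
}

# Constructed sample in the layout of a 'show full-configuration' dump.
# port1 has three options still enabled and one not shown at all;
# port2 shows none of them. Names and values are assumptions.
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-lab"
end
config system interface
    edit "port1"
        set vdom "root"
        set dhcp-relay-service disable
        set pptp-client disable
        set arpforward enable
        set broadcast-forward disable
        set l2forward disable
        set icmp-redirect disable
        set vlanforward disable
        set stpforward disable
        set ident-accept enable
        set ipmac disable
        set netbios-forward disable
        set security-mode captive-portal
        set device-identification disable
        config ipv6
            set ip6-mode static
        end
    next
    edit "port2"
        set vdom "root"
    next
end
"""

_EDIT_RE = re.compile(r'^edit\s+"?([^"\s]+)"?$')
_SET_RE = re.compile(r'^set\s+(\S+)\s+(.*?)$')


def parse_interfaces(config_text: str) -> Dict[str, Dict[str, str]]:
    """Extract {interface: {option: value}} from 'config system interface'.
    Nested sub-tables (e.g. 'config ipv6') are skipped so their 'set' lines
    are not mistaken for interface-level options."""
    interfaces: Dict[str, Dict[str, str]] = {}
    in_section, current, depth = False, None, 0
    for line in config_text.splitlines():
        s = line.strip()
        if not in_section:
            in_section = s == "config system interface"
            continue
        if current is not None and s.startswith("config "):
            depth += 1                  # entering a nested sub-table
        elif s == "end":
            if depth == 0:
                break                   # end of 'config system interface'
            depth -= 1
        elif depth:
            continue                    # ignore lines inside sub-tables
        elif (m := _EDIT_RE.match(s)) and current is None:
            current = m.group(1)
            interfaces[current] = {}
        elif s == "next":
            current = None
        elif (m := _SET_RE.match(s)) and current is not None:
            interfaces[current][m.group(1)] = m.group(2).strip('"')
    return interfaces


def audit(interfaces, expected=EXPECTED) -> List[Tuple[str, str, str]]:
    """Return (interface, option, observed) for every option not at its
    hardened value. 'absent' means the dump did not show the option: plain
    'show' omits defaults, so audit a 'show full-configuration' dump."""
    return [(name, settings.get(opt, "absent")) and (name, opt, settings.get(opt, "absent"))
            for name, settings in interfaces.items()
            for opt, want in expected.items()
            if settings.get(opt, "absent") != want]


def remediation_cli(findings, expected=EXPECTED) -> str:
    """Render the guide's CLI block, limited to the options that deviated."""
    per_iface: Dict[str, List[str]] = {}
    for name, opt, _ in findings:
        per_iface.setdefault(name, []).append(opt)
    lines = ["config system interface"]
    for name, opts in per_iface.items():
        lines.append(f'    edit "{name}"')
        lines += [f"        set {opt} {expected[opt]}" for opt in opts]
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit(parse_interfaces(SAMPLE_CONFIG))
    for name, opt, observed in found:
        print(f"{name}: {opt} is {observed}, expected {EXPECTED[opt]}")
    print(remediation_cli(found))
```

Because `show` prints only non-default values, an option that is absent from a plain `show` dump cannot be assumed disabled; the script reports it as `absent` so the operator can confirm it with `show full-configuration` or by applying the generated block, which is idempotent.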