Ensure 'ip verify' is set to 'reverse-path' for untrusted interfaces

Information

Enables the unicast Reverse-Path Forwarding (uRPF) on untrusted interfaces.

Rationale:

The unicast Reverse-Path Forwarding (uRPF) check, when enabled on an interface, makes the security appliance look up the source IP address of every packet received on that interface in its routing table and confirm that the route back to that source address points out the same interface the packet arrived on. If it does not, the packet is dropped. uRPF should be enabled by default on untrusted interfaces in order to prevent attackers from spoofing internal IP addresses. On the other, internal interfaces, uRPF should be enabled only where there is no asymmetric routing, that is, where the path used to send a packet back to the source IP address is never different from the path on which the packet was received.
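The check described above, reduced to its decision logic, as an added example that is not part of the original audit item: a constructed routing table is consulted with a longest-prefix match for the packet's source address, and the packet passes only if the interface that route points out is the one the packet arrived on. The interface names, prefixes and sample packets are all constructed for the example.

```python
import ipaddress

# Constructed routing table: (destination prefix, egress interface).
# The longest matching prefix wins, as in a real forwarding lookup.
ROUTES = [
    ("0.0.0.0/0", "outside"),       # default route toward the Internet
    ("10.0.0.0/8", "inside"),       # internal address space
    ("192.168.100.0/24", "dmz"),    # DMZ segment
]


def lookup_egress(dst_ip, routes=ROUTES):
    """Return the interface a packet destined to dst_ip would leave through
    (longest-prefix match), or None when no route covers the address."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_verdict(src_ip, ingress_iface, routes=ROUTES):
    """Strict uRPF as the rationale describes it: accept the packet only if the
    route back to its source address points out the interface it arrived on."""
    return_iface = lookup_egress(src_ip, routes)
    if return_iface is None:
        return "drop"           # no route back to the source at all
    return "pass" if return_iface == ingress_iface else "drop"


# Constructed sample packets: (source IP, ingress interface, note)
SAMPLE_PACKETS = [
    ("203.0.113.10", "outside", "legitimate Internet source"),
    ("10.1.2.3", "outside", "internal source address arriving from the Internet (spoofed)"),
    ("10.1.2.3", "inside", "legitimate internal host"),
    ("192.168.100.5", "inside", "DMZ address seen on inside: asymmetric path or spoof"),
]


def evaluate_packets(packets=SAMPLE_PACKETS, routes=ROUTES):
    """Apply the uRPF verdict to each sample packet."""
    return [(src, iface, urpf_verdict(src, iface, routes)) for src, iface, _ in packets]


if __name__ == "__main__":
    for src, iface, note in SAMPLE_PACKETS:
        print(f"{src:16} on {iface:8} -> {urpf_verdict(src, iface)}  ({note})")
```

The last sample packet illustrates the caveat about internal interfaces: a DMZ address arriving on the inside interface is dropped by strict uRPF even if a legitimate asymmetric path exists, so the feature should only be enabled on interfaces where return traffic is known to be symmetric.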

Solution

uRPF can be configured through Firepower Management Center:
Step 1 - Select Devices > Device Management and click the edit icon for your FTD device. The Interfaces tab is selected by default.

Step 2 - Click the edit icon for the interface you want to edit.

Step 3 - Click the Advanced tab, and then click the Security Configuration tab.

Step 4 - To enable Unicast Reverse Path Forwarding, check the Anti-Spoofing check box.
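A way to verify the resulting configuration from the CLI side rather than the GUI, as an added example that is not part of the original audit item: the script scans a constructed running-config excerpt for interfaces declared with nameif and reports any untrusted interface that lacks an ip verify reverse-path interface statement (the statement form the item's title refers to). The interface names, addresses and the set of interfaces treated as untrusted are assumptions made for the example; on a real device, which interfaces count as untrusted is a policy decision.

```python
import re

# Constructed running-config excerpt in ASA/FTD syntax (not taken from any real device).
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
ip verify reverse-path interface inside
"""

# Interfaces the policy treats as untrusted (assumption for the example).
UNTRUSTED = {"outside"}


def named_interfaces(config):
    """Return the nameif names declared in the config, in order of appearance."""
    return re.findall(r"^\s*nameif\s+(\S+)", config, re.MULTILINE)


def urpf_enabled_interfaces(config):
    """Return the set of interfaces that have uRPF enabled."""
    return set(re.findall(r"^\s*ip verify reverse-path interface\s+(\S+)", config, re.MULTILINE))


def audit_urpf(config, untrusted=UNTRUSTED):
    """Map each named interface to an audit status:
    'ok'     - uRPF is enabled
    'FAIL'   - interface is untrusted and uRPF is missing (the finding this item checks)
    'review' - internal interface without uRPF; acceptable only if routing is symmetric"""
    enabled = urpf_enabled_interfaces(config)
    result = {}
    for iface in named_interfaces(config):
        if iface in enabled:
            result[iface] = "ok"
        elif iface in untrusted:
            result[iface] = "FAIL"
        else:
            result[iface] = "review"
    return result


def failing_interfaces(config, untrusted=UNTRUSTED):
    """Convenience wrapper: only the interfaces that fail the check."""
    return sorted(i for i, s in audit_urpf(config, untrusted).items() if s == "FAIL")


if __name__ == "__main__":
    for iface, status in audit_urpf(SAMPLE_CONFIG).items():
        print(f"{iface:10} {status}")
```

In the sample configuration only the inside interface has uRPF enabled, so the untrusted outside interface is reported as a failure and the dmz interface is flagged for review, mirroring the distinction the rationale draws between untrusted and internal interfaces.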

See Also

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/hardening/ftd/FTD_Hardening_Guide_v64.html

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5

Plugin: Cisco_Firepower

Control ID: 04ca2c3e7517d9fd5d8351f5b78b59518cd3bbd79c1acca74791b62caf18ac35