In which two ways can RPF checking be disabled? (Choose two.)
In which two ways can RPF checking be disabled? (Choose two.)
To disable RPF checking, you can either disable the RPF check at the FortiGate interface level for the source check or enable asymmetric routing. Disabling RPF checks at the interface level specifically involves configuring the interface to not perform source checks, which directly disables RPF for that interface. Enabling asymmetric routing globally disables RPF checking across the FortiGate system, though it may reduce network security.
explanation in comment
I think it's BD because disabling/enabling strict src check only change rpf mode to loose or strict not really disable rpf check.
"You can disable RPF checking in two ways. If you enable asymmetric routing, it disables RPF checking system wide. However this reduces the security of your network. Features, such as antivirus and IPS become noneffective. So, if you need to disable RPF checking, you can do so at the interface level using the commands shown on this slide (set asymroute enable & set src-check disable @ interface)
B & D are correct. Ref Fortigate Security 7.0 - P216
FortiGate_Infrastructure_7.0_Study_Guide-Online – page 39 enable asymmetric routing and disable checking at the interface level ...reduces security of your network
B, C are correct
C - D Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD33955
B is correct, because to disable RPF at interface level you use: config system interface edit <interface> set src-check disable end In other words, one thing is strict-src-check at system level and there is src-check at interfase level.
B and D correct: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-disable-Reverse-Path-Forwarding-RPF-per/ta-p/193338 disable strict-src-check change the RPF mode to feasible path, but does not disable RPF
C and D asymetric routing enable" - trict-src-check disable" + adding a supernet route as "feasible patch"
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-disable-Reverse-Path-Forwarding-RPF-per/ta-p/193338
B and D about D. https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-disable-Reverse-Path-Forwarding-RPF-per/ta-p/193338 and between B and C take a look here : https://community.fortinet.com/t5/FortiGate/Technical-Note-Reverse-Path-Forwarding-RPF-implementation-and/ta-p/194382 C is not enough as you have to add a supernet route as "feasible patch" or + adding the same route as the best matching one (same subnet, same prefix, same distance) but having a higher priority value than the best match one. This will force the route to be injected in the routing table as a second choice.