Chapter 1 What’s New for FortiOS 5.0 : Other new features : Generalized TTL Security Mechanism (GTSM) support
  
Generalized TTL Security Mechanism (GTSM) support
Generalized TTL Security Mechanism (GTSM), defined in RFC 5082, prevents attacks based on forged protocol packets sent from outside the network.
In IP packets, the TTL (time-to-live) value sets the maximum number of routers the packet can pass through to reach its destination. Each router decrements the TTL value and the packet is discarded if TTL reaches zero before the packet reaches its destination. In IPv6, TTL is called Hop Limit.
Most protocol-related packets pass between adjacent routers, so the TTL value seen at the destination falls within a predictable range. TTL is difficult to spoof, especially the value of 255, which arrives only if the sender is directly connected to the destination router, since no intermediate router has decremented it.
On the FortiGate firewall, you can define TTL policies that specify the acceptable TTL range for a particular packet source, destination and service. You do this using the new config firewall ttl-policy command.
Use the following command to add a TTL policy that sets the acceptable TTL range to 20 through 30:
config firewall ttl-policy
    edit 0
        set srcintf port1
        set srcaddr example_net
        set service ALL
        set schedule always
        set ttl 20-30
    next
end
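The check the policy above performs, modelled as an added Python example that is not FortiOS code: it matches packets against source interface, source address and service selectors, then accepts or drops on the TTL range, and derives a GTSM-style range from the number of decrementing routers. The address object example_net is assumed to be 192.0.2.0/24, the second policy and the sample packets are constructed, and the result when no policy matches is a modelling choice, not FortiGate behaviour.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class TtlPolicy:
    srcintf: str
    srcaddr: str   # CIDR standing in for a FortiGate address object (example_net)
    service: str   # "ALL" or a service name such as "BGP"
    ttl_min: int
    ttl_max: int

@dataclass(frozen=True)
class Packet:
    intf: str
    src: str
    service: str
    ttl: int       # IPv4 TTL, or Hop Limit for IPv6

def expected_ttl_range(intermediate_routers: int) -> tuple[int, int]:
    """TTL range a sender that starts at 255 can arrive with after crossing
    the given number of decrementing routers: exactly 255 when directly connected."""
    if not 0 <= intermediate_routers < 255:
        raise ValueError("intermediate_routers must be 0..254")
    return 255 - intermediate_routers, 255

def policy_matches(policy: TtlPolicy, pkt: Packet) -> bool:
    """Source interface, source address and service selectors of one policy."""
    return (pkt.intf == policy.srcintf
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(policy.srcaddr)
            and policy.service in ("ALL", pkt.service))

def ttl_check(policies: list[TtlPolicy], pkt: Packet) -> str:
    """First matching policy decides: 'accept' if the TTL is inside its range,
    'drop' otherwise. 'no-policy' means no selector matched (modelling choice)."""
    for pol in policies:
        if policy_matches(pol, pkt):
            return "accept" if pol.ttl_min <= pkt.ttl <= pol.ttl_max else "drop"
    return "no-policy"

# Constructed sample: the page's policy (example_net assumed to be 192.0.2.0/24)
# plus a GTSM-style policy for a directly connected BGP peer on port2 (assumed).
POLICIES = [
    TtlPolicy("port1", "192.0.2.0/24", "ALL", 20, 30),
    TtlPolicy("port2", "198.51.100.0/24", "BGP", *expected_ttl_range(0)),
]
```

A packet from the port2 peer that arrives with TTL 253 has crossed two routers, so the second policy drops it even though the source address is correct.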