Technical Tip: Block ICMP request originated from the firewall
| Description | This article describes the case where ICMP requests originating from the FortiGate itself must be blocked towards specific destinations or geolocations. A FortiGate administrator can do this with an interface-policy combined with a custom IPS signature. This article describes how to configure FortiGate to block ICMP requests towards 8.8.8.8. |
| Scope | All FortiGate versions. |
| Solution |

Create a custom IPS signature that matches ICMP sent from the client side. The attack_id (1234 here) is the identifier the IPS sensor references in the next step:

```
config ips custom
    edit "ICMP-Block-custom"
        set signature "F-SBID( --attack_id 1234; --name ICMP-Block-custom; --protocol ICMP; --flow from_client; )"
        set action block
        set comment ''
    next
end
```

Create an IPS sensor whose entry uses that custom signature (set rule 1234) with action block and packet logging enabled:

```
config ips sensor
    edit "Block-ICMP-Out"
        config entries
            edit 1
                set rule 1234
                set status enable
                set log-packet enable
                set action block
            next
        end
    next
end
```

Create an address object for the destination to be blocked:

```
config firewall address
    edit "8.8.8.8"
        set subnet 8.8.8.8 255.255.255.255
    next
end
```

Apply an interface-policy on the outgoing interface (OutSide in this example) that matches ICMP to that destination and invokes the IPS sensor:

```
config firewall interface-policy
    edit 1
        set interface "OutSide"
        set srcaddr "all"
        set dstaddr "8.8.8.8"
        set service "ALL_ICMP"
        set ips-sensor-status enable
        set ips-sensor "Block-ICMP-Out"
    next
end
```
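The four blocks only work together when their cross-references line up: the sensor's `set rule` must equal the custom signature's `--attack_id`, the interface-policy must name that sensor with `ips-sensor-status enable`, and its `dstaddr` must be a defined address object. The following Python script is an added consistency check, not part of this article or of FortiOS; it parses a configuration dump (a sample constructed from the blocks above) and reports any of those links that are broken.

```python
import re

# Constructed sample: the article's four CLI blocks, one block per line as the page shows them.
SAMPLE_CONFIG = """\
config ips custom edit "ICMP-Block-custom" set signature "F-SBID( --attack_id 1234; --name ICMP-Block-custom; --protocol ICMP; --flow from_client; )" set action block next end
config ips sensor edit "Block-ICMP-Out" config entries edit 1 set rule 1234 set status enable set log-packet enable set action block next end next end
config firewall address edit "8.8.8.8" set subnet 8.8.8.8 255.255.255.255 next end
config firewall interface-policy edit 1 set interface "OutSide" set srcaddr "all" set dstaddr "8.8.8.8" set service "ALL_ICMP" set ips-sensor-status enable set ips-sensor "Block-ICMP-Out" next end
"""


def top_level_blocks(text):
    """Map each top-level 'config <table>' to its body (nested config blocks stay inside)."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'^config (\S+ \S+)(.*?)(?=^config |\Z)', text, re.S | re.M)}


def check_icmp_block(text):
    """Return the inconsistencies that would leave the interface-policy without a working block."""
    blocks = top_level_blocks(text)
    problems = []
    # attack_id values declared by custom signatures
    attack_ids = set(re.findall(r'--attack_id (\d+)', blocks.get('ips custom', '')))
    # per-sensor set of 'set rule N' values
    sensors = {name: set(re.findall(r'set rule (\d+)', body))
               for name, body in re.findall(r'edit "([^"]+)"(.*?)(?=edit "|\Z)',
                                            blocks.get('ips sensor', ''), re.S)}
    addresses = set(re.findall(r'edit "([^"]+)"', blocks.get('firewall address', '')))
    for pid, body in re.findall(r'edit (\d+)(.*?)(?=edit \d|\Z)',
                                blocks.get('firewall interface-policy', ''), re.S):
        sensor = re.search(r'set ips-sensor "([^"]+)"', body)
        status = re.search(r'set ips-sensor-status (\w+)', body)
        dst = re.search(r'set dstaddr "([^"]+)"', body)
        if not status or status.group(1) != 'enable':
            problems.append(f'policy {pid}: ips-sensor-status is not enable')
        if not sensor or sensor.group(1) not in sensors:
            problems.append(f'policy {pid}: ips-sensor does not name an existing sensor')
        elif not sensors[sensor.group(1)] & attack_ids:
            problems.append(f'sensor {sensor.group(1)}: no rule matches a custom signature attack_id')
        if dst and dst.group(1) != 'all' and dst.group(1) not in addresses:
            problems.append(f'policy {pid}: dstaddr {dst.group(1)} is not a defined address')
    return problems
```

Run it against the output of `show full-configuration` saved to a file; an empty list means the signature, sensor, address and policy are wired together as the procedure requires.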
Verification:

Before applying the firewall interface-policy:

```
execute ping 8.8.8.8
--- 8.8.8.8 ping statistics ---
```

After applying the firewall interface-policy:

```
execute ping 8.8.8.8
--- 8.8.8.8 ping statistics ---
```
GUI verification: check Log & Report -> Intrusion Prevention for the IPS log entries generated by the blocked ICMP packets.

Note: ICMP timestamp requests can also be blocked with a local-in policy when they are destined to a FortiGate interface. For detailed steps, refer to this KB article: Technical Tip: Block ICMP timestamp on FortiGate interface while keeping ping
