Technical Tip: Configure ICMP error message verification
Description
In a strict environment it is necessary to enable the ICMP error message check in order to secure the traffic flow.
This article describes how to configure this feature.
Solution
Enable ICMP error message verification to ensure an attacker cannot send an invalid ICMP error message.

# config system global
    set check-reset-range {disable | strict}
end

- disable: The FortiGate unit does not validate ICMP error messages.
- strict: Enable ICMP error message checking.
If the FortiGate unit receives an ICMP error packet that contains an embedded IP(A,B) | TCP(C,D) header, and FortiOS can locate the A:C->B:D session, it checks that the sequence number in the embedded TCP header is within the range recorded for that session.
If the sequence number is not in range, the ICMP packet is dropped.
Strict checking also affects how the anti-replay option checks packets.
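The strict check described above, as an added example that is not part of this article or of FortiOS code: it parses a constructed ICMP error message, looks up the embedded A:C->B:D tuple in a hypothetical session table keyed on those addresses and ports, and accepts the message only if the embedded TCP sequence number lies within the recorded range (handling 32-bit wrap-around). The "no-session" and "malformed" verdicts are assumptions for cases the article does not describe.

```python
import struct

# Sequence numbers are 32-bit and wrap, so the range check below works modulo 2**32.
SEQ_MOD = 2 ** 32

def parse_icmp_error(pkt: bytes):
    """Extract (src_ip, dst_ip, src_port, dst_port, seq) from an ICMP error message
    that embeds the offending IPv4 header plus the first 8 bytes of its TCP header.
    Returns None if the packet is not such a message."""
    if len(pkt) < 8 + 20 + 8 or pkt[0] not in (3, 4, 5, 11, 12):  # ICMP error types only
        return None
    ip = pkt[8:]                      # embedded IPv4 header follows the 8-byte ICMP header
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 6 or len(ip) < ihl + 8:  # IPv4 carrying TCP
        return None
    src_ip = ".".join(map(str, ip[12:16]))
    dst_ip = ".".join(map(str, ip[16:20]))
    sport, dport, seq = struct.unpack("!HHI", ip[ihl:ihl + 8])  # TCP ports and sequence number
    return src_ip, dst_ip, sport, dport, seq

def strict_check(pkt: bytes, sessions: dict) -> str:
    """Apply the strict rule: find the A:C->B:D session and accept the ICMP error only
    if the embedded TCP sequence number lies within that session's recorded range.
    'no-session' and 'malformed' are assumed verdicts for cases the article does not cover."""
    parsed = parse_icmp_error(pkt)
    if parsed is None:
        return "malformed"
    src_ip, dst_ip, sport, dport, seq = parsed
    window = sessions.get((src_ip, sport, dst_ip, dport))  # hypothetical table keyed A:C->B:D
    if window is None:
        return "no-session"
    lo, hi = window
    return "accept" if (seq - lo) % SEQ_MOD <= (hi - lo) % SEQ_MOD else "drop"

def build_icmp_error(src_ip, dst_ip, sport, dport, seq, icmp_type=3, code=1) -> bytes:
    """Constructed test input: ICMP Destination Unreachable embedding IP(A,B) | TCP(C,D)."""
    to_bytes = lambda a: bytes(int(o) for o in a.split("."))
    icmp_hdr = struct.pack("!BBHI", icmp_type, code, 0, 0)  # checksum left zero for the example
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         to_bytes(src_ip), to_bytes(dst_ip))
    return icmp_hdr + ip_hdr + struct.pack("!HHI", sport, dport, seq)

# Constructed session table: 10.0.0.1:40000 -> 192.0.2.10:443 accepting sequence numbers 1000..66535.
SESSIONS = {("10.0.0.1", 40000, "192.0.2.10", 443): (1000, 1000 + 65535)}

if __name__ == "__main__":
    good = build_icmp_error("10.0.0.1", "192.0.2.10", 40000, 443, 5000)
    forged = build_icmp_error("10.0.0.1", "192.0.2.10", 40000, 443, 900000)
    print(strict_check(good, SESSIONS), strict_check(forged, SESSIONS))  # accept drop
```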
