December 2, 2021

Technical Tip: Hiding FortiGate interface IP in trace route result when in NAT mode

Description

This article describes how to hide the FortiGate interface IP address from traceroute results when the FortiGate operates in NAT mode.
Scope

FortiGate.

Solution
  1. Create a custom service for ICMP type 11 code 0 (ICMP Time Exceeded, the reply that traceroute relies on).

config firewall service custom
    edit "ICMP_TYPE 11"
        set protocol ICMP
        set icmptype 11
        set icmpcode 0
    next
end

  2. Create a custom IPS signature using the definition below and add it to an IPS profile.

F-SBID( --name "ICMP.TTL.FGT.Custom"; --protocol icmp; --src_addr x.x.x.x; --icmp_type 11; --icmp_code 0; )

Set src_addr (x.x.x.x above) to the FortiGate's interface IP address, so that only ICMP Time Exceeded messages sourced from the FortiGate are matched.

  3. Create an interface policy on the interface that receives the ICMP traffic, as shown below:

config firewall interface-policy
    edit 1
        set interface xxx <----- xxx is the interface through which the ICMP traffic is received.
        set srcaddr "all"
        set dstaddr yyyy <----- yyyy is the address object for the IP of the concentrator.
        set service "ICMP_TYPE 11" <----- The custom ICMP service created in step 1.
        set ips-sensor-status enable
        set ips-sensor "default" <----- Replace "default" with the name of the IPS profile created in step 2 that contains the ICMP type 11 code 0 custom signature.
    next
end

 

Note:

It is possible to hide RFC 1918 private IP addresses with the custom IPS signature below (the src_addr list covers all three private ranges):

F-SBID( --name "ICMP.TTL.FGT.Custom"; --protocol icmp; --src_addr 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16; --icmp_type 11; --icmp_code 0; )