Skip to main content
sleepingzzz
sleepingzzz
Explorer
April 15, 2025
Question

Block ICMP Timestamp

  • April 15, 2025
  • 3 replies
  • 2677 views

Hi. I want to check if I allow all PING type in FortiGate interface administrative access but deny ICMP Timestamp in firewall policy, will ICMP Timestamp traffic still be allow?

3 replies

sleepingzzz
sleepingzzzAuthor
Explorer
April 15, 2025

Hi @sjoshi ,

But can I know if I deny ICMP Timestamp in firewall policy, will it take precedence over the interface administrative access? This is because I have a lot of interfaces configured, if I were to block ICMP Timestamp on every interfaces, it will require a lot of effort to do it. If I can just add firewall policy to block ICMP Timestamp, it will save a lot of time. Thanks

sjoshi
Staff
sjoshi
Staff
April 16, 2025

Hi,

 

Setting up firewall policy will not help you as the traffic coming to the FGT interface wont be checked by firewall policy.

You can either setup local in policy as per below article and select the src interface as those interface where you want to disable it.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Block-ICMP-timestamp-on-FortiGate-interface-while/ta-p/203643

Thanks, Salon
    sleepingzzz
    sleepingzzzAuthor
    Explorer
    April 17, 2025

    Hi @sjoshi,

    If i use the method describe in the below article, will it block ICMP Timestamp reply and request on FortiGate interface even when I allow PING on interface administrative access?

     

    https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-ICMP-timestamp-and-replies-for/ta-p/362523

     

     

    sjoshi
    Staff
    sjoshi
    Staff
    April 17, 2025

    You need to follow below article and block it using local in policy

    https://community.fortinet.com/t5/FortiGate/Technical-Tip-Block-ICMP-timestamp-on-FortiGate-interface-while/ta-p/203643

     

    The article you mention if for pass through traffic but in you case FGT is th destination which is to the box traffic.

    Yes it will block icmp timestamp even though ping is allowed on interface

    Thanks, Salon
      Terms & ConditionsAccessibility statement