BrianPro
New Member
June 23, 2011
Question

Block TCP Timestamp requests with fw policy (no IDS)

  • June 23, 2011
  • 6 replies
  • 8969 views
I am trying to block TCP timestamp requests from external hosts to our web servers. I have added a policy like below which currently works, but I'd like to remove ICMP_ANY in order to only respond to ping requests but *not* TCP timestamps. When I remove ICMP_ANY, I can no longer ping the server from an external host (from WAN/Internet). Does anyone know the correct way to set this up? I am running 4.2.7 on a 200B.

My current policy WAN -> DMZ:

    Source / Destination / Schedule / Service / Action
    --------------------------------------------------------------
    all / mywebserver / always / ICMP-Echo, ICMP-Echo-Reply, ICMP_ANY / ACCEPT

When I remove ICMP_ANY from the above policy, I can no longer ping.

Definitions of the custom ICMP-Echo and ICMP-Echo-Reply services in the above policy:

    ICMP-Echo Service definition:
    --------------------------------------
    Protocol type: ICMP
    Type: 8
    Code: 0

    ICMP-Echo-Reply Service definition:
    --------------------------------------
    Protocol type: ICMP
    Type: 0
    Code: 0

I need to do this without using IDS due to PCI scans (scanners want you to disable IDS when they scan) :( Hopefully it is possible. Any guidance would be appreciated.

    6 replies

    ejhardin
    New Member
    June 23, 2011
    I would try adding...

        Time Exceeded
        -----------------------
        Protocol type: ICMP
        Type: 11
        Code: 0
    BrianPro (Author)
    New Member
    June 23, 2011
    Thanks. Mmm - tried that and still no go. :(
    ede_pfau
    SuperUser
    June 24, 2011
    Any reason why you don't use the built-in 'PING' service? Would that work and disallow TCP timestamps at the same time?
    BrianPro (Author)
    New Member
    June 24, 2011
    No reason at all. :) I wasn't aware of it. Thanks, I'll check that one out. My VAR set this up originally and couldn't get it to work. I was trying to see if I could figure it out. According to this http://docs.fortinet.com/fgt/handbook/40mr2/fortigate-admin-40-mr2.pdf the PING service is ICMP 8 (Echo reply type 8 code 0). This may do the trick and no need to create a custom service! Thanks Ede. I'll report back after my scan to confirm.
    BrianPro (Author)
    New Member
    July 11, 2011
    Figured I would report back. We recently had our scan and it looks like this change did not block TCP Timestamp requests as hoped. I'll continue to research this and see if I can figure anything out. If anyone else has ideas I'd appreciate it. Maybe Fortinet support can offer some guidance?
    emnoc
    New Member
    July 17, 2011
    A few quick suggestions: if the servers are Unix, as in Linux, you can disable this within the kernel tuning via sysctl, e.g. net.ipv4.tcp_timestamps = 0. I bet you could also write a custom signature and deploy it as an IPS rule. Just a few thoughts.
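Why the ICMP-only policy could never help: a TCP timestamp is a TCP header option (kind 8, RFC 7323), not an ICMP message, so it rides inside the TCP segments of every connection the firewall already permits to port 80/443. As an added example that is not from this thread or from Fortinet, the Python below decodes the options of a raw TCP segment and reports whether the timestamp option is present; a defender can run it over segments pulled from a packet capture to confirm a server really stopped sending timestamps after the sysctl change. The sample segment builder is a constructed SYN, not a captured packet.

```python
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_TIMESTAMP = 0, 1, 8   # option kinds, RFC 793 / RFC 7323


def parse_tcp_options(segment: bytes) -> dict:
    """Parse the options of a raw TCP segment (IP header already stripped).

    Returns {kind: value}; the timestamp option (kind 8) decodes to (TSval, TSecr).
    """
    if len(segment) < 20:
        raise ValueError("segment shorter than a TCP header")
    data_offset = (segment[12] >> 4) * 4            # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts, result, i = segment[20:data_offset], {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:                      # single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        body = opts[i + 2:i + length]
        result[kind] = struct.unpack("!II", body) if (kind, length) == (TCPOPT_TIMESTAMP, 10) else body
        i += length
    return result


def has_tcp_timestamp(segment: bytes) -> bool:
    """True when the segment carries the TCP timestamp option."""
    return TCPOPT_TIMESTAMP in parse_tcp_options(segment)


def build_sample_segment(with_timestamp: bool) -> bytes:
    """Constructed sample SYN (port 40000 -> 80), not a captured packet."""
    opts = b"\x02\x04\x05\xb4"                      # MSS 1460
    if with_timestamp:
        opts += b"\x01\x01" + struct.pack("!BBII", TCPOPT_TIMESTAMP, 10, 123456, 0)
    opts += b"\x00" * (-len(opts) % 4)              # pad options to a 32-bit boundary
    hlen = 20 + len(opts)
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (hlen // 4) << 4, 0x02, 65535, 0, 0) + opts
```

If the server's SYN-ACKs in a capture still decode with kind 8 present after `net.ipv4.tcp_timestamps=0` was applied, the setting did not take effect (or a different host answered).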