fionaC
Explorer
April 8, 2025
Question

Disabling ICMP Timestamp Replies from FortiAP on LAN

Does anyone know how to disable ICMP timestamp replies from FortiAPs? My FortiAPs are connected to my LAN, and I have FortiSwitches. Policies do not seem to work - my guess is because the traffic is being routed by the switches and not going through the firewall?

2 replies

AEK
SuperUser
April 9, 2025

If I'm not wrong, an ICMP timestamp reply is a response to an ICMP timestamp request, right?

In that case then you just need to add a firewall rule to deny ICMP requests from the desired source to the FortiAPs.

This is because I don't know a way to allow ICMP requests and at the same time deny ICMP replies. As far as I know this is how stateful firewalls are designed.

AEK
fionaC (Author)
Explorer
April 9, 2025

For some reason, that does not work. I am wondering if it is because the APs and the host are on the same LAN, and therefore the traffic is not routed through the FortiGate.

Toshi_Esumi
SuperUser
April 9, 2025

It wouldn't go through the FGT. It's directly sent to the AP by the MAC address found in ARP.

Toshi

AEK
SuperUser
April 9, 2025

Then I guess it is possible just by disabling the ping on the related SSID interface.

AEK
Toshi_Esumi
SuperUser
April 9, 2025

I think it's about FAP's management interface, not SSIDs.

Toshi
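
Added example, not part of the thread or of any Fortinet tooling: a way to confirm from a host on the same LAN segment whether an AP you administer still answers ICMP timestamp requests (type 13) with replies (type 14) after a configuration change. The function names and the identifier value `0x4641` are assumptions made for this sketch; `answers_timestamp` needs root for the raw socket and expects an IPv4 literal.

```python
import socket
import struct
import time

TS_REQUEST, TS_REPLY = 13, 14  # ICMP message types defined in RFC 792

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_message(icmp_type: int, ident: int, seq: int, orig: int,
                  recv: int = 0, xmit: int = 0) -> bytes:
    """Build a 20-byte ICMP timestamp message (type 13 or 14, code 0)."""
    body = struct.pack("!HHIII", ident, seq, orig, recv, xmit)
    csum = checksum(struct.pack("!BBH", icmp_type, 0, 0) + body)
    return struct.pack("!BBH", icmp_type, 0, csum) + body

def parse_reply(icmp: bytes, ident: int, seq: int):
    """Return (originate, receive, transmit) ms for a valid matching reply, else None."""
    if len(icmp) < 20 or checksum(icmp[:20]) != 0:
        return None  # truncated or corrupted message
    icmp_type, code, _, r_id, r_seq, orig, recv, xmit = struct.unpack("!BBHHHIII", icmp[:20])
    if icmp_type != TS_REPLY or code != 0 or (r_id, r_seq) != (ident, seq):
        return None  # echo reply, someone else's probe, or another ICMP type
    return orig, recv, xmit

def answers_timestamp(host: str, timeout: float = 2.0,
                      ident: int = 0x4641, seq: int = 1) -> bool:
    """Send one timestamp request to `host` (IPv4 literal); True if it replies."""
    now_ms = int(time.time() * 1000) % 86_400_000  # ms since midnight UTC
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        s.sendto(build_message(TS_REQUEST, ident, seq, now_ms), (host, 0))
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            try:
                packet, (src, _) = s.recvfrom(1024)
            except socket.timeout:
                return False
            ihl = (packet[0] & 0x0F) * 4  # raw socket delivers the IPv4 header too
            if src == host and parse_reply(packet[ihl:], ident, seq) is not None:
                return True
    return False
```

A `False` result from a host on the AP's own segment is the meaningful one, since that path is the one described above as never reaching the firewall.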