Skip to main content
squid-c
squid-c
Explorer
March 24, 2024
Solved

Fortigate is not sending icmp redirects.

  • March 24, 2024
  • 1 reply
  • 1871 views

Fortigate is not sending icmp redirects.
"icmp-send-redirect" is setting enable.
I would like to be able to send ICMP redirects using the case 2 pattern.
If the PC is in the same segment as the FW,ICMP redirect responses are possible.
However, if there is a router between the PC and the FW and they are on different segments,
ICMP redirect responses will not be received.

 

Q
Aren't ICMP redirects sent to another segment?How does it work?


Case 1
In this case, the FW sent an ICMP redirect.

PCâ‘ ------[FWâ‘ ]------PCâ‘¡
   |
   ----[FW②]------PC③

setting
PC①:192.168.1.1/24
PC②:192.168.2.1/24
PC③:192.168.3.1/24

routing
PCâ‘ : Default gateway is FWâ‘ 
FWâ‘ : Setting static route "Gateway of destination PCâ‘¢ is FWâ‘¡"

 

Case 2
PCâ‘ ----[RTâ‘ ]------[FWâ‘ ]------PCâ‘¡
        |
        ----[FW②]------PC③
setting
PC①:192.168.1.1/24
PC②:192.168.2.1/24
PC③:192.168.3.1/24
RT①:Do not use NAT

routing
PCâ‘ : Default gateway is RTâ‘ 
FWâ‘ : Setting static route "Gateway of destination PCâ‘¢ is FWâ‘¡"
FWâ‘¡: Setting static route "Gateway of destination PCâ‘  is RTâ‘ "

 

Thanks

Best answer by Dhruvin_patel

Greetings,

 

You would like to use ICMP redirect to inform the host about the better next hop to reach a certain destination.

 

First of all, enable the following settings on the interface, 

 

# config system interface

   edit "interface_name"

      set icmp-accept-redirect enable

      set icmp-send-redirect enable

   next

 

Afterward, make sure that the ICMP redirect is allowed on the Layer-3 router.

 

Still it fails, capture the packet on a port using this document and verify that the FortiGate is responding, https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Packet-Capture-on-FortiOS-GUI/ta-p/194444 

 

Regards,

If you have found a solution, please like and accept it to make it easily accessible to others.

1 reply

Dhruvin_patel
Staff
Dhruvin_patelAnswer
Staff
March 24, 2024

Greetings,

 

You would like to use ICMP redirect to inform the host about the better next hop to reach a certain destination.

 

First of all, enable the following settings on the interface, 

 

# config system interface

   edit "interface_name"

      set icmp-accept-redirect enable

      set icmp-send-redirect enable

   next

 

Afterward, make sure that the ICMP redirect is allowed on the Layer-3 router.

 

Still it fails, capture the packet on a port using this document and verify that the FortiGate is responding, https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Packet-Capture-on-FortiOS-GUI/ta-p/194444 

 

Regards,

If you have found a solution, please like and accept it to make it easily accessible to others.

    Terms & ConditionsAccessibility statement