kmak
Staff
Article Id 398841
Description This article describes how to block ICMP Ping requests on the FortiADC Server Load Balance Virtual IP Address.
Scope FortiADC.
Solution

The FortiADC Server Load Balance (SLB) Virtual Server IP address (VIP) accepts ICMP Ping requests and replies to them.

There is no option in the SLB Virtual Server to disable or reject ICMP Ping requests. If the SLB Virtual Server IP address is configured with direct Public IP address access and without an upstream firewall, a Network Security Firewall rule can be configured on the FortiADC to block the ICMP Ping requests.

 

  1. The FortiADC Network Security Firewall Policy has a default action of 'Accept'; if no firewall rules are configured, the system does not perform firewall processing.

  2. Navigate to the FortiADC Server Load Balance Virtual Server page. Take one of the virtual server IP addresses (VIP) as a sample for testing the ICMP Ping request.

  3. Before creating the Network Firewall Policy rule, navigate to the 'Address' page under the 'Shared Resources' category. Create an address object that contains the SLB Virtual Server IP address. This address object will be referenced in the Network Firewall Policy rule.

  4. On the FortiADC Network Firewall Policy page, create a new rule that blocks ICMP traffic with the SLB Virtual Server IP address as the destination. Enable 'Deny Log' temporarily to confirm that the Firewall Policy rule is effective.

  5. Send an ICMP Ping request to the SLB Virtual Server IP address to confirm that the ICMP Ping request is blocked.

  6. Check the FortiADC Security Firewall Log to confirm that the ICMP Ping requests are blocked by the Firewall Policy rule. Disable 'Deny Log' in the Firewall Policy rule after the test to avoid overwhelming the logs.

  7. If specific source addresses must be added to an allowlist for ICMP Ping requests for monitoring purposes, create another Firewall Policy rule with the action set to Accept. Make sure that the new rule is moved upwards so that the Firewall Policy matches the accepting rule first.

  8. Test the ICMP Ping request from the allowed source host to confirm that the allowlisted host receives the ICMP Ping replies.
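The rule-ordering requirement in the last two steps can be checked with a small model. This is an added example, not FortiADC code or configuration: it assumes simplified top-down, first-match evaluation with a default action of Accept, and the rule names and IP addresses (documentation ranges) are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str         # hypothetical rule name
    source: str       # source network in CIDR form
    destination: str  # destination network in CIDR form
    service: str      # "ICMP" or "ANY" in this simplified model
    action: str       # "accept" or "deny"


def evaluate(rules, src, dst, service, default_action="accept"):
    """Return (action, rule name) of the first matching rule, top to bottom."""
    for rule in rules:
        if (ip_address(src) in ip_network(rule.source)
                and ip_address(dst) in ip_network(rule.destination)
                and rule.service in (service, "ANY")):
            return rule.action, rule.name
    # No rule matched: the policy's default action applies.
    return default_action, "default"


# Constructed sample values (documentation address ranges).
VIP = "203.0.113.10"        # SLB virtual server IP address
MONITOR = "198.51.100.25"   # allowlisted monitoring host
INTERNET = "192.0.2.77"     # any other source

deny_icmp = Rule("deny-icmp-vip", "0.0.0.0/0", VIP + "/32", "ICMP", "deny")
allow_mon = Rule("allow-monitor-icmp", MONITOR + "/32", VIP + "/32", "ICMP", "accept")

correct_order = [allow_mon, deny_icmp]  # accept rule moved above the deny rule
wrong_order = [deny_icmp, allow_mon]    # accept rule left below: never reached


def audit(rules):
    """Evaluate three probe flows against the VIP and return their actions."""
    probes = {
        "monitor ping": (MONITOR, "ICMP"),
        "internet ping": (INTERNET, "ICMP"),
        "internet https": (INTERNET, "HTTPS"),
    }
    return {label: evaluate(rules, src, VIP, svc)[0]
            for label, (src, svc) in probes.items()}


if __name__ == "__main__":
    for label, rules in (("correct order", correct_order), ("wrong order", wrong_order)):
        print(label, audit(rules))
```

With the accept rule below the deny rule, the monitoring host's ping is denied as well, which is the symptom to look for if the final test fails.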

 

Related document:

Configuring an IPv4 firewall policy