Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Jonathan_Body_FTNT
Staff
Staff

Created on ‎03-03-2010 06:44 AM

Article Id 195339

Technical Note : ICMP and UDP traceroute functionality with the FortiGate

Description

This article provides background on ICMP and UDP traceroute functionality in the FortiGate and explains why the FortiGate cannot be tracerouted from a Cisco router or a Linux Operating System.


Scope

All FortiGate Users


Solution
The FortiGate is designed not to allow UDP packets in the local-in policy. UDP packets destined for the interface of the FortiGate are dropped when a standard UDP-based traceroute is performed.

Hence, it is possible to traceroute to the FortiGate from a Windows PC but not from a Linux machine or a from a Cisco Router. Both Linux and Cisco are using ICMP based traceroute.

ICMP must be used for a FortiGate to reply to a traceroute request. In Linux the "traceroute -I" command should be used to enable ICMP-based traceroute. ICMP local service should also be enabled on the FortiGate interface:
config system interface
edit "mgmt1"
set vdom "InternetNAT"
set ip 192.168.182.155 255.255.254.0
set allowaccess ping https ssh snmp http telnet
set type physical
set alias "Test purpose Management"
next
end


Labels:
16776
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.