FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 192778

Under some conditions, IP packets cannot be delivered to their destination. ICMP error messages are used to report the origin of the problem back to the source.

This article explains the FortiGate system behavior with regard to the various ICMP message types.


The general behavior of the FortiGate firewall policy is the following:

  • ICMP messages with type ICMP_ECHO, ICMP_TIMESTAMP, ICMP_INFO_REQUEST, and ICMP_ADDRESS require a firewall policy that allows them to be routed or forwarded (or blocks them) by the FortiGate unit. If allowed, those packets generate a new session.
    The reply to one of these ICMP informational messages can only pass through the FortiGate unit if a corresponding session is found. Otherwise, the packets are dropped.

  • For ICMP error messages, there is implicit processing: only error messages that report an error for an existing session can pass through the firewall. Otherwise, the packets are dropped. Common error messages include:
    • Destination Unreachable Messages
    • Time Exceeded Messages
    • Redirect Messages

    Below are some examples based on the following scenario, in which the FortiGate unit is in NAT mode and allows ICMP Destination Unreachable messages back to the source device:

          .10                  .106         .106             .110
    [ PC1 ] ------ internal---- [ FortiGate ] ---- wan1----- [ Router1 ]
    [ PC2 ]


    The FortiGate unit has only one firewall policy, allowing TFTP from internal to wan1:

    FGT# show firewall policy
    config firewall policy
        edit 1
            set srcintf "internal"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "TFTP"
        next
    end

    • Scenario 1: PC1 tries to open a TFTP session to PC2, where UDP port 69 is not open. The sniffer trace below shows the ICMP port unreachable message sent back to the source through the FortiGate unit.
    FGT # diagnose sniffer packet any "host or icmp" 4

    3.677808 internal in -> udp 20
    3.677960 wan1 out -> udp 20
    3.678465 wan1 in -> icmp: udp port 69 unreachable
    3.678519 internal out -> icmp: udp port 69 unreachable

    • Scenario 2: PC1 tries to reach a destination that is not reachable beyond Router1. The sniffer trace below shows the ICMP network unreachable message sent back to the source through the FortiGate unit.
    FGT # diagnose sniffer packet any "host or icmp or port 69" 4

    2.234765 internal in -> udp 20
    2.234908 wan1 out -> udp 20
    2.235164 wan1 in -> icmp: net unreachable
    2.235208 internal out -> icmp: net unreachable
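The behavior described above (informational ICMP needs a policy and creates a session, replies need a matching session, and ICMP errors pass only when the datagram they quote belongs to an existing session) can be modelled in a few dozen lines. The following is an added illustration written for this article, not FortiOS code: it builds the raw IPv4/UDP/ICMP packets of the two scenarios with constructed documentation-range addresses (PC1 192.0.2.10 on internal, PC2 203.0.113.5 and Router1 198.51.100.110 beyond wan1), applies the single TFTP policy, and decides accept or drop by looking at the IP header plus 8 bytes that an ICMP error carries per RFC 792. Source NAT of the quoted header and checksums are deliberately left out; the class, function and address names are all assumptions.

```python
"""Toy model of stateful ICMP handling (illustration, not FortiOS code)."""
import struct
from ipaddress import IPv4Address, ip_network

UDP, ICMP = 17, 1
ICMP_INFO_REQUESTS = {8: 0, 13: 14, 15: 16, 17: 18}  # request type -> reply type
ICMP_INFO_REPLIES = {v: k for k, v in ICMP_INFO_REQUESTS.items()}
ICMP_ERRORS = {3: "dest unreachable", 4: "source quench", 5: "redirect",
               11: "time exceeded", 12: "parameter problem"}

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left at 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def udp(src, dst, sport, dport, data=b""):
    return ipv4(src, dst, UDP, struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data)

def icmp(src, dst, typ, code, ident, seq, body=b""):
    return ipv4(src, dst, ICMP, struct.pack("!BBHHH", typ, code, 0, ident, seq) + body)

def icmp_error(reporter, dst, typ, code, offending):
    # RFC 792: an error quotes the original IP header plus the first 8 bytes of its payload
    return icmp(reporter, dst, typ, code, 0, 0, offending[:28])

def parse_ip(pkt):
    ver_ihl, _, _, _, _, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return str(IPv4Address(s)), str(IPv4Address(d)), proto, pkt[(ver_ihl & 0xF) * 4:]

class Firewall:
    """Two interfaces, a policy set of (srcintf, dstintf, proto, port_or_type), a session set."""
    def __init__(self, policy, internal_net):
        self.policy, self.sessions = set(policy), set()
        self.internal_net = ip_network(internal_net)

    def egress(self, dst):
        return "internal" if IPv4Address(dst) in self.internal_net else "wan1"

    def stateful(self, key, reverse, ingress, egress, port):
        if key in self.sessions or (reverse and reverse in self.sessions):
            return "accept", "existing session"
        if (ingress, egress, key[0], port) in self.policy:
            self.sessions.add(key)                       # new session created by policy
            return "accept", "new session via policy"
        return "drop", "no policy and no session"

    def handle(self, pkt, ingress):
        src, dst, proto, payload = parse_ip(pkt)
        egress = self.egress(dst)
        if proto == UDP:
            sport, dport = struct.unpack("!HH", payload[:4])
            return self.stateful((UDP, src, sport, dst, dport),
                                 (UDP, dst, dport, src, sport), ingress, egress, dport)
        if proto != ICMP:
            return "drop", "protocol not modelled"
        typ, _, _, ident, _ = struct.unpack("!BBHHH", payload[:8])
        if typ in ICMP_INFO_REQUESTS:                     # echo/timestamp/info/address request
            return self.stateful((ICMP, src, dst, typ, ident), None, ingress, egress, typ)
        if typ in ICMP_INFO_REPLIES:                      # reply: only with a matching session
            ok = (ICMP, dst, src, ICMP_INFO_REPLIES[typ], ident) in self.sessions
            return ("accept", "reply to existing session") if ok else ("drop", "reply with no session")
        if typ in ICMP_ERRORS:                            # error: match the quoted datagram
            inner = payload[8:]
            if len(inner) < 28:
                return "drop", "truncated ICMP error"
            isrc, idst, iproto, ipayload = parse_ip(inner)
            if iproto == UDP:
                isport, idport = struct.unpack("!HH", ipayload[:4])
                inner_key = (UDP, isrc, isport, idst, idport)
            elif iproto == ICMP:
                ityp, _, _, iident, _ = struct.unpack("!BBHHH", ipayload[:8])
                inner_key = (ICMP, isrc, idst, ityp, iident)
            else:
                return "drop", "embedded protocol not modelled"
            if inner_key in self.sessions:
                return "accept", f"{ICMP_ERRORS[typ]} for existing session"
            return "drop", f"{ICMP_ERRORS[typ]} with no matching session"
        return "drop", "unknown ICMP type"

# Constructed addresses (documentation ranges), not the article's own.
PC1, PC2, ROUTER1, REMOTE = "192.0.2.10", "203.0.113.5", "198.51.100.110", "203.0.113.77"
POLICY = {("internal", "wan1", UDP, 69)}   # the article's single TFTP policy

def run_scenarios():
    fw, r = Firewall(POLICY, "192.0.2.0/24"), {}
    tftp = udp(PC1, PC2, 40000, 69, b"\x00\x01hosts\x00octet\x00")
    r["tftp_request"] = fw.handle(tftp, "internal")[0]
    # Scenario 1: PC2 itself answers with port unreachable (type 3, code 3)
    r["port_unreach"] = fw.handle(icmp_error(PC2, PC1, 3, 3, tftp), "wan1")[0]
    # Scenario 2: Router1, a third party, reports net unreachable (3, 0) for a second flow
    tftp2 = udp(PC1, REMOTE, 40002, 69, b"\x00\x01hosts\x00octet\x00")
    r["tftp2_request"] = fw.handle(tftp2, "internal")[0]
    r["net_unreach"] = fw.handle(icmp_error(ROUTER1, PC1, 3, 0, tftp2), "wan1")[0]
    # An error quoting a datagram that never formed a session is dropped
    r["stray_error"] = fw.handle(icmp_error(ROUTER1, PC1, 3, 3, udp(PC1, PC2, 40001, 53)), "wan1")[0]
    # Echo request without a PING policy is dropped, and so is the later reply
    r["echo_no_policy"] = fw.handle(icmp(PC1, PC2, 8, 0, 0x1234, 1, b"ping"), "internal")[0]
    r["echo_reply_no_session"] = fw.handle(icmp(PC2, PC1, 0, 0, 0x1234, 1, b"ping"), "wan1")[0]
    return r

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24s} {verdict}")
```

The point the two scenarios share is visible in the model: the outer source of an ICMP error is irrelevant to the decision (PC2 in scenario 1, Router1 in scenario 2), because the lookup is done on the quoted original datagram, which is why a network-unreachable from an intermediate router reaches PC1 while an error that quotes a flow with no session does not.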