Created on 03-31-2016 09:09 PM
Edited on 12-01-2023 07:20 AM
By Stephen_G
Description
Solution
- Configure the WAN1 interface to permit management protocols, including ping. The allowaccess setting only controls which services the interface listens for; the local-in policies created below restrict which source addresses may reach them:
config system interface
    edit "wan1"
        set ip 192.168.157.78 255.255.255.0
        set allowaccess ping https ssh http telnet
    next
end
- Create firewall address objects for the source IP that will be permitted to ping and for the WAN1 interface IP:
config firewall address
    edit "PING-ALLOWED"
        set associated-interface "wan1"
        set subnet 192.168.157.80 255.255.255.255
    next
    edit "IP-WAN1"
        set associated-interface "wan1"
        set subnet 192.168.157.78 255.255.255.255
    next
end
- Create the firewall local-in policies.
Local-in policies can only be created from the CLI. The local-in-policy feature can be enabled under Feature Visibility in the GUI, but only for viewing: the policies cannot be edited there. Policy 1 accepts ICMP from the allowed host to the WAN1 address; policy 10 then denies ICMP from every other source.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "PING-ALLOWED"
        set dstaddr "IP-WAN1"
        set action accept
        set service "ALL_ICMP"
        set schedule "always"
        set auto-asic-offload disable
    next
    edit 10
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "ALL_ICMP"
        set schedule "always"
        set auto-asic-offload disable
        set status enable
    next
end
- Run the packet sniffer with the filter 'host 192.168.157.80 and icmp' and confirm that echo requests from the allowed host receive echo replies:
diag sniffer packet WAN1 'host 192.168.157.80 and icmp' 4
interfaces=[any]
filters=[host 192.168.157.80 and icmp]
17.815713 wan1 in 192.168.157.80 -> 192.168.157.77: icmp: echo request
17.815858 wan1 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply
18.822895 wan1 in 192.168.157.80 -> 192.168.157.77: icmp: echo request
18.822955 wan1 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply
19.831082 wan1 in 192.168.157.80 -> 192.168.157.77: icmp: echo request
19.831150 wan1 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply
48.692297 wan1 in 192.168.157.80 -> 192.168.157.77: icmp: echo request
48.692368 wan1 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply
- Run the packet sniffer for any ICMP packet on any interface and confirm that the FortiGate sends no ICMP echo replies to sources other than the allowed host (in the output below, the echo requests from 192.168.157.207 are not answered):
diag sniffer packet any 'icmp' 4
interfaces=[any]
filters=[icmp]
17.806037 wan1 in 192.168.157.207 -> 192.168.157.77: icmp: echo request
20.586094 wan1 in 208.91.112.53 -> 192.168.157.77: icmp: 208.91.112.53 udp port 53 unreachable
22.353097 wan1 in 192.168.157.207 -> 192.168.157.77: icmp: echo request
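The two sniffer checks above are done by eye. As an added example (not from the article or from Fortinet), the following Python parser reads verbosity-4 sniffer output and automates both checks: echo replies must only go to the allow-listed host, and every other echo-request source must stay unanswered. The capture is constructed to resemble the article's output, and the function names are my own.

```python
import re
from collections import namedtuple

# One line of 'diagnose sniffer packet <iface> "<filter>" 4' output (verbosity 4 prints
# the interface name and direction): "<ts> <iface> <in|out> <src> -> <dst>: icmp: <text>"
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+): icmp: (?P<desc>.+)$"
)
Icmp = namedtuple("Icmp", "ts iface direction src dst desc")

def parse_sniffer(text):
    """Parse sniffer output; 'interfaces=' / 'filters=' header lines and non-matching lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            packets.append(Icmp(float(m["ts"]), m["iface"], m["dir"], m["src"], m["dst"], m["desc"]))
    return packets

def replies_to_unlisted(packets, allowed):
    """Echo replies the FortiGate sent (direction 'out') to hosts not in the allow-list.
    A non-empty result means the local-in deny policy is not taking effect."""
    return [p for p in packets if p.direction == "out" and p.desc == "echo reply" and p.dst not in allowed]

def unanswered_sources(packets):
    """Sources whose echo requests never received an echo reply: the expected outcome for blocked hosts."""
    replied = {p.dst for p in packets if p.direction == "out" and p.desc == "echo reply"}
    asked = {p.src for p in packets if p.direction == "in" and p.desc == "echo request"}
    return sorted(asked - replied)

# Constructed capture modelled on the article's two sniffer runs (not real device output):
# .80 is the allowed host, .207 is blocked, and the port-unreachable from a DNS server is not an echo at all.
CAPTURE = """interfaces=[any]
filters=[icmp]
17.806037 wan1 in 192.168.157.207 -> 192.168.157.77: icmp: echo request
17.815713 wan1 in 192.168.157.80 -> 192.168.157.77: icmp: echo request
17.815858 wan1 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply
20.586094 wan1 in 208.91.112.53 -> 192.168.157.77: icmp: 208.91.112.53 udp port 53 unreachable
22.353097 wan1 in 192.168.157.207 -> 192.168.157.77: icmp: echo request
"""

if __name__ == "__main__":
    pkts = parse_sniffer(CAPTURE)
    print("replies to unlisted hosts:", replies_to_unlisted(pkts, {"192.168.157.80"}))
    print("sources left unanswered:", unanswered_sources(pkts))
```

To audit a real device, paste the output of the second sniffer command into CAPTURE and put the subnet of the PING-ALLOWED object in the allow-list.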