Description
This article describes how to allow the ping service from only one IP. Sometimes it is necessary to allow the ping service on the Interface, but this can open up potential security vulnerabilities, which is not desirable, especially for WAN interfaces that connect to the Internet.
Scope
FortiGate.
Solution
Below is a configuration example to permit pings from IP 192.168.157.80 and to block pings from any other source.
- Configure the WAN1 interface to permit management protocols, including ping:
config system interface
edit "port3"
set ip 192.168.157.78 255.255.255.0
set allowaccess ping https ssh http telnet
edit "port3"
set ip 192.168.157.78 255.255.255.0
set allowaccess ping https ssh http telnet
end
- Create Firewall Address Objects for the IP that will be permitted and the WAN1 IP interface:
config firewall address
edit "PING-ALLOWED"
set associated-interface "port3"
set subnet 192.168.157.80 255.255.255.255
next
edit "IP-WAN1"
set associated-interface "port3"
set subnet 192.168.157.78 255.255.255.255
next
end
edit "PING-ALLOWED"
set associated-interface "port3"
set subnet 192.168.157.80 255.255.255.255
next
edit "IP-WAN1"
set associated-interface "port3"
set subnet 192.168.157.78 255.255.255.255
next
end
Alternatively, configure this in the GUI as follows:
- Create the Firewall Local in Policies. A local-in-policy is only possible to create via CLI. However, the local-in-policy feature can be enabled under System -> Feature visibility -> Additional features column in the GUI, but only before FortiGate / FortiOS v7.6.0 can only be viewed for viewing purposes, and cannot be edited after FortiGate / FortiOS v7.6. can be created/edited on the GUI.
config firewall local-in-policy
edit 1
set intf "port3"
set srcaddr "PING-ALLOWED"
set dstaddr "IP-WAN1"
set action accept
set service "ALL_ICMP"
set schedule "always"
next
edit 10
set intf "port3"
set srcaddr "all"
set dstaddr "all"
set action deny
set service "ALL_ICMP"
set schedule "always"
next
end
Configure this in the CLI as follows:
Alternatively, a single local-in policy rule can also be created by using the 'Negate' option, and will perform the same task.
Here is the configuration when using srcaddr-negate enable option.
config firewall local-in-policy
edit 0
set intf "port3"
set srcaddr "PING-ALLOWED"
set srcaddr-negate enable <----- This command will negate the rule and will block all addresses except those defined in the 'srcaddr' field
set dstaddr "all"
set action deny
set service "ALL_ICMP"
set schedule "always"
set status enable
next
end
- Run sniffer packet filter HOST 192.168.157.80 and ICMP:
diagnose sniffer packet any 'host 192.168.157.80 and icmp' 4
interfaces=[any]
filters=[host 192.168.157.80 and icmp]
17.815713 port3 in 192.168.157.80 -> 192.168.157.77: icmp: echo request
17.815858 port3 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply
18.822895 port3 in 192.168.157.80 -> 192.168.157.77: icmp: echo request
18.822955 port3 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply
19.831082 port3 in 192.168.157.80 -> 192.168.157.77: icmp: echo request
19.831150 port3 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply
48.692297 port3 in 192.168.157.80 -> 192.168.157.77: icmp: echo request
48.692368 port3 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply
- Run a sniffer packet for any ICMP packet on interface WAN1. Confirm that no ICMP replies are sent by the FortiGate:
diagnose sniffer packet any 'icmp' 4
interfaces=[any]
filters=[icmp]
17.806037 port3 in 192.168.157.207 -> 192.168.157.77: icmp: echo request
20.586094 port3 in 208.91.112.53 -> 192.168.157.77: icmp: 208.91.112.53 udp port 53 unreachable
22.353097 port3 in 192.168.157.207 -> 192.168.157.77: icmp: echo request
Related document:
