FortiGate
srajeswaran (Staff)
Article Id 229762
Description

This article describes how to block ICMP requests that originate from the FortiGate itself towards specific destinations or geolocations. Traffic generated by the FortiGate is not matched by ordinary firewall policies, so the administrator instead uses an interface-policy together with a custom IPS signature.

The example below blocks ICMP requests from the FortiGate towards 8.8.8.8.

Scope

All FortiGate versions.
Solution

1) Create a custom IPS signature that matches ICMP sent in the client-to-server direction (--flow from_client). The attack_id (1234 here) is the number the IPS sensor refers to in the next step and must be unique among the custom signatures:

# config ips custom
    edit "ICMP-Block-custom"
        set signature "F-SBID( --attack_id 1234; --name ICMP-Block-custom; --protocol ICMP; --flow from_client; )"
        set action block
        set comment ''
    next
end

 

2) Create an IPS sensor that references the signature (the value of 'set rule' is the attack_id of the custom signature from step 1):

# config ips sensor
    edit "Block-ICMP-Out"
        config entries
            edit 1
                set rule 1234
                set status enable
                set log-packet enable
                set action block
            next
        end
    next
end

 

3) Create an address entry for the destination IP:

# config firewall address
    edit "8.8.8.8"
        set subnet 8.8.8.8 255.255.255.255
    next
end

 

4) Create an interface-policy that applies the sensor to ICMP traffic towards 8.8.8.8 and attach it to the FortiGate's outgoing interface (named "OutSide" here; substitute the interface the pings leave through):

# config firewall interface-policy
    edit 1
        set interface "OutSide"
        set srcaddr "all"
        set dstaddr "8.8.8.8"
        set service "ALL_ICMP"
        set ips-sensor-status enable
        set ips-sensor "Block-ICMP-Out"
    next
end

Note that with srcaddr set to "all" the policy inspects every ICMP packet to 8.8.8.8 on that interface, not only the FortiGate's own pings; if transit traffic from hosts behind the firewall must stay unaffected, narrow srcaddr to the address of the FortiGate's outgoing interface.
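The four steps above are one procedure, and the custom signature is the part most easily broken when copied (a name split by whitespace silently changes the option value). The following Python script is an added example, not code from the article or from Fortinet: it assembles and parses the F-SBID string, rejecting a name that contains whitespace or ';', and renders the same CLI blocks for one or more destination addresses, grouping several destinations into one address group so the interface-policy still needs a single dstaddr. The object names, attack_id 1234 and interface "OutSide" follow the article; the group name "ICMP-Block-dst", the helper names and the conservative NAME_RE character rule are this example's own assumptions, not Fortinet's documented syntax limits.

```python
"""Added example (not from the article): build the FortiOS CLI shown in
steps 1-4 for one or more destinations and sanity-check the F-SBID string.
Object names, attack_id 1234 and the interface name "OutSide" follow the
article; the group name "ICMP-Block-dst", the helper names and the
conservative NAME_RE rule are this example's own assumptions."""
import ipaddress
import re

SBID_RE = re.compile(r"^F-SBID\(\s*(?P<body>.*?)\s*\)$")
OPT_RE = re.compile(r"--(?P<key>[a-z_]+)\s+(?P<value>[^;]*);")
# Names with whitespace or ';' would change the meaning of the option list
# (a copy-paste that splits "ICMP-Block-custom" is the typical failure).
NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def build_sbid(attack_id: int, name: str, protocol: str, flow: str) -> str:
    """Assemble a custom signature in the F-SBID( --key value; ... ) form."""
    if not isinstance(attack_id, int) or attack_id <= 0:
        raise ValueError("attack_id must be a positive integer")
    if not NAME_RE.match(name):
        raise ValueError(f"invalid signature name {name!r}")
    return (f"F-SBID( --attack_id {attack_id}; --name {name}; "
            f"--protocol {protocol}; --flow {flow}; )")


def parse_sbid(signature: str) -> dict:
    """Parse an F-SBID string into its options, rejecting stray or broken text."""
    m = SBID_RE.match(signature.strip())
    if not m:
        raise ValueError("not an F-SBID signature")
    body, opts, pos = m.group("body"), {}, 0
    for om in OPT_RE.finditer(body):
        if body[pos:om.start()].strip():
            raise ValueError(f"unparsed text {body[pos:om.start()]!r}")
        key = om.group("key")
        if key in opts:
            raise ValueError(f"duplicate option --{key}")
        opts[key] = om.group("value").strip()
        pos = om.end()
    if body[pos:].strip():
        raise ValueError(f"unparsed text {body[pos:]!r}")
    for required in ("attack_id", "name", "protocol"):
        if required not in opts:
            raise ValueError(f"missing --{required}")
    if not NAME_RE.match(opts["name"]):
        raise ValueError(f"invalid signature name {opts['name']!r}")
    return opts


def render_config(destinations, interface, attack_id=1234,
                  sig_name="ICMP-Block-custom", sensor="Block-ICMP-Out",
                  group="ICMP-Block-dst", policy_id=1):
    """Emit address, signature, sensor and interface-policy blocks as CLI text."""
    hosts = [str(ipaddress.IPv4Address(d)) for d in destinations]  # validates
    if not hosts:
        raise ValueError("at least one destination is required")
    lines = ["config firewall address"]
    for h in hosts:
        lines += [f'    edit "{h}"',
                  f"        set subnet {h} 255.255.255.255", "    next"]
    lines.append("end")
    if len(hosts) > 1:
        # Several destinations: reference them through one address group.
        members = " ".join(f'"{h}"' for h in hosts)
        lines += ["config firewall addrgrp", f'    edit "{group}"',
                  f"        set member {members}", "    next", "end"]
        dst = group
    else:
        dst = hosts[0]
    sig = build_sbid(attack_id, sig_name, "ICMP", "from_client")
    lines += ["config ips custom", f'    edit "{sig_name}"',
              f'        set signature "{sig}"', "        set action block",
              "    next", "end",
              "config ips sensor", f'    edit "{sensor}"',
              "        config entries", "            edit 1",
              f"                set rule {attack_id}",  # attack_id from step 1
              "                set status enable",
              "                set log-packet enable",
              "                set action block",
              "            next", "        end", "    next", "end",
              "config firewall interface-policy", f"    edit {policy_id}",
              f'        set interface "{interface}"',
              '        set srcaddr "all"', f'        set dstaddr "{dst}"',
              '        set service "ALL_ICMP"',
              "        set ips-sensor-status enable",
              f'        set ips-sensor "{sensor}"', "    next", "end"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_config(["8.8.8.8", "1.1.1.1"], "OutSide"))
```

Running the script prints a config that can be reviewed and pasted into the FortiGate CLI; parse_sbid can also be run over a signature copied from elsewhere before it is committed, which catches the whitespace-split name shown above.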

 

Verification:

Before applying the firewall interface-policy:

# execute ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=112 time=17.1 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=112 time=17.4 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=112 time=17.2 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=112 time=17.2 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=112 time=17.3 ms

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 17.1/17.2/17.4 ms


After applying the firewall interface-policy:

# execute ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss


GUI verification: the blocked packets are also logged under Log & Report -> Intrusion Prevention, where each entry shows the custom signature name ICMP-Block-custom.