Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
srajeswaran
Staff
Staff

Created on ‎11-14-2022 02:37 AM Edited on ‎11-14-2022 02:45 AM By Moderator

Article Id 229762

Technical Tip: Block ICMP request originated from the firewall

Description

This article describes the case where it is required to block ICMP requests originating from Firewall to specific destinations/geolocations, FortiGate administrator can use interface-policy along with custom-IPS signature.

 

This article describes how to configure FortiGate to block ICMP requests towards 8.8.8.8.
Scope All FortiGate versions.
Solution

1) Configuring IPS signatures to match ICMP requests:

 

# config ips custom

    edit "ICMP-Block-custom"

        set signature "F-SBID( --attack_id 1234; --name ICMP-Block-          custom; --protocol ICMP; --flow from_client; )"

        set action block

        set comment ''

    next

end

 

2) Configuring IPS sensor (rule numbers under 'set rule' are equal to attack_id from above):

 

# config ips sensor

    edit "Block-ICMP-Out"

        # config entries

            edit 1

                set rule 1234

                set status enable

                set log-packet enable

                set action block

            next

        end

    next

end

 

3) Create address entry for destination IP:

 

# config firewall address

    edit "8.8.8.8"

        set subnet 8.8.8.8 255.255.255.255

    next

end

 

4) Configuring interface-policy and applying policy to FortiGate's outgoing interface:

 

# config firewall interface-policy

    edit 1

        set interface "OutSide"

        set srcaddr "all"

        set dstaddr "8.8.8.8"

        set service "ALL_ICMP"

        set ips-sensor-status enable

        set ips-sensor "Block-ICMP-Out"

    next

end

 

Verification:

 

Before applying firewall interface-policy:

 

# execute ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=112 time=17.1 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=112 time=17.4 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=112 time=17.2 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=112 time=17.2 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=112 time=17.3 ms

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 17.1/17.2/17.4 ms

 

After applying the firewall interface-policy:

 

# execute ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

 

GUI verification:  Log & Report -> Intrusion Prevention:

 

srajeswaran_FTNT_0-1668412605116.png
4790
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.