Technical Tip: Block ICMP timestamp on FortiGate interface while keeping ping enabled

ppatel · ‎01-25-2022

Description

This article describes Block ICMP timestamp on Fortigate interface while keeping ping enabled.

The ICMP timestamp response from Fortigate contains device's date and time. This information could be used as a vulnerability with high visibility.

To block ICMP timestamp request on wan1 interface IP, follow the below steps:

config system interface

edit "wan1"

set vdom "root"

set ip 1.1.1.1 255.255.255.0

set allowaccess ping

set type physical

set snmp-index 1

Scope

FortiGate.

Solution

Create a firewall service for ICMP type 13 (timestamp request):

config firewall service custom

edit "TIMESTAMP"

set protocol ICMP

set icmptype 13

Create address entry for wan1 interface IP:

config firewall address

edit "wan1-IP"

set subnet 1.1.1.1 255.255.255.255

Create local-in-policy to block timestamp requests on wan1 interface IP:

config firewall local-in-policy

edit 1

set intf "wan1"

set srcaddr "all"

set dstaddr "wan1-IP"

set service "TIMESTAMP"

set schedule "always"

set action deny

Note that for the HA reserved management interface, need to add a dedicated command for the HA management interface. Refer to the guide below to configure the local-in policy for the dedicated reserved management interface: Technical Tip: How to configure a local-in policy on a HA reserved management interface

Testing the Policy Is Working:

In order to test the local-in policy is working as expected, use a tool such as hping3 to generate test traffic.

https://linux.die.net/man/8/hping3

Example command:

sudo hping3 1.2.3.4 --icmp --icmp-ts <- icmp-ts flag creates the type 13 Traffic.

Verify the local-in policy exists and note the policy index number:

diag firewall iprope list 100001

policy index=1 uuid_idx=16080 action=drop
flag (8010001): log master pol_stats
schedule(always)
cos_fwd=0 cos_rev=0
group=00100001 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 3 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=15741,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=15741,
service(1):
[1:0x0:0/(0,65535)->(13,13)] flags:0 helper:auto

diag firewall iprope show 100001 1 <- The final 1 of this line is the policy index number.
idx:1
pkts:0 (0 0 0 0 0 0 0 0)
bytes:0 (0 0 0 0 0 0 0 0)
asic_pkts:0 (0 0 0 0 0 0 0 0)
asic_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0

Example Output of hping3 test:

Without local-in policy:

$ sudo hping3 1.2.3.4 --icmp --icmp-ts
using eth0, addr: 10.10.10.10, MTU: 1500
HPING 1.2.3.4 (eth0 1.2.3.4): icmp mode set, 28 headers + 0 data bytes
len=46 ip=1.2.3.4 ttl=246 id=65378 tos=0 iplen=40
icmp_seq=0 rtt=18.7 ms
ICMP timestamp: Originate=41865392 Receive=41865390 Transmit=41865390
ICMP timestamp RTT tsrtt=20

With local-in policy enabled:

$ sudo hping3 1.2.3.4 --icmp --icmp-ts
using eth0, addr: 10.10.10.10, MTU: 1500
HPING 1.2.3.4 (eth0 1.2.3.4): icmp mode set, 28 headers + 0 data bytes
^C
--- 1.2.3.4 hping statistic ---
19 packets transmitted, 0 packets received, 100% packet loss <- 19 packets transmitted - all blocked.

Check Traffic Statistics:

diag firewall iprope show 100001 1
idx:1
pkts:19 (19 0 0 0 0 0 0 0) <- 19 packets matching the block policy.
bytes:760 (760 0 0 0 0 0 0 0)
asic_pkts:0 (0 0 0 0 0 0 0 0)
asic_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0
hit count:19 (19 0 0 0 0 0 0 0)
first hit:2024-10-29 12:39:07 last hit:2024-10-29 12:39:25