Description
This article describes how to configure FortiGate to filter ICMP type 3 (Destination Unreachable) messages. In the example below, codes 0, 1, 3 and 4 are blocked.
If ICMP Unreachable messages (type 3) must be blocked for security reasons (for example, to mitigate a BlackNurse attack), the FortiGate administrator can use an interface-policy with an IPS sensor to block ICMP type 3 messages.
Type 3 Code 0 - Destination Unreachable Network Unreachable
Type 3 Code 1 - Destination Unreachable Host Unreachable
Type 3 Code 3 - Destination Unreachable Port Unreachable
Type 3 Code 4 - Destination Unreachable Fragmentation Needed and Don't Fragment was Set
Scope
FortiGate.
Topology and Prerequisite:
Solution
Custom signature syntax:
F-SBID( --<option1> [<value1>]; --<option2> [<value2>];...)
F-SBID( --name "ICMP.type_3,code_0.Custom"; --protocol ICMP; --icmp_type 3; --icmp_code 0; )
F-SBID( --name "ICMP.type_3,code_1.Custom"; --protocol ICMP; --icmp_type 3; --icmp_code 1; )
F-SBID( --name "ICMP.type_3,code_3.Custom"; --protocol ICMP; --icmp_type 3; --icmp_code 3; )
F-SBID( --name "ICMP.type_3,code_4.Custom"; --protocol ICMP; --icmp_type 3; --icmp_code 4; )
FGT2 # config ips custom
FGT2 (custom) # edit Type3Code0
FGT2 (Type3Code0) # set signature "F-SBID( --name "ICMP.type_3,code_0.Custom"; --protocol ICMP; --icmp_type 3; --icmp_code 0; )"
FGT2 (Type3Code0) # set action block
FGT2 (Type3Code0) # next
FGT2 (custom) # edit Type3Code1
FGT2 (Type3Code1) # set signature "F-SBID( --name "ICMP.type_3,code_1.Custom"; --protocol ICMP; --icmp_type 3; --icmp_code 1; )"
FGT2 (Type3Code1) # set action block
FGT2 (Type3Code1) # next
FGT2 (custom) # edit Type3Code3
FGT2 (Type3Code3) # set signature "F-SBID( --name "ICMP.type_3,code_3.Custom"; --protocol ICMP; --icmp_type 3; --icmp_code 3; )"
FGT2 (Type3Code3) # set action block
FGT2 (Type3Code3) # next
FGT2 (custom) # edit Type3Code4
FGT2 (Type3Code4) # set signature "F-SBID( --name "ICMP.type_3,code_4.Custom"; --protocol ICMP; --icmp_type 3; --icmp_code 4; )"
FGT2 (Type3Code4) # set action block
FGT2 (Type3Code4) # next
FGT2 (custom) # end
FGT2 # config ips custom
FGT2 (custom) # show
config ips custom
edit "Type3Code0"
set signature "F-SBID( --attack_id 4931; --name ICMP.type_3,code_0.Custom; --protocol ICMP; --icmp_type 3; --icmp_code 0; )"
set action block
set comment ''
next
edit "Type3Code1"
set signature "F-SBID( --attack_id 1771; --name ICMP.type_3,code_1.Custom; --protocol ICMP; --icmp_type 3; --icmp_code 1; )"
set action block
set comment ''
next
edit "Type3Code3"
set signature "F-SBID( --attack_id 2315; --name ICMP.type_3,code_3.Custom; --protocol ICMP; --icmp_type 3; --icmp_code 3; )"
set action block
set comment ''
next
edit "Type3Code4"
set signature "F-SBID( --attack_id 8154; --name ICMP.type_3,code_4.Custom; --protocol ICMP; --icmp_type 3; --icmp_code 4; )"
set action block
set comment ''
next
end
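The four F-SBID signatures above match purely on the ICMP type and code fields. The following Python block is an added example (not Fortinet code and not part of the article) that models that match logic in software: it parses an IPv4 packet, locates the ICMP header behind the IP header (honouring the IHL), and returns the signature name and attack_id that would fire, using the attack_id values from the "show" output above. Packets that are not well-formed IPv4 ICMP fall through as "pass", since the sensor can only act on what it can parse. The sample packets are constructed in the block, not captured; the rule table is data so that a practitioner who needs Path MTU Discovery (which depends on type 3 code 4) can drop that entry.

```python
import struct

# The (type, code) pairs the article's four custom signatures match on, with
# the signature names and attack_id values from the article's "show" output.
# This dict is the whole policy: remove the (3, 4) entry to keep Path MTU
# Discovery working on paths that carry DF-set traffic.
BLOCKED_ICMP = {
    (3, 0): ("ICMP.type_3,code_0.Custom", 4931),
    (3, 1): ("ICMP.type_3,code_1.Custom", 1771),
    (3, 3): ("ICMP.type_3,code_3.Custom", 2315),
    (3, 4): ("ICMP.type_3,code_4.Custom", 8154),
}

IPPROTO_ICMP = 1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_icmp(src: str, dst: str, icmp_type: int, icmp_code: int,
                    payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4+ICMP packet (constructed test input, not captured traffic)."""
    body = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + payload
    csum = inet_checksum(body)
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, csum, 0) + payload
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # version 4, IHL 5, TTL 64, protocol ICMP, header checksum filled in below
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                      IPPROTO_ICMP, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def inspect_packet(pkt: bytes):
    """Apply the signature set to one packet.

    Returns ("block", signature_name, attack_id) when the ICMP type/code is in
    BLOCKED_ICMP, otherwise ("pass", None, None). Anything that is not a
    well-formed IPv4 ICMP packet falls through as "pass".
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ("pass", None, None)
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != IPPROTO_ICMP or len(pkt) < ihl + 8:
        return ("pass", None, None)
    icmp_type, icmp_code = pkt[ihl], pkt[ihl + 1]
    hit = BLOCKED_ICMP.get((icmp_type, icmp_code))
    if hit is None:
        return ("pass", None, None)
    return ("block", hit[0], hit[1])


def icmp_checksum_ok(pkt: bytes) -> bool:
    """True when the ICMP checksum verifies (a valid message sums to zero)."""
    ihl = (pkt[0] & 0x0F) * 4
    return inet_checksum(pkt[ihl:]) == 0


if __name__ == "__main__":
    # The reply seen in the article's "before" capture: net unreachable from FGT2.
    net_unreach = build_ipv4_icmp("20.20.20.20", "192.168.11.15", 3, 0)
    print(inspect_packet(net_unreach))   # ('block', 'ICMP.type_3,code_0.Custom', 4931)
    echo = build_ipv4_icmp("192.168.11.15", "14.14.14.14", 8, 0, b"ping")
    print(inspect_packet(echo))          # ('pass', None, None)
```

The inspector reads the IHL rather than assuming a 20-byte header, so IPv4 options do not shift the ICMP fields it matches on; that is the same reason the real signatures key on the protocol field rather than on a byte offset.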
Configuring the IPS sensor (the rule numbers under 'set rule' are the attack_id values assigned to the custom signatures above):
FGT2 (ICMP_Type3_Profile) # show
config ips sensor
edit "ICMP_Type3_Profile"
config entries
edit 1
set rule 4931 1771 2315 8154
set status enable
set log-packet enable
set action block
next
end
next
end
Configuring the interface-policy and applying it to the FGT2 interface facing FGT1 (port3):
FGT2 (interface-policy) # show
config firewall interface-policy
edit 1
set interface port3
set srcaddr "all"
set dstaddr "all"
set service "ALL_ICMP"
set ips-sensor-status enable
set ips-sensor "ICMP_Type3_Profile"
next
end
Verification:
Before applying firewall interface-policy:
root@client:~# ping 14.14.14.14
PING 14.14.14.14 (14.14.14.14) 56(84) bytes of data.
From 20.20.20.20 icmp_seq=1 Destination Net Unreachable
From 20.20.20.20 icmp_seq=2 Destination Net Unreachable
From 20.20.20.20 icmp_seq=3 Destination Net Unreachable
From 20.20.20.20 icmp_seq=4 Destination Net Unreachable
FGT2 # diagnose sniffer packet any "icmp" 4
interfaces=[any]
filters=[icmp]
4.285542 port3 in 192.168.11.15 -> 14.14.14.14: icmp: echo request
4.285671 port3 out 20.20.20.20 -> 192.168.11.15: icmp: net 14.14.14.14 unreachable
5.286351 port3 in 192.168.11.15 -> 14.14.14.14: icmp: echo request
5.286471 port3 out 20.20.20.20 -> 192.168.11.15: icmp: net 14.14.14.14 unreachable
6.287305 port3 in 192.168.11.15 -> 14.14.14.14: icmp: echo request
6.287385 port3 out 20.20.20.20 -> 192.168.11.15: icmp: net 14.14.14.14 unreachable
7.289002 port3 in 192.168.11.15 -> 14.14.14.14: icmp: echo request
7.289060 port3 out 20.20.20.20 -> 192.168.11.15: icmp: net 14.14.14.14 unreachable
After applying the firewall interface-policy:
root@client:~# ping 14.14.14.14
PING 14.14.14.14 (14.14.14.14) 56(84) bytes of data.
^C
--- 14.14.14.14 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 6142ms
FGT2 # diagnose sniffer packet any "icmp" 4
interfaces=[any]
filters=[icmp]
11.673391 port3 in 192.168.11.15 -> 14.14.14.14: icmp: echo request
12.694983 port3 in 192.168.11.15 -> 14.14.14.14: icmp: echo request
13.719047 port3 in 192.168.11.15 -> 14.14.14.14: icmp: echo request
14.743034 port3 in 192.168.11.15 -> 14.14.14.14: icmp: echo request
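The two sniffer captures above are the evidence that the policy works: echo requests still arrive on port3, but no "unreachable" reply leaves it. The following Python block is an added example (not Fortinet code and not part of the article) that parses `diagnose sniffer packet` output lines of the form shown above and counts ICMP messages per interface, direction and kind, so the before/after comparison can be scripted instead of eyeballed. The two capture texts are copied from the article's output; the line format regex and the keyword-based classification of the trailing message text are assumptions based on those lines.

```python
import re
from collections import Counter

# Sample input: the two captures shown in the article, verbatim.
CAPTURE_BEFORE = """interfaces=[any]
filters=[icmp]
4.285542 port3 in 192.168.11.15 -> 14.14.14.14: icmp: echo request
4.285671 port3 out 20.20.20.20 -> 192.168.11.15: icmp: net 14.14.14.14 unreachable
5.286351 port3 in 192.168.11.15 -> 14.14.14.14: icmp: echo request
5.286471 port3 out 20.20.20.20 -> 192.168.11.15: icmp: net 14.14.14.14 unreachable
6.287305 port3 in 192.168.11.15 -> 14.14.14.14: icmp: echo request
6.287385 port3 out 20.20.20.20 -> 192.168.11.15: icmp: net 14.14.14.14 unreachable
7.289002 port3 in 192.168.11.15 -> 14.14.14.14: icmp: echo request
7.289060 port3 out 20.20.20.20 -> 192.168.11.15: icmp: net 14.14.14.14 unreachable
"""

CAPTURE_AFTER = """interfaces=[any]
filters=[icmp]
11.673391 port3 in 192.168.11.15 -> 14.14.14.14: icmp: echo request
12.694983 port3 in 192.168.11.15 -> 14.14.14.14: icmp: echo request
13.719047 port3 in 192.168.11.15 -> 14.14.14.14: icmp: echo request
14.743034 port3 in 192.168.11.15 -> 14.14.14.14: icmp: echo request
"""

# Assumed line layout: "<ts> <iface> <in|out> <src> -> <dst>: icmp: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+icmp:\s+(?P<msg>.+)$"
)


def classify(msg: str) -> str:
    """Bucket the free-text ICMP description; 'unreachable' covers all type 3 codes."""
    m = msg.lower()
    if "unreachable" in m:
        return "unreachable"
    if m.startswith("echo request"):
        return "echo request"
    if m.startswith("echo reply"):
        return "echo reply"
    return "other"


def summarize(capture: str) -> Counter:
    """Count ICMP messages keyed by (interface, direction, kind)."""
    counts = Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header lines such as interfaces=[any] / filters=[icmp]
        counts[(m["iface"], m["dir"], classify(m["msg"]))] += 1
    return counts


def unreachable_leaked(capture: str, iface: str = "port3") -> int:
    """Number of ICMP unreachable messages that left the given interface."""
    return summarize(capture)[(iface, "out", "unreachable")]


def policy_effective(capture: str, iface: str = "port3") -> bool:
    """True when echo requests still arrive on iface but no unreachable leaves it."""
    counts = summarize(capture)
    return counts[(iface, "in", "echo request")] > 0 and \
        counts[(iface, "out", "unreachable")] == 0


if __name__ == "__main__":
    print("before:", unreachable_leaked(CAPTURE_BEFORE), policy_effective(CAPTURE_BEFORE))  # 4 False
    print("after: ", unreachable_leaked(CAPTURE_AFTER), policy_effective(CAPTURE_AFTER))    # 0 True
```

To use it against a live box, paste the sniffer output into a file and call `policy_effective(open(path).read())`; the check deliberately requires that echo requests are still seen inbound, so an empty capture (sniffer not running, wrong interface) does not count as success.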
To verify in the GUI, go to Log & Report -> Intrusion Prevention:
Related article:
Troubleshoot Tip: How ip-conn Log ID 0000000011 dns logs are generated
Copyright 2024 Fortinet, Inc. All Rights Reserved.