Technical Tip: Blocking ICMP type 3 messages (Destination Unreachable) replies after advertising a blackhole route to the network

jalanisrocha · ‎10-16-2019

Description
In case DNAT/Static NAT is in use for a subnet that is different than the WAN interface, routing information to this subnet should be advertised to the network.
A commonly used method to advertise those prefixes is with the use of a static route with blackhole enabled, so that this prefix will be available to be redistributed to any routing protocol.

However, there’s a security concern when a blackhole route is redistributed to the network, if a host tries to ping an address included in this range, the FortiGate will reply with an ICMP type 3 message (Destination Unreachable), which can be associated to multiple kinds of attacks.
This article explains how to configure the FortiGate to filter any ICMP echo to an IP Address matching the blackhole route, so that it will not reply with an ICMP Type 3 message.

Solution
Topology:

Details:
1) FGT1 should allow communication from the internet to the Server with the external IP 192.0.10.10.
2) Prefix 192.0.10.10/24 was allocated for this customer.
3) FGT1 and FGT2 run EBGP, and the prefix 192.0.10.0/24 should be advertised from FGT1 to FGT2.
4) ICMP requests to IP addresses in the range of 192.0.10.0/24 with no static NAT rule should be dropped.

Configuration:

1) Configuring the blackhole route for the allocated prefix:

#FGT1 # show router static
config router static
    edit 1
        set dst 192.0.10.0 255.255.255.0
        set blackhole enable
    next
end
2) Advertising this route to BGP:

#FGT1 # show router bgp
config router bgp
…
config redistribute "static"
        set status enable
    end
3) Configuring a VIP as a static NAT for the server:

#config firewall vip
    edit "VIP-Server"
        set uuid c3973916-ec3c-51e9-ff5f-6962ff6aed62
        set extip 192.0.10.10
        set extintf "port3"
        set mappedip "192.168.20.30"
    next
end
4) Configuring a firewall policy to allow the traffic from the internet to the server:

#FGT1 # show firewall policy 1
config firewall policy
    edit 1
        set name "3-5-VIP"
        set uuid c9c1bd7a-ef20-51e9-bcac-899d5242fc50
        set srcintf "port3"
        set dstintf "port5"
        set srcaddr "all"
        set dstaddr "VIP-Server"
        set action accept
        set schedule "always"
        set service "ALL "
        set fsso disable
    next
end

At this point FGT1 allows inbound connections for the VIP and FGT2 can reach the server using the public address:

#FGT2 # get router info routing-table bgp

Routing table for VRF=0
B       192.0.10.0/24 [20/0] via 192.0.2.1, port1, 01:01:26

FGT2 # exec ping 192.0.10.10
PING 192.0.10.10 (192.0.10.10): 56 data bytes
64 bytes from 192.0.10.10: icmp_seq=0 ttl=127 time=1.3 ms
64 bytes from 192.0.10.10: icmp_seq=1 ttl=127 time=1.2 ms
64 bytes from 192.0.10.10: icmp_seq=2 ttl=127 time=1.1 ms
64 bytes from 192.0.10.10: icmp_seq=3 ttl=127 time=1.2 ms
64 bytes from 192.0.10.10: icmp_seq=4 ttl=127 time=1.0 ms

--- 192.0.10.10 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.0/1.1/1.3 ms
However, if FGT2 pings another address in the same range, FGT2 will still reply with an ICMP Type 3 message to those requests:

#FGT2 # exec ping 192.0.10.1
PING 192.0.10.1 (192.0.10.1): 56 data bytes
Warning: Got ICMP 3 (Destination Unreachable)
Warning: Got ICMP 3 (Destination Unreachable)
Warning: Got ICMP 3 (Destination Unreachable)
Warning: Got ICMP 3 (Destination Unreachable)
Warning: Got ICMP 3 (Destination Unreachable)

--- 192.0.10.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
The way to prevent the FortiGate from replying with these messages is by configuring a Local-in policy on FGT1 denying ICMP requests to the subnet 192.0.10.0/24:

#FGT1 # show firewall local-in-policy
config firewall local-in-policy
    edit 1
        set intf "port3"
        set srcaddr "all"
        set dstaddr "192.0.10.0/24"
        set service "ALL_ICMP"
        set schedule "always"
    next
end
After this, FGT2 will not receive a reply from FGT1 while pinging any other address which does not match a static NAT rule and it will reply to addresses with a VIP configured for them:

#FGT2 # exec ping 192.0.10.1
PING 192.0.10.1 (192.0.10.1): 56 data bytes

--- 192.0.10.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

#FGT2 # exec ping 192.0.10.10
PING 192.0.10.10 (192.0.10.10): 56 data bytes
64 bytes from 192.0.10.10: icmp_seq=0 ttl=127 time=1.1 ms
64 bytes from 192.0.10.10: icmp_seq=1 ttl=127 time=2.0 ms
64 bytes from 192.0.10.10: icmp_seq=2 ttl=127 time=1.0 ms
64 bytes from 192.0.10.10: icmp_seq=3 ttl=127 time=4.2 ms
64 bytes from 192.0.10.10: icmp_seq=4 ttl=127 time=1.0 ms

--- 192.0.10.10 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.0/1.8/4.2 ms
No other addresses will be affected by the Local-in policy, ping to the BGP neighbor of FGT2 works:

#FGT2 # exec ping 192.0.2.1
PING 192.0.2.1 (192.0.2.1): 56 data bytes
64 bytes from 192.0.2.1: icmp_seq=0 ttl=255 time=0.1 ms
64 bytes from 192.0.2.1: icmp_seq=1 ttl=255 time=0.1 ms
64 bytes from 192.0.2.1: icmp_seq=2 ttl=255 time=0.1 ms
64 bytes from 192.0.2.1: icmp_seq=3 ttl=255 time=0.1 ms
64 bytes from 192.0.2.1: icmp_seq=4 ttl=255 time=0.1 ms

--- 192.0.2.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.1 ms