Description
In case DNAT/Static NAT is in use for a subnet that is different than the WAN interface, routing information to this subnet should be advertised to the network.
A commonly used method to advertise those prefixes is with the use of a static route with blackhole enabled, so that this prefix will be available to be redistributed to any routing protocol.
However, there’s a security concern when a blackhole route is redistributed to the network, if a host tries to ping an address included in this range, the FortiGate will reply with an ICMP type 3 message (Destination Unreachable), which can be associated to multiple kinds of attacks.
This article explains how to configure the FortiGate to filter any ICMP echo to an IP Address matching the blackhole route, so that it will not reply with an ICMP Type 3 message.
Solution
Topology:
Details:
1) FGT1 should allow communication from the internet to the Server with the external IP 192.0.10.10.
2) Prefix 192.0.10.10/24 was allocated for this customer.
3) FGT1 and FGT2 run EBGP, and the prefix 192.0.10.0/24 should be advertised from FGT1 to FGT2.
4) ICMP requests to IP addresses in the range of 192.0.10.0/24 with no static NAT rule should be dropped.
Configuration:
1) Configuring the blackhole route for the allocated prefix:
#FGT1 # show router static2) Advertising this route to BGP:
config router static
edit 1
set dst 192.0.10.0 255.255.255.0
set blackhole enable
next
end
#FGT1 # show router bgp3) Configuring a VIP as a static NAT for the server:
config router bgp
…
config redistribute "static"
set status enable
end
#config firewall vip4) Configuring a firewall policy to allow the traffic from the internet to the server:
edit "VIP-Server"
set uuid c3973916-ec3c-51e9-ff5f-6962ff6aed62
set extip 192.0.10.10
set extintf "port3"
set mappedip "192.168.20.30"
next
end
#FGT1 # show firewall policy 1
config firewall policy
edit 1
set name "3-5-VIP"
set uuid c9c1bd7a-ef20-51e9-bcac-899d5242fc50
set srcintf "port3"
set dstintf "port5"
set srcaddr "all"
set dstaddr "VIP-Server"
set action accept
set schedule "always"
set service "ALL "
set fsso disable
next
end
At this point FGT1 allows inbound connections for the VIP and FGT2 can reach the server using the public address:
#FGT2 # get router info routing-table bgpHowever, if FGT2 pings another address in the same range, FGT2 will still reply with an ICMP Type 3 message to those requests:
Routing table for VRF=0
B 192.0.10.0/24 [20/0] via 192.0.2.1, port1, 01:01:26
FGT2 # exec ping 192.0.10.10
PING 192.0.10.10 (192.0.10.10): 56 data bytes
64 bytes from 192.0.10.10: icmp_seq=0 ttl=127 time=1.3 ms
64 bytes from 192.0.10.10: icmp_seq=1 ttl=127 time=1.2 ms
64 bytes from 192.0.10.10: icmp_seq=2 ttl=127 time=1.1 ms
64 bytes from 192.0.10.10: icmp_seq=3 ttl=127 time=1.2 ms
64 bytes from 192.0.10.10: icmp_seq=4 ttl=127 time=1.0 ms
--- 192.0.10.10 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.0/1.1/1.3 ms
#FGT2 # exec ping 192.0.10.1The way to prevent the FortiGate from replying with these messages is by configuring a Local-in policy on FGT1 denying ICMP requests to the subnet 192.0.10.0/24:
PING 192.0.10.1 (192.0.10.1): 56 data bytes
Warning: Got ICMP 3 (Destination Unreachable)
Warning: Got ICMP 3 (Destination Unreachable)
Warning: Got ICMP 3 (Destination Unreachable)
Warning: Got ICMP 3 (Destination Unreachable)
Warning: Got ICMP 3 (Destination Unreachable)
--- 192.0.10.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
#FGT1 # show firewall local-in-policyAfter this, FGT2 will not receive a reply from FGT1 while pinging any other address which does not match a static NAT rule and it will reply to addresses with a VIP configured for them:
config firewall local-in-policy
edit 1
set intf "port3"
set srcaddr "all"
set dstaddr "192.0.10.0/24"
set service "ALL_ICMP"
set schedule "always"
next
end
#FGT2 # exec ping 192.0.10.1No other addresses will be affected by the Local-in policy, ping to the BGP neighbor of FGT2 works:
PING 192.0.10.1 (192.0.10.1): 56 data bytes
--- 192.0.10.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
#FGT2 # exec ping 192.0.10.10
PING 192.0.10.10 (192.0.10.10): 56 data bytes
64 bytes from 192.0.10.10: icmp_seq=0 ttl=127 time=1.1 ms
64 bytes from 192.0.10.10: icmp_seq=1 ttl=127 time=2.0 ms
64 bytes from 192.0.10.10: icmp_seq=2 ttl=127 time=1.0 ms
64 bytes from 192.0.10.10: icmp_seq=3 ttl=127 time=4.2 ms
64 bytes from 192.0.10.10: icmp_seq=4 ttl=127 time=1.0 ms
--- 192.0.10.10 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.0/1.8/4.2 ms
#FGT2 # exec ping 192.0.2.1
PING 192.0.2.1 (192.0.2.1): 56 data bytes
64 bytes from 192.0.2.1: icmp_seq=0 ttl=255 time=0.1 ms
64 bytes from 192.0.2.1: icmp_seq=1 ttl=255 time=0.1 ms
64 bytes from 192.0.2.1: icmp_seq=2 ttl=255 time=0.1 ms
64 bytes from 192.0.2.1: icmp_seq=3 ttl=255 time=0.1 ms
64 bytes from 192.0.2.1: icmp_seq=4 ttl=255 time=0.1 ms
--- 192.0.2.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.1 ms
