FortiGate
syordanov (Staff)
Article Id 412380
Description: This article describes how to configure FortiGate to send a TCP RST or an ICMP6 'unreachable prohibited' message for blocked traffic.
Scope: FortiOS 7.2, 7.4, 7.6
Solution

By default, FortiOS does not send a TCP RST for blocked traffic (IPv4 and IPv6). A policy setting and a system setting can be adjusted so that FortiGate sends either a RST to the client or an ICMP6 'unreachable prohibited' message.

Topology (figure topology_ipv6.JPG, not reproduced here): client 2a00:9480:10:1::1:2 on the port2 side, server 2a00:9480:11:1::1:2 on the port4 side.

FortiGate port2 and port4 interface configuration:

edit "port2"
    set vdom "root"
    set ip 192.168.183.1 255.255.255.0
    set allowaccess ping https ssh http telnet
    set type physical
    set snmp-index 2
    config ipv6
       set ip6-address 2a00:9480:10:1::1:1/64
       set ip6-allowaccess ping https http fgfm fabric
    end
next

edit "port4"
    set vdom "root"
    set type physical
    set snmp-index 4
    config ipv6
       set ip6-address 2a00:9480:11:1::1:1/64
       set ip6-allowaccess ping https ssh snmp http fgfm
    end
next

Firewall policy that blocks traffic from source IPv6 2a00:9480:10:1::1:2 to destination IPv6 2a00:9480:11:1::1:2 (no 'set action accept' is configured, so the policy action is the default deny):

config firewall policy
    edit 1
        set name "policyipv6"
        set uuid c9bb478e-3a14-51f0-04ea-ce5e10a20495
        set srcintf "port2"
        set dstintf "port4"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL_ICMP6" "ALL_TCP" "ALL_UDP"
        set logtraffic disable
    next
end

By default, when traffic from 2a00:9480:10:1::1:2 to 2a00:9480:11:1::1:2 is received, policy 1 blocks it (action deny) without sending any packet back to the client. The client therefore keeps retransmitting the same SYN until its own connection timeout expires, as the sniffer output below shows.

Output from diagnose sniffer:

diagnose sniffer packet any " host 2a00:9480:10:1::1:2" 4
Using Original Sniffing Mode
interfaces=[any]
filters=[ host 2a00:9480:10:1::1:2]
2.305612 port2 in 2a00:9480:10:1::1:2.57978 -> 2a00:9480:11:1::1:2.23: syn 3939747311 [flowlabel 0x717e7]
3.334077 port2 in 2a00:9480:10:1::1:2.57978 -> 2a00:9480:11:1::1:2.23: syn 3939747311 [flowlabel 0xa8efd]
5.350134 port2 in 2a00:9480:10:1::1:2.57978 -> 2a00:9480:11:1::1:2.23: syn 3939747311 [flowlabel 0x9b918]
9.610156 port2 in 2a00:9480:10:1::1:2.57978 -> 2a00:9480:11:1::1:2.23: syn 3939747311 [flowlabel 0x11401]
17.798305 port2 in 2a00:9480:10:1::1:2.57978 -> 2a00:9480:11:1::1:2.23: syn 3939747311 [flowlabel 0x2d1bf]
33.926799 port2 in 2a00:9480:10:1::1:2.57978 -> 2a00:9480:11:1::1:2.23: syn 3939747311 [flowlabel 0x7d7b5]
66.183311 port2 in 2a00:9480:10:1::1:2.57978 -> 2a00:9480:11:1::1:2.23: syn 3939747311 [flowlabel 0x64625]

If policy 1 has 'set send-deny-packet enable', FortiOS starts sending RST packets:

diagnose sniffer packet any " host 2a00:9480:10:1::1:2" 4
Using Original Sniffing Mode
interfaces=[any]
filters=[ host 2a00:9480:10:1::1:2]
2.560202 port2 in 2a00:9480:10:1::1:2.48202 -> 2a00:9480:11:1::1:2.23: syn 4264794885 [flowlabel 0xc47f4]
2.560268 port2 out 2a00:9480:11:1::1:2.23 -> 2a00:9480:10:1::1:2.48202: rst 0 ack 4264794886

The client receives the message 'telnet: Unable to connect to remote host: Connection refused'. The source IPv6 address of the RST packet is the IPv6 address of the server (2a00:9480:11:1::1:2), even though the packet is generated by FortiGate and sent out of port2.

FortiOS provides a mechanism to change the source IPv6 address: instead of 2a00:9480:11:1::1:2, FortiOS can respond from the IPv6 address assigned to port2, and instead of a RST packet it sends an ICMP6 'unreachable prohibited' message.

With the configuration below in place:

config system settings
    set deny-tcp-with-icmp enable  <----- Disabled by default.
end

And in the policy:

config firewall policy
    edit 1
        set name "policyipv6"
        set uuid c9bb478e-3a14-51f0-04ea-ce5e10a20495
        set srcintf "port2"
        set dstintf "port4"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL_ICMP6" "ALL_TCP" "ALL_UDP"
        set logtraffic disable
        set send-deny-packet enable  <----- Disabled by default.
    next
end

Output from sniffer:

diagnose sniffer packet any " host 2a00:9480:10:1::1:2" 4
Using Original Sniffing Mode
interfaces=[any]
filters=[ host 2a00:9480:10:1::1:2]
2.576911 port2 in 2a00:9480:10:1::1:2.49646 -> 2a00:9480:11:1::1:2.23: syn 2939366281 [flowlabel 0x1fdae]
2.576986 port2 out 2a00:9480:10:1::1:1 -> 2a00:9480:10:1::1:2: icmp6: 2a00:9480:11:1::1:2 unreachable prohibited
4.032008 port2 in 2a00:9480:10:1::1:2.49654 -> 2a00:9480:11:1::1:2.23: syn 1476236024 [flowlabel 0x81c4]
4.032132 port2 out 2a00:9480:10:1::1:1 -> 2a00:9480:10:1::1:2: icmp6: 2a00:9480:11:1::1:2 unreachable prohibited
4.788334 port2 in 2a00:9480:10:1::1:2.49656 -> 2a00:9480:11:1::1:2.23: syn 3053944309 [flowlabel 0x43d92]
4.788505 port2 out 2a00:9480:10:1::1:1 -> 2a00:9480:10:1::1:2: icmp6: 2a00:9480:11:1::1:2 unreachable prohibited
5.344532 port2 in 2a00:9480:10:1::1:2.49658 -> 2a00:9480:11:1::1:2.23: syn 4919032 [flowlabel 0x67e2d]
5.344659 port2 out 2a00:9480:10:1::1:1 -> 2a00:9480:10:1::1:2: icmp6: 2a00:9480:11:1::1:2 unreachable prohibited

Summary:

Without 'set send-deny-packet enable' and 'set deny-tcp-with-icmp enable', FortiGate does not send any RST or ICMP unreachable packet to the client; the client's SYN retransmissions time out on their own.

With only 'set send-deny-packet enable', FortiGate sends RST packets to the client, sourced from the server's IPv6 address.

With both 'set send-deny-packet enable' and 'set deny-tcp-with-icmp enable', FortiGate sends an ICMP6 'unreachable prohibited' message to the client, sourced from the IPv6 address assigned to port2.
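As an added example (not part of this article and not FortiOS code), the following Python parses the verbose-4 'diagnose sniffer packet' lines shown above, counts client SYNs and FortiGate replies, and reports which of the three deny behaviours is in effect together with the setting combination it implies. The capture lines are copied from the article's three captures; the regular expressions and the IMPLIED_CONFIG mapping are this example's own.

```python
import re
# Sniffer lines taken from the article's three captures (one SYN/reply pair each); the
# parser below is an added example for reading them, not FortiOS code.
CAPTURE_DEFAULT = """\
2.305612 port2 in 2a00:9480:10:1::1:2.57978 -> 2a00:9480:11:1::1:2.23: syn 3939747311 [flowlabel 0x717e7]
3.334077 port2 in 2a00:9480:10:1::1:2.57978 -> 2a00:9480:11:1::1:2.23: syn 3939747311 [flowlabel 0xa8efd]
"""
CAPTURE_RST = """\
2.560202 port2 in 2a00:9480:10:1::1:2.48202 -> 2a00:9480:11:1::1:2.23: syn 4264794885 [flowlabel 0xc47f4]
2.560268 port2 out 2a00:9480:11:1::1:2.23 -> 2a00:9480:10:1::1:2.48202: rst 0 ack 4264794886
"""
CAPTURE_ICMP6 = """\
2.576911 port2 in 2a00:9480:10:1::1:2.49646 -> 2a00:9480:11:1::1:2.23: syn 2939366281 [flowlabel 0x1fdae]
2.576986 port2 out 2a00:9480:10:1::1:1 -> 2a00:9480:10:1::1:2: icmp6: 2a00:9480:11:1::1:2 unreachable prohibited
"""

# TCP line: "<ts> <intf> <in|out> <src>.<sport> -> <dst>.<dport>: <flag> ..."
TCP_RE = re.compile(r"^(?P<ts>[\d.]+) (?P<intf>\S+) (?P<dir>in|out) "
                    r"(?P<src>\S+)\.(?P<sport>\d+) -> (?P<dst>\S+)\.(?P<dport>\d+): (?P<flag>\w+)")
# ICMP6 line: "<ts> <intf> out <src> -> <dst>: icmp6: <orig_dst> unreachable prohibited"
ICMP6_RE = re.compile(r"^(?P<ts>[\d.]+) (?P<intf>\S+) (?P<dir>in|out) "
                      r"(?P<src>\S+) -> (?P<dst>\S+): icmp6: (?P<orig_dst>\S+) unreachable prohibited")
# Observed behaviour -> the two settings the article discusses (example's own mapping).
IMPLIED_CONFIG = {
    "silent": "send-deny-packet disable",
    "rst":    "send-deny-packet enable, deny-tcp-with-icmp disable",
    "icmp6":  "send-deny-packet enable, deny-tcp-with-icmp enable",
}

def classify_deny_response(capture: str) -> dict:
    """Report which deny behaviour (silent drop, spoofed RST, ICMP6 prohibited) a capture shows."""
    syns, replies = 0, []
    for line in capture.splitlines():
        m = ICMP6_RE.match(line)
        if m and m["dir"] == "out":
            replies.append(("icmp6", m["src"]))  # sourced from the FortiGate port2 address
            continue
        m = TCP_RE.match(line)
        if not m:
            continue  # skips sniffer header lines such as "interfaces=[any]"
        if m["dir"] == "in" and m["flag"] == "syn":
            syns += 1
        elif m["dir"] == "out" and m["flag"] == "rst":
            replies.append(("rst", m["src"]))  # spoofed with the server's address
    if syns == 0:
        raise ValueError("capture contains no client SYN")
    kinds = {kind for kind, _ in replies}
    mode = "silent" if not kinds else (kinds.pop() if len(kinds) == 1 else "mixed")
    return {"mode": mode, "syns": syns, "replies": len(replies),
            "reply_src": replies[0][1] if replies else None,
            "implied_config": IMPLIED_CONFIG.get(mode, "inconsistent capture")}
```

To check a live unit, paste the output of the same sniffer command into classify_deny_response(); a 'mixed' result means the capture contains both RST and ICMP6 replies and should be re-taken after the settings change.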
