This article describes how to configure IPv4 policies to allow ICMP service, so the policies will not drop legitimate traffic while performing NAT64 or NAT46.
All.
As is well known, if traffic does not match the service (the port range and protocol defined in the service), it does not match the policy and is dropped.
To allow traffic to hit a policy that uses any of the entities below (or similar ones) with NAT64 or NAT46 enabled:
config firewall vip6
edit <VIP NAME>
set ipv4-mappedip 172.16.200.55 <--
end
config firewall ippool
edit <IP POOL NAME>
set nat64 enable <--
end
Then both the 'ICMP' and 'ICMPv6' services must be configured in the policy. This is because the FortiGate performs two policy checks, one on the IPv6 side and one on the IPv4 side, and ICMP and ICMPv6 are different protocols.
config firewall policy
edit <POLICY_ID>
set service "ALL_ICMP6" "ALL_ICMP" <--
end
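As an added example (not part of the Fortinet article and not a Fortinet tool), the following Python script audits a FortiOS-style policy configuration backup for the gap described above: any policy that performs NAT64 or NAT46 but does not carry both ALL_ICMP and ALL_ICMP6 in its service list. The script assumes that a translating policy can be recognised by a 'set nat64 enable' or 'set nat46 enable' line inside the policy, that a policy whose service is "ALL" already covers both protocols, and the sample configuration text is constructed for the demonstration.

```python
import re

# Constructed sample configuration in FortiOS CLI syntax (not from the article).
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "nat64-missing-icmp6"
        set srcintf "port1"
        set dstintf "port2"
        set nat64 enable
        set service "ALL_ICMP" "HTTP"
    next
    edit 2
        set name "nat46-ok"
        set nat46 enable
        set service "ALL_ICMP6" "ALL_ICMP"
    next
    edit 3
        set name "plain-ipv4"
        set service "ALL_ICMP"
    next
end
"""

# Both services are needed because the FortiGate checks the policy once on
# the IPv6 side and once on the IPv4 side (see the article text above).
REQUIRED_ICMP = {"ALL_ICMP", "ALL_ICMP6"}

# Assumption: a translating policy carries one of these lines.
TRANSLATION_FLAGS = ("set nat64 enable", "set nat46 enable")


def parse_policies(config_text):
    """Return {policy_id: {"services": set, "translating": bool}} from the
    'config firewall policy' table of a FortiOS-style config dump."""
    policies = {}
    current = None
    in_policy_table = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_policy_table = True
            continue
        if not in_policy_table:
            continue
        if line.startswith("edit "):
            current = line.split(None, 1)[1].strip('"')
            policies[current] = {"services": set(), "translating": False}
        elif current is not None and line.startswith("set service "):
            # Service names are quoted; collect every quoted token on the line.
            policies[current]["services"] = set(re.findall(r'"([^"]*)"', line))
        elif current is not None and line in TRANSLATION_FLAGS:
            policies[current]["translating"] = True
        elif line == "next":
            current = None
        elif line == "end":
            in_policy_table = False
            current = None
    return policies


def find_icmp_gaps(config_text):
    """Return {policy_id: [missing service names]} for every NAT64/NAT46
    policy that lacks ALL_ICMP or ALL_ICMP6. Policies using "ALL" are
    treated as already covering both protocols."""
    gaps = {}
    for policy_id, info in parse_policies(config_text).items():
        if not info["translating"] or "ALL" in info["services"]:
            continue
        missing = REQUIRED_ICMP - info["services"]
        if missing:
            gaps[policy_id] = sorted(missing)
    return gaps


if __name__ == "__main__":
    for policy_id, missing in find_icmp_gaps(SAMPLE_CONFIG).items():
        print(f"policy {policy_id}: NAT64/NAT46 enabled but missing {missing}")
```

Run against a 'show firewall policy' dump and the script lists only policies that translate between address families and would silently drop one direction of ICMP; policy 3 in the sample is not reported because it performs no translation, so a single ICMP service is sufficient there.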
Copyright 2025 Fortinet, Inc. All Rights Reserved.