Both the FortiGate hardware appliance and the FortiGate-VM should check the forwarding (firewall) policies before replying with the ICMP TTL exceeded packet defined in RFC 1812:
- If the traffic is allowed by policy, the packet with TTL=1 is dropped and an ICMP TTL exceeded packet is sent to the source.
- If the traffic is denied by policy, the packet with TTL=1 is dropped and no reply is sent.
Example 1: On the FortiGate hardware appliance, with a deny-all firewall policy in place, a packet received with TTL=1 gets no 'icmp: time exceeded in-transit' reply, so the FortiGate does not appear as a hop in the traceroute:
root@ted:/home/ted/Desktop# traceroute -n -w 1 -m 20 -T -p 7999 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 20 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
FortiGate-601E # diagnose sniffer packet any 'none' 4 0 l
interfaces=[any]
filters=[none]
2025-06-16 23:05:35.513460 port2 in 10.0.0.2.35729 -> 8.8.8.8.7999: syn 3444695382
2025-06-16 23:05:35.513935 port2 in 10.0.0.2.52325 -> 8.8.8.8.7999: syn 3413026689
2025-06-16 23:05:35.514087 port2 in 10.0.0.2.44621 -> 8.8.8.8.7999: syn 1978811126
Example 2: With an allow-all firewall policy in place, the same FortiGate responds to the source with 'icmp: time exceeded in-transit' and appears as hop 1:
root@ted:/home/ted/Desktop# traceroute -n -w 1 -m 20 -T -p 7999 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 20 hops max, 60 byte packets
 1  10.0.0.253  1.252 ms  0.974 ms  0.779 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
FortiGate-601E # diagnose sniffer packet any 'none' 4 0 l
interfaces=[any]
filters=[none]
2025-06-16 23:04:09.771317 port2 in 10.0.0.2.56717 -> 8.8.8.8.7999: syn 3723035076
2025-06-16 23:04:09.771558 port2 in 10.0.0.2.41577 -> 8.8.8.8.7999: syn 3779426166
2025-06-16 23:04:09.771701 port2 in 10.0.0.2.56759 -> 8.8.8.8.7999: syn 3762780160
2025-06-16 23:04:09.771803 port2 out 10.0.0.253 -> 10.0.0.2: icmp: time exceeded in-transit
2025-06-16 23:04:09.771804 port2 out 10.0.0.253 -> 10.0.0.2: icmp: time exceeded in-transit
2025-06-16 23:04:09.771805 port2 out 10.0.0.253 -> 10.0.0.2: icmp: time exceeded in-transit
Example 3: The FortiGate-VM, however, responds with an 'icmp: time exceeded in-transit' packet to the packet with TTL=1 even though a deny-all policy is in place, so the VM is visible as a hop despite denying the traffic:
root@ted:/home/ted/Desktop# traceroute -n -w 1 -m 20 -T -p 7999 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 20 hops max, 60 byte packets
 1  10.0.1.253  0.750 ms  0.699 ms  0.681 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
FortiGate-VM64 # diagnose sniffer packet any 'none' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[none]
2025-06-17 19:31:38.990202 port1 in 10.0.1.11.33881 -> 8.8.8.8.7999: syn 4179144013
2025-06-17 19:31:38.990220 port1 in 10.0.1.11.44383 -> 8.8.8.8.7999: syn 2806653660
2025-06-17 19:31:38.990241 port1 in 10.0.1.11.33543 -> 8.8.8.8.7999: syn 2570957358
2025-06-17 19:31:38.990281 port1 out 10.0.1.253 -> 10.0.1.11: icmp: time exceeded in-transit
2025-06-17 19:31:38.990306 port1 out 10.0.1.253 -> 10.0.1.11: icmp: time exceeded in-transit
2025-06-17 19:31:38.990335 port1 out 10.0.1.253 -> 10.0.1.11: icmp: time exceeded in-transit
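To check a unit for this behaviour without reading the capture by hand, the following added Python example (not part of this article or of Fortinet's tooling) parses verbosity-4 'diagnose sniffer packet' output in the shape shown above, pairs inbound TCP SYN probes with outbound 'icmp: time exceeded in-transit' replies sent back to the probing host, and returns a verdict for the policy that was in place. The two sample captures are constructed from the lines in Examples 1 and 3 and are labelled as such; the function names are my own.

```python
import re
from collections import defaultdict

# Line shapes from 'diagnose sniffer packet any "none" 4 0 l':
#   <date> <time> <intf> in  <src>.<sport> -> <dst>.<dport>: syn <seq>
#   <date> <time> <intf> out <src> -> <dst>: icmp: time exceeded in-transit
TCP_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[a-z]+)"
)
ICMP_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"icmp: time exceeded in-transit$"
)


def parse_sniffer(text):
    """Return (probes, replies): inbound TCP probes and outbound ICMP time-exceeded replies."""
    probes, replies = [], []
    for line in text.splitlines():
        line = line.strip()
        m = TCP_RE.match(line)
        if m and m["dir"] == "in":
            probes.append(m.groupdict())
            continue
        m = ICMP_RE.match(line)
        if m and m["dir"] == "out":
            replies.append(m.groupdict())
    return probes, replies


def ttl_exceeded_verdict(text, policy_denies):
    """Classify a capture taken while traceroute probes with TTL=1 hit the unit.

    policy_denies=True means the firewall policy matching the probes is a deny, so
    no ICMP time-exceeded reply is expected; any reply is a policy-check bypass.
    """
    probes, replies = parse_sniffer(text)
    probe_hosts = {p["src"] for p in probes}
    # Only count replies addressed to a host that actually sent probes.
    replies_by_host = defaultdict(int)
    for r in replies:
        if r["dst"] in probe_hosts:
            replies_by_host[r["dst"]] += 1
    replied = sum(replies_by_host.values())

    if not probes:
        verdict = "no-probes"
    elif policy_denies and replied:
        verdict = "replies-despite-deny"   # the FortiGate-VM behaviour in Example 3
    elif policy_denies:
        verdict = "deny-respected"         # the hardware behaviour in Example 1
    elif replied:
        verdict = "allow-replied"          # Example 2
    else:
        verdict = "allow-no-reply"
    return {"probes": len(probes), "replies": replied, "verdict": verdict}


# Constructed sample captures modelled on the article's output (not live captures).
CAPTURE_DENY_HW = """\
interfaces=[any]
filters=[none]
2025-06-16 23:05:35.513460 port2 in 10.0.0.2.35729 -> 8.8.8.8.7999: syn 3444695382
2025-06-16 23:05:35.513935 port2 in 10.0.0.2.52325 -> 8.8.8.8.7999: syn 3413026689
2025-06-16 23:05:35.514087 port2 in 10.0.0.2.44621 -> 8.8.8.8.7999: syn 1978811126
"""

CAPTURE_DENY_VM = """\
Using Original Sniffing Mode
interfaces=[any]
filters=[none]
2025-06-17 19:31:38.990202 port1 in 10.0.1.11.33881 -> 8.8.8.8.7999: syn 4179144013
2025-06-17 19:31:38.990220 port1 in 10.0.1.11.44383 -> 8.8.8.8.7999: syn 2806653660
2025-06-17 19:31:38.990241 port1 in 10.0.1.11.33543 -> 8.8.8.8.7999: syn 2570957358
2025-06-17 19:31:38.990281 port1 out 10.0.1.253 -> 10.0.1.11: icmp: time exceeded in-transit
2025-06-17 19:31:38.990306 port1 out 10.0.1.253 -> 10.0.1.11: icmp: time exceeded in-transit
2025-06-17 19:31:38.990335 port1 out 10.0.1.253 -> 10.0.1.11: icmp: time exceeded in-transit
"""

if __name__ == "__main__":
    print("hardware, deny policy:", ttl_exceeded_verdict(CAPTURE_DENY_HW, policy_denies=True))
    print("VM, deny policy:     ", ttl_exceeded_verdict(CAPTURE_DENY_VM, policy_denies=True))
```

Run the sniffer with a filter that matches the probe traffic rather than 'none' on a busy unit, otherwise unrelated ICMP replies to the probing host would be counted; the verdict only tells you whether replies went out, not which policy the unit evaluated.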
The issue of a FortiGate-VM sending the ICMP TTL exceeded packet without checking firewall policies will be fixed in the following versions:
- v7.6.4 (available on the Fortinet support portal).
- v8.0.0 (scheduled for release in February 2026).
- v7.4.10 (no release date available yet).
These firmware release timelines are estimates and may be subject to change.