Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
acp
Staff
Staff

Created on ‎12-02-2021 12:57 AM

Article Id 200121

Technical Tip: Hiding FortiGate interface IP in trace route result when in NAT mode

Description This article describes Fortigate NAT traceroute IP address disable.
Scope

 
Solution

1) Create a custom service for ICMP type 11 code 0.

 

# config firewall service custom

    edit "ICMP_TYPE 11"

        set protocol ICMP

        set icmptype 11

        set icmpcode 0

    next

end

 

2) Create an IPS profile using the below submitted signature.

 

F-SBID( --name "ICMP.TTL.FGT.Custom"; --protocol icmp; --src_addr x.x.x.x; --icmp_type 11; --icmp_code 0; )

 

src_addr of the signature to that, of Fortigate's IP.

 

3) Then create a policy based on the interface as shown below:

 

# config firewall interface-policy

    edit 1

        set interface xxx <----- xxx interface through which icmp traffic is received.

        set srcaddr "all"

        set dstaddr yyyy <----- yyyy would be the IP of the concentrator.

       set service " ICMP_TYPE 11" <----- Custom icmp service created earlier.

       set ips-sensor-status enable

       set ips-sensor "default"  <----- It is necessary to put the name of the created IPs profile that uses the icmp type 11 code 0 personality signature.

next
1629
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.