Technical Tip: Hiding FortiGate interface IP in trace route result when in NAT mode

acp · ‎12-02-2021

Description

This article describes the FortiGate NAT traceroute IP address is disabled.

Scope

FortiGate.

Solution

Create a custom service for ICMP type 11 code 0.

config firewall service custom

edit "ICMP_TYPE 11"

set protocol ICMP

set icmptype 11

set icmpcode 0

Create an IPS profile using the below-submitted signature.

F-SBID( --name "ICMP.TTL.FGT.Custom"; --protocol icmp; --src_addr x.x.x.x; --icmp_type 11; --icmp_code 0; )

src_addr of the signature to that, of FortiGate's IP.

Create a policy based on the interface as shown below:

config firewall interface-policy

edit 1

set interface xxx <----- xxx interface through which ICMP traffic is received.

set srcaddr "all"

set dstaddr yyyy <----- yyyy would be the IP of the concentrator.

set service " ICMP_TYPE 11" <----- Custom icmp service created earlier.

set ips-sensor-status enable

set ips-sensor "default" <----- It is necessary to put the name of the created IPs profile that uses the icmp type 11 code 0 personality signature.

Note:

It is possible to hide RFC1918 private ip address with below custom ips signature 'F-SBID( --name "ICMP.TTL.FGT.Custom"; --protocol icmp; src_addr 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16; --icmp_type 11; --icmp_code 0; )'

Technical Tip: Hiding FortiGate interface IP in trace route result when in NAT mode

You are leaving our website