Description

This article describes how to prevent the FortiGate's (NAT) IP address from appearing in a traceroute. Traceroute discovers each hop from the ICMP Time Exceeded messages (type 11, code 0) that routers return for expired probes; dropping the ones sourced from the FortiGate's IP with a custom IPS signature makes that hop show up as "* * *" instead of the FortiGate's address.
Scope

FortiGate.

Solution
1) Create a custom service that matches ICMP type 11 (Time Exceeded), code 0 (TTL exceeded in transit), which is the message a hop sends back for each traceroute probe:

config firewall service custom
    edit "ICMP_TYPE 11"
        set protocol ICMP
        set icmptype 11
        set icmpcode 0
    next
end

2) Create a custom IPS signature that matches ICMP type 11 code 0 packets sourced from the FortiGate. Set the src_addr of the signature to the FortiGate's IP address (x.x.x.x below):

F-SBID( --name "ICMP.TTL.FGT.Custom"; --protocol icmp; --src_addr x.x.x.x; --icmp_type 11; --icmp_code 0; )

3) Create an IPS sensor (IPS profile) that contains this custom signature, with the action set to block so that matching packets are dropped.

4) Apply the sensor with an interface policy on the interface through which the ICMP traffic is received, restricted to the custom ICMP service so that no other traffic is inspected by this policy:

config firewall interface-policy
    edit 1
        set interface xxx                 <----- xxx is the interface through which the ICMP traffic is received.
        set srcaddr "all"
        set dstaddr yyyy                  <----- yyyy is the address object for the IP of the concentrator.
        set service "ICMP_TYPE 11"        <----- The custom ICMP service created in step 1.
        set ips-sensor-status enable
        set ips-sensor "default"          <----- Replace "default" with the name of the IPS sensor created in step 3 that contains the ICMP type 11 code 0 custom signature.
    next
end

Only the FortiGate's own Time Exceeded replies are dropped; forwarding of the traceroute probes themselves, and the replies from the other hops and the final destination, are not affected.

Note: To hide the RFC 1918 private IP address ranges instead of a single FortiGate address, use the following custom IPS signature (the src_addr keyword must also carry the leading "--"):

F-SBID( --name "ICMP.TTL.FGT.Custom"; --protocol icmp; --src_addr 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16; --icmp_type 11; --icmp_code 0; )
Copyright 2025 Fortinet, Inc. All Rights Reserved.