FortiGate
acp
Description

This article describes how to stop a FortiGate's IP address from appearing as a hop in traceroute output in a NAT setup. The FortiGate reveals itself through the ICMP Time Exceeded messages (type 11, code 0) it sends back to the traceroute sender; the steps below drop those messages with a custom IPS signature applied through an interface policy.
Scope

Solution

1) Create a custom service for ICMP type 11 code 0 (ICMP Time Exceeded, "TTL exceeded in transit"). This is the message each intermediate hop returns to traceroute, whether the probe is UDP, ICMP Echo or TCP, so matching it is enough to hide the hop regardless of the traceroute variant in use.

# config firewall service custom
    edit "ICMP_TYPE 11"
        set protocol ICMP
        set icmptype 11
        set icmpcode 0
    next
end

2) Create a custom IPS signature with the definition below, then add it to an IPS sensor (IPS profile) with the action set to block; with a pass action the signature only logs and the FortiGate's address still shows up in traceroute.

F-SBID( --name "ICMP.TTL.FGT.Custom"; --protocol icmp; --src_addr x.x.x.x; --icmp_type 11; --icmp_code 0; )

Set --src_addr in the signature to the FortiGate's IP address, that is, the address that must not appear in the traceroute output. Leave --icmp_type 11 and --icmp_code 0 as they are so that only Time Exceeded messages, and not other ICMP traffic from that address, are dropped.

3) Create an interface policy on the interface through which the ICMP traffic is received, as shown below. Note that an interface policy inspects traffic entering the listed interface, so it has to be configured on the unit that actually receives the Time Exceeded messages on their way to the traceroute sender.

# config firewall interface-policy
    edit 1
        set interface xxx <----- xxx: interface through which the ICMP traffic is received.
        set srcaddr "all"
        set dstaddr yyyy <----- yyyy: address object for the IP of the concentrator (dstaddr takes an address object name, not a raw IP).
        set service "ICMP_TYPE 11" <----- custom ICMP service created in step 1 (the name must match exactly, with no leading space inside the quotes).
        set ips-sensor-status enable
        set ips-sensor zzzz <----- zzzz: name of the IPS sensor created in step 2 that contains the custom ICMP type 11 code 0 signature; do not leave it at "default".
    next
end

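The three steps above as one complete, ready-to-paste configuration. This is an added end-to-end example, not configuration from the original article, and every concrete value in it is an assumption: 203.0.113.1 is the FortiGate IP that must not show up in traceroute, 198.51.100.10 is the concentrator, port2 is the interface on which the ICMP traffic arrives, and "concentrator-host", "ICMP_TTL_FGT" and the rule ID 100000 are placeholders. The rule ID of a custom signature is assigned by the FortiGate, so it must be read back (show full-configuration ips custom) and substituted before the sensor entry is created.

```fortios
# Address object for the concentrator (assumed name and IP).
# interface-policy dstaddr accepts address object names only, not raw IPs.
config firewall address
    edit "concentrator-host"
        set subnet 198.51.100.10 255.255.255.255
    next
end

# Step 1: service matching only ICMP Time Exceeded (type 11, code 0).
config firewall service custom
    edit "ICMP_TYPE 11"
        set protocol ICMP
        set icmptype 11
        set icmpcode 0
    next
end

# Step 2a: custom IPS signature.
# --src_addr is the FortiGate address to hide (203.0.113.1 is a placeholder).
# Inner quotes of the F-SBID string are escaped with backslashes.
config ips custom
    edit "ICMP.TTL.FGT.Custom"
        set signature "F-SBID( --name \"ICMP.TTL.FGT.Custom\"; --protocol icmp; --src_addr 203.0.113.1; --icmp_type 11; --icmp_code 0; )"
        set action block
        set status enable
    next
end

# Step 2b: IPS sensor that enables the custom signature with action block.
# 100000 is a placeholder: replace it with the rule-id the FortiGate
# assigned to "ICMP.TTL.FGT.Custom" (show full-configuration ips custom).
config ips sensor
    edit "ICMP_TTL_FGT"
        set comment "Drop Time Exceeded sourced from the FortiGate IP"
        config entries
            edit 1
                set rule 100000
                set status enable
                set action block
                set log enable
            next
        end
    next
end

# Step 3: interface policy on the ingress interface (port2 is assumed),
# limited to the custom service and the concentrator destination,
# handing matching packets to the sensor from step 2b.
config firewall interface-policy
    edit 1
        set interface "port2"
        set srcaddr "all"
        set dstaddr "concentrator-host"
        set service "ICMP_TYPE 11"
        set ips-sensor-status enable
        set ips-sensor "ICMP_TTL_FGT"
    next
end

# Verification: watch for Time Exceeded packets from the hidden address
# on the ingress interface while a traceroute runs from the concentrator.
# diagnose sniffer packet port2 'icmp and host 203.0.113.1' 4
```

Once the policy is active, a traceroute from the concentrator still completes, but the hop that previously printed 203.0.113.1 shows as `* * *` (no Time Exceeded reply within the timeout); every other hop is unaffected because the service object restricts the inspection to type 11 code 0 and the signature restricts it to the one source address. If the address keeps appearing, confirm that the sensor entry uses the correct rule ID and that the interface policy sits on the interface the messages actually enter, since an interface policy never inspects traffic the FortiGate itself originates on an egress interface.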