FortiGate
acp
Staff
Article Id 200121
Description This article describes how to hide (disable) the FortiGate NAT IP address in traceroute output by blocking the ICMP Time Exceeded replies (type 11, code 0) that the FortiGate sends back to the traceroute client.
Scope

FortiGate.

Solution
  1. Create a custom service for ICMP type 11 code 0 (Time Exceeded):

config firewall service custom
    edit "ICMP_TYPE 11"
        set protocol ICMP
        set icmptype 11
        set icmpcode 0
    next
end

  2. Create a custom IPS signature as shown below, then create an IPS profile (sensor) that uses it:

F-SBID( --name "ICMP.TTL.FGT.Custom"; --protocol icmp; --src_addr x.x.x.x; --icmp_type 11; --icmp_code 0; )

Set the --src_addr of the signature (x.x.x.x above) to the FortiGate's own IP address, so that only Time Exceeded messages originating from the FortiGate are matched.

  3. Create an interface policy on the interface that receives the ICMP traffic, as shown below:

config firewall interface-policy
    edit 1
        set interface xxx <----- xxx: the interface through which the ICMP traffic is received.
        set srcaddr "all"
        set dstaddr yyyy <----- yyyy: the IP of the concentrator.
        set service "ICMP_TYPE 11" <----- The custom ICMP service created earlier (the name must match exactly).
        set ips-sensor-status enable
        set ips-sensor "default" <----- Replace "default" with the name of the IPS profile created earlier that contains the custom ICMP type 11 code 0 signature.
    next
end

Note:

It is also possible to hide all RFC 1918 private IP addresses (rather than a single FortiGate IP) by giving --src_addr the three private ranges in the custom IPS signature:

F-SBID( --name "ICMP.TTL.FGT.Custom"; --protocol icmp; --src_addr 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16; --icmp_type 11; --icmp_code 0; )
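The following is an added example, not part of the Fortinet article and not FortiOS code: a small Python matcher for just the F-SBID keywords used above (--protocol, --src_addr with a comma-separated CIDR list, --icmp_type, --icmp_code), applied to constructed ICMP messages so you can see which traceroute replies the signature catches and how the resulting traceroute output looks. It is a simplified reimplementation for illustration only; the IP addresses (203.0.113.10 as the FortiGate, the other hops, and the private-range hops) are constructed documentation-range values, and FortiOS's real IPS engine accepts far more syntax than this parser handles.

```python
"""Added example (not from the Fortinet article): match the article's custom
F-SBID signature against constructed ICMP replies and render the traceroute
a client would see. Assumes only the keywords the article uses."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class IcmpMessage:
    src: str          # source IP of the ICMP reply (the hop that sent it)
    icmp_type: int    # 11 = Time Exceeded, 3 = Destination Unreachable
    icmp_code: int
    protocol: str = "icmp"


def parse_fsbid(signature: str) -> dict:
    """Parse 'F-SBID( --key value; ... )' into a dict of keyword -> value.
    Only the flat '--key value;' form used in the article is supported."""
    m = re.fullmatch(r"\s*F-SBID\(\s*(.*?)\s*\)\s*", signature, re.S)
    if not m:
        raise ValueError("not an F-SBID signature")
    fields = {}
    for item in m.group(1).split(";"):
        item = item.strip()
        if not item:
            continue
        if not item.startswith("--"):
            # This is exactly the defect of a missing '--' before src_addr.
            raise ValueError(f"keyword must start with '--': {item!r}")
        key, _, value = item[2:].partition(" ")
        fields[key] = value.strip().strip('"')
    return fields


def matches(sig: dict, msg: IcmpMessage) -> bool:
    """True if the parsed signature would match this ICMP message."""
    if sig.get("protocol", "").lower() != msg.protocol:
        return False
    if "icmp_type" in sig and int(sig["icmp_type"]) != msg.icmp_type:
        return False
    if "icmp_code" in sig and int(sig["icmp_code"]) != msg.icmp_code:
        return False
    if "src_addr" in sig:
        # --src_addr may be one address/CIDR or a comma-separated list
        nets = [ipaddress.ip_network(a.strip(), strict=False)
                for a in sig["src_addr"].split(",")]
        if not any(ipaddress.ip_address(msg.src) in n for n in nets):
            return False
    return True


def traceroute_view(hops, signature: str):
    """Return (ttl, shown) pairs: a hop whose reply the signature blocks is
    printed by the traceroute client as '*' instead of its IP address."""
    sig = parse_fsbid(signature)
    return [(ttl, "*" if matches(sig, msg) else msg.src)
            for ttl, msg in enumerate(hops, start=1)]


# Constructed sample: the replies a traceroute toward 198.51.100.9 collects,
# with 203.0.113.10 standing in for the FortiGate's (NAT) IP address.
HOPS = [
    IcmpMessage("192.0.2.1", 11, 0),       # upstream router, Time Exceeded
    IcmpMessage("203.0.113.10", 11, 0),    # the FortiGate, Time Exceeded
    IcmpMessage("198.51.100.5", 11, 0),    # next router, Time Exceeded
    IcmpMessage("198.51.100.9", 3, 3),     # destination, Port Unreachable
]

FGT_SIGNATURE = ('F-SBID( --name "ICMP.TTL.FGT.Custom"; --protocol icmp; '
                 '--src_addr 203.0.113.10; --icmp_type 11; --icmp_code 0; )')

RFC1918_SIGNATURE = ('F-SBID( --name "ICMP.TTL.FGT.Custom"; --protocol icmp; '
                     '--src_addr 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16; '
                     '--icmp_type 11; --icmp_code 0; )')

if __name__ == "__main__":
    for ttl, shown in traceroute_view(HOPS, FGT_SIGNATURE):
        print(f"{ttl:>2}  {shown}")
```

Running it shows hop 2 as `*` while hops 1, 3 and 4 still print their addresses: the FortiGate's address is no longer revealed, but the traceroute still completes and still shows that some device sits at that hop. The destination's Port Unreachable (type 3) is not matched even though a type-11 reply from the same source would be, which is the point of pinning the signature to type 11 code 0. The RFC 1918 variant matches a reply from 172.31.0.1 (inside 172.16.0.0/12) but not from 172.32.0.1.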
