Description | This article describes how to prevent a FortiGate's NAT IP address from appearing in traceroute output. |
Scope |
Solution |
1) Create a custom service for ICMP type 11 code 0.
# config firewall service custom
    edit "ICMP_TYPE 11"
        set protocol ICMP
        set icmptype 11
        set icmpcode 0
    next
end
2) Create an IPS profile that uses the custom signature below.
F-SBID( --name "ICMP.TTL.FGT.Custom"; --protocol icmp; --src_addr x.x.x.x; --icmp_type 11; --icmp_code 0; )
Set the src_addr of the signature (x.x.x.x above) to the FortiGate's IP address.
3) Then create a policy based on the interface as shown below:
# config firewall interface-policy
    edit 1
        set interface xxx            <----- xxx is the interface on which the ICMP traffic is received.
        set srcaddr "all"
        set dstaddr yyyy             <----- yyyy is the IP address of the concentrator.
        set service "ICMP_TYPE 11"   <----- The custom ICMP service created in step 1 (the name must match exactly).
        set ips-sensor-status enable
        set ips-sensor "default"     <----- Replace "default" with the name of the IPS profile created in step 2 that uses the custom ICMP type 11 code 0 signature.
    next
end
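The three steps above only work if the interface policy references the custom service by its exact name and points at the IPS profile that carries the custom signature. As an added consistency check (example code, not from the Fortinet article), the following Python script parses a flat FortiOS CLI fragment and reports those two mismatches; the sample configuration, the object name "concentrator" and the policy id are constructed for the example.

```python
import shlex

# Constructed sample mirroring the article's CLI steps, seeded with two easy
# slips: a stray space in the service name and the stock "default" IPS sensor.
SAMPLE_CONFIG = """
config firewall service custom
    edit "ICMP_TYPE 11"
        set protocol ICMP
        set icmptype 11
        set icmpcode 0
    next
end
config firewall interface-policy
    edit 1
        set dstaddr "concentrator"
        set service " ICMP_TYPE 11"
        set ips-sensor-status enable
        set ips-sensor "default"
    next
end
"""

def parse_fortios(text):
    """Flat FortiOS CLI -> {section: {entry: {key: value}}}; quotes are honoured."""
    cfg, section, entry = {}, None, None
    for tok in map(shlex.split, text.splitlines()):
        if tok and tok[0] == "config":
            section = cfg.setdefault(" ".join(tok[1:]), {})
        elif tok and tok[0] == "edit":
            entry = section.setdefault(tok[1], {})
        elif tok and tok[0] == "set":
            entry[tok[1]] = " ".join(tok[2:])
    return cfg

def check_traceroute_policy(cfg):
    """Return findings; an empty list means the three steps are wired together."""
    findings = []
    icmp11 = {n for n, s in cfg.get("firewall service custom", {}).items()
              if s.get("protocol", "").upper() == "ICMP"
              and s.get("icmptype") == "11" and s.get("icmpcode") == "0"}
    for pid, pol in cfg.get("firewall interface-policy", {}).items():
        svc = pol.get("service")
        if svc not in icmp11:  # exact-name mismatch: the policy would not match ICMP 11/0
            hint = " (stray whitespace?)" if svc and svc.strip() in icmp11 else ""
            findings.append(f"policy {pid}: service {svc!r} is not the ICMP 11/0 service{hint}")
        if pol.get("ips-sensor-status") != "enable":
            findings.append(f"policy {pid}: ips-sensor-status is not enabled")
        if pol.get("ips-sensor", "default") == "default":
            findings.append(f"policy {pid}: ips-sensor is 'default', not the custom-signature profile")
    return findings
```

Running `check_traceroute_policy(parse_fortios(SAMPLE_CONFIG))` on the seeded sample reports both slips; on a corrected configuration it returns an empty list.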
Copyright 2024 Fortinet, Inc. All Rights Reserved.