Technical Tip: Hiding FortiGate interface IP in tr...

FortiGate

FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.

Article Id 200121

Description

This article describes the FortiGate NAT traceroute IP address is disabled.

Scope

FortiGate.

Solution

Create a custom service for ICMP type 11 code 0.

config firewall service custom

edit "ICMP_TYPE 11"

set protocol ICMP

set icmptype 11

set icmpcode 0

end

Create an IPS profile using the below-submitted signature.

F-SBID( --name "ICMP.TTL.FGT.Custom"; --protocol icmp; --src_addr x.x.x.x; --icmp_type 11; --icmp_code 0; )

src_addr of the signature to that, of FortiGate's IP.

Create a policy based on the interface as shown below:

config firewall interface-policy

edit 1

set interface xxx <----- xxx interface through which ICMP traffic is received.

set srcaddr "all"

set dstaddr yyyy <----- yyyy would be the IP of the concentrator.

set service " ICMP_TYPE 11" <----- Custom icmp service created earlier.

set ips-sensor-status enable

set ips-sensor "default" <----- It is necessary to put the name of the created IPs profile that uses the icmp type 11 code 0 personality signature.

Note:

It is possible to hide RFC1918 private ip address with below custom ips signature 'F-SBID( --name "ICMP.TTL.FGT.Custom"; --protocol icmp; src_addr 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16; --icmp_type 11; --icmp_code 0; )'

2525

Contributors

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Technical Tip: Hiding FortiGate interface IP in trace route result when in NAT mode

You are leaving our website