Traceroute that uses ICMP instead of UDP cannot be blocked with a service object in a firewall policy while ping is still allowed: both the ping and the traceroute probe are ICMP echo requests (type 8, code 0) and differ only in their TTL, which a service object cannot match on. An Application Control profile is needed instead, because the application signatures tell the two apart.
- Create an application control profile that blocks traceroute and allows ping. Entry 1 (application 32304, Trace.Route) keeps the default block action; entry 2 (application 24466, Ping) is set to pass:
In CLI:
config application list
    edit "Block-Traceroute"
        set comment "Allow ping but block trace"
        set other-application-log enable
        set unknown-application-log enable
        config entries
            edit 1
                set application 32304
                set log disable
            next
            edit 2
                set application 24466
                set action pass
                set log disable
            next
        end
    next
end
- Create a firewall policy that allows ICMP and references the application control profile created in step 1:
config firewall policy
    edit 1
        set name "Allow-Ping"
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL_ICMP"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "Block-Traceroute"
        set nat enable
    next
end
Debugging and verification. In the IPS debug output below, the ping (packet id 39, ttl:127) matches application 24466 Ping and is passed, while the traceroute probe (packet id 41, ttl:1) matches application 32304 Trace.Route and is dropped:
Juara-kvm30 # diagnose ips debug enable all
Juara-kvm30 # diagnose debug enable
Juara-kvm30 # diagnose debug console timestamp enable
Juara-kvm30 # 2024-11-20 10:45:11 [2409@-1]ips_run_packet_prepare: got a packet, id=0, size=60
Juara-kvm30 # 2024-11-20 10:59:05 [2485@-1]ips_run_packet_prepare: got a packet, id=39, size=60
2024-11-20 10:59:05 [2485@-1]ips_process_event: ctx 0: 5 => 0
2024-11-20 10:59:05 PACKET id:39 len:60 vf:0 vrf:0 fw:1 view:3 derived:0 encap:0 log:(traffic:0 pre:1 post:0) imp2p:0x0 proxy:0x0 features:0x4 flowutm:1 input:raw 10.129.3.71 -> 9.9.9.9 protocol:1 IP length:60b, header:20b, ttl:127, tos:0, id:27749 ICMP payload:32b, type:8, code:0
2024-11-20 10:59:05 [2485@-1]ips_run_decode: ips_pkt_id: 39
2024-11-20 10:59:05 0000 45 00 00 3C 6C 65 00 00 7F 01 AF 82 0A 81 03 47 E..<le.........G
2024-11-20 10:59:05 0010 09 09 09 09 08 00 4D 24 00 01 00 37 61 62 63 64 ......M$...7abcd
2024-11-20 10:59:05 0020 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 efghijklmnopqrst
2024-11-20 10:59:05 0030 75 76 77 61 62 63 64 65 66 67 68 69 uvwabcdefghi
2024-11-20 10:59:05
2024-11-20 10:59:05 [2485@-1]ips_run_session_verdict_check: can't find session
2024-11-20 10:59:05 [2485@-1]ips_create_session: enter
2024-11-20 10:59:05 [2485@-1]ips_create_session: set ignore_app_after_size from 204800 to 2048 by dependencies of 0 Root
2024-11-20 10:59:05 [2485@9]ips_dsct_icmp_processor: serial=7883 ICMP session created
2024-11-20 10:59:05 [2485@9]ips_dsct_session_loop: serial=7883 ignore dissectors
2024-11-20 10:59:05 [2485@9]ips_process_event: ctx 0: 0 => 1
2024-11-20 10:59:05 [2485@9]ips_process_event: ctx 0: 1 => 1
2024-11-20 10:59:05 [2485@9]ips_process_event: ctx 0: 1 => 1
2024-11-20 10:59:05 [2485@9]ipsa_adapter_search_prepare: IPSA search is not enabled.!
2024-11-20 10:59:05 [2485@9]ips_process_event: ctx 0: 1 => 2
2024-11-20 10:59:05 [2485@9]ips_process_event: ctx 0: 2 => 4
2024-11-20 10:59:05 [2485@9]ips_match_rule: pattern matched 24466,23608: Ping
2024-11-20 10:59:05 [2485@9]ips_match_rule: matched rule 24466 23608 Ping (weight:5)
2024-11-20 10:59:05 [2485@9]ips_match_candidates: set best rule 24466 23608 Ping
2024-11-20 10:59:05 [2485@9]ips_set_pkt_verdict: action=PASS
2024-11-20 10:59:05 [2485@9]ips_report_alert_va_internal: v_id=24466, a_id=23608, log=0, log_pkt=0
2024-11-20 10:59:05 [2485@9]ips_log: id=24466 conf=0xc5, action=0
2024-11-20 10:59:05 [2485@9]ips_process_event: ctx 0: 4 => 3
2024-11-20 10:59:05 [2485@9]ips_handle_pkt_verdict: pass a packet, size=60
2024-11-20 10:59:05 [2485@9]ips_process_event: ctx 0: 3 => 5
2024-11-20 10:59:05 [2485@-1]ips_run_packet_prepare: got a packet, id=40, size=60
2024-11-20 10:59:05 [2485@-1]ips_process_event: ctx 0: 5 => 0
PACKET id:41 len:92 vf:0 vrf:0 fw:1 view:3 derived:0 encap:0 log:(traffic:0 pre:1 post:0) imp2p:0x0 proxy:0x0 features:0x4 flowutm:1 input:raw 10.129.3.71 -> 9.9.9.9 protocol:1 IP length:92b, header:20b, ttl:1, tos:0, id:27753 ICMP payload:64b, type:8, code:0
2024-11-20 10:59:30 [2485@-1]ips_run_decode: ips_pkt_id: 41
2024-11-20 10:59:30 0000 45 00 00 5C 6C 69 00 00 01 01 2D 5F 0A 81 03 47 E..\li....-_...G
2024-11-20 10:59:30 0010 09 09 09 09 08 00 F7 C3 00 01 00 3B 00 00 00 00 ...........;....
2024-11-20 10:59:30 0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
2024-11-20 10:59:30 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
2024-11-20 10:59:30 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
2024-11-20 10:59:30 0050 00 00 00 00 00 00 00 00 00 00 00 00 ............
2024-11-20 10:59:30
2024-11-20 10:59:30 [2485@-1]ips_run_session_verdict_check: can't find session
2024-11-20 10:59:30 [2485@-1]ips_create_session: enter
2024-11-20 10:59:30 [2485@-1]ips_create_session: set ignore_app_after_size from 204800 to 2048 by dependencies of 0 Root
2024-11-20 10:59:30 [2485@10]ips_dsct_icmp_processor: serial=7883 ICMP session created
2024-11-20 10:59:30 [2485@10]ips_dsct_session_loop: serial=7883 ignore dissectors
2024-11-20 10:59:30 [2485@10]ips_process_event: ctx 0: 0 => 1
2024-11-20 10:59:30 [2485@10]ips_process_event: ctx 0: 1 => 1
2024-11-20 10:59:30 [2485@10]ips_process_event: ctx 0: 1 => 1
2024-11-20 10:59:30 [2485@10]ipsa_adapter_search_prepare: IPSA search is not enabled.!
2024-11-20 10:59:30 [2485@10]ips_process_event: ctx 0: 1 => 2
2024-11-20 10:59:30 [2485@10]ips_process_event: ctx 0: 2 => 4
2024-11-20 10:59:30 [2485@10]ips_match_rule: pattern matched 32304,34215: Trace.Route
2024-11-20 10:59:30 [2485@10]ips_match_rule: matched rule 32304 34215 Trace.Route (weight:10)
2024-11-20 10:59:30 [2485@10]ips_match_candidates: set best rule 32304 34215 Trace.Route
2024-11-20 10:59:30 [2485@10]ips_set_pkt_verdict: action=DROP
2024-11-20 10:59:30 [2485@10]ips_report_alert_va_internal: v_id=32304, a_id=34215, log=0, log_pkt=0
2024-11-20 10:59:30 [2485@10]ips_log: id=32304 conf=0xc5, action=1
2024-11-20 10:59:30 [2485@10]match_app: disarm ftgd queries when request is to be blocked.
2024-11-20 10:59:30 [2485@10]ips_process_event: ctx 0: 4 => 3
2024-11-20 10:59:30 [2485@10]ips_handle_pkt_verdict: drop a packet, size=92
2024-11-20 10:59:30 [2485@10]ips_process_event: ctx 0: 3 => 5
2024-11-20 10:59:34 [2485@-1]ips_run_packet_prepare: got a packet, id=42, size=92
2024-11-20 10:59:34 [2485@-1]ips_process_event: ctx 0: 5 => 0
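As an added example (not part of the original tip), the Python below parses the PACKET, ips_match_rule and ips_set_pkt_verdict lines from the debug output above and checks each packet's verdict against the one property that separates the two echo requests, their TTL. It assumes one debug message per line, and the probe TTL threshold of 30 is an assumption taken from the default traceroute hop limit.

```python
import re

# Constructed sample: the two PACKET lines from the ips debug output above (a ping with ttl
# 127 and a traceroute probe with ttl 1), each followed by the ips_match_rule and
# ips_set_pkt_verdict lines the engine printed for it. Re-flowed to one message per line.
DEBUG_LOG = """\
PACKET id:39 len:60 vf:0 vrf:0 fw:1 view:3 derived:0 encap:0 log:(traffic:0 pre:1 post:0) imp2p:0x0 proxy:0x0 features:0x4 flowutm:1 input:raw 10.129.3.71 -> 9.9.9.9 protocol:1 IP length:60b, header:20b, ttl:127, tos:0, id:27749 ICMP payload:32b, type:8, code:0
2024-11-20 10:59:05 [2485@9]ips_match_rule: matched rule 24466 23608 Ping (weight:5)
2024-11-20 10:59:05 [2485@9]ips_set_pkt_verdict: action=PASS
PACKET id:41 len:92 vf:0 vrf:0 fw:1 view:3 derived:0 encap:0 log:(traffic:0 pre:1 post:0) imp2p:0x0 proxy:0x0 features:0x4 flowutm:1 input:raw 10.129.3.71 -> 9.9.9.9 protocol:1 IP length:92b, header:20b, ttl:1, tos:0, id:27753 ICMP payload:64b, type:8, code:0
2024-11-20 10:59:30 [2485@10]ips_match_rule: matched rule 32304 34215 Trace.Route (weight:10)
2024-11-20 10:59:30 [2485@10]ips_set_pkt_verdict: action=DROP
"""

PACKET_RE = re.compile(r"PACKET id:(\d+) .* (\S+) -> (\S+) protocol:(\d+) .*?ttl:(\d+),"
                       r".*?ICMP payload:(\d+)b, type:(\d+), code:(\d+)")
RULE_RE = re.compile(r"ips_match_rule: matched rule (\d+) \d+ (\S+) ")
VERDICT_RE = re.compile(r"ips_set_pkt_verdict: action=(\w+)")

def parse_debug(log):
    """Group each PACKET line with the rule match and verdict the IPS engine printed after it."""
    packets = []
    for line in log.splitlines():
        if m := PACKET_RE.search(line):
            pid, src, dst, proto, ttl, payload, itype, code = m.groups()
            packets.append({"id": int(pid), "src": src, "dst": dst, "proto": int(proto),
                            "ttl": int(ttl), "payload": int(payload), "type": int(itype),
                            "code": int(code), "app_id": None, "app": None, "verdict": None})
        elif packets and (m := RULE_RE.search(line)):
            packets[-1]["app_id"], packets[-1]["app"] = int(m.group(1)), m.group(2)
        elif packets and (m := VERDICT_RE.search(line)):
            packets[-1]["verdict"] = m.group(1)
    return packets

def looks_like_traceroute(pkt, max_probe_ttl=30):
    """Heuristic only (assumed threshold): traceroute sends echo requests (type 8) with TTL 1, 2,
    3, ... up to its hop limit, while a plain ping arrives with the sender's default TTL minus hops."""
    return pkt["proto"] == 1 and pkt["type"] == 8 and pkt["ttl"] <= max_probe_ttl

def verdict_mismatches(packets):
    """Packets whose engine verdict disagrees with the profile's intent (drop probes, pass pings)."""
    bad = []
    for p in packets:
        want = "DROP" if looks_like_traceroute(p) else "PASS"
        if p["verdict"] != want:
            bad.append((p["id"], want, p["verdict"]))
    return bad
```

An empty list from verdict_mismatches confirms the profile behaves as the debug output shows: low-TTL echo requests dropped as Trace.Route, normal-TTL ones passed as Ping.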
Note:
The FortiGate still appears as the first hop, because the traffic is treated as local by the FortiGate. To hide the FortiGate interface IP address from the traceroute result, use an interface firewall policy as described in: Technical Tip: Hiding FortiGate interface IP in trace route result when in NAT mode