dkochhar
Staff
Article Id 362523
Description This article describes how to block ICMP timestamps and replies for internal traffic that originates from behind the FortiGate.
Scope FortiGate.
Solution

This article demonstrates an example of how to block ICMP timestamps and replies for internal traffic that originates from behind the FortiGate.


The following topology is used:
               NW.png

 

The goal is to block ICMP timestamp requests and replies that originate from a machine behind port 1 and are going to ANY internal interface.

 

  1. Create a firewall service for ICMP type 13 (timestamp request) and type 14 (timestamp replies):

config firewall service custom
    edit "TIMESTAMP"
        set protocol ICMP
        set icmptype 13
        unset icmpcode
    next
    edit "TIMESTAMP_Replies"
        set protocol ICMP
        set icmptype 14
        unset icmpcode
    next
end

 

  2. Create a firewall policy to block timestamp requests on the internal interface as follows:


config firewall policy
    edit 1
        set name "Block_ICMP_Type13&14"
        set srcintf "port1"
        set dstintf "any"
        set srcaddr "Local_Subnet"
        set dstaddr "all"
        set schedule "always"
        set service "TIMESTAMP" "TIMESTAMP_Replies"
        set logtraffic all
    next
end

The set service line references the two services created in step 1. No set action line is shown because deny is the default action for a firewall policy.

 

Results:


Before the traffic is initiated: No traffic is hitting the policy.


ICMPTYPE-1.png

 

After the traffic is initiated: 

ICMP_TYPE-2.png


Logs:
ICMP timestamp traffic is being denied.

ICMP_TYPE-3.png

 

Note: By default, a normal ping from Windows does not send ICMP timestamp requests.

ICMP.png

 

To test the ICMP timestamp traffic, use a tool such as hping3 or Nmap to generate it.

https://linux.die.net/man/8/hping3

The following shows how the traffic can be initiated through Nmap. The target IP has to be entered in the target field.

ICMP_TYPE-4.png
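An added example, not part of the original article: a small Python sender for the test described above, run from a host behind port 1. It builds the ICMP type 13 request, and a valid type 14 reply means the deny policy is not matching. The function names and the command-line usage are assumptions of this example.

```python
import os, socket, struct, sys, time

TS_REQUEST, TS_REPLY = 13, 14  # the ICMP types matched by the two custom services

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_timestamp_request(ident: int, seq: int, originate_ms: int) -> bytes:
    """20-byte type 13 message (RFC 792): header, id, seq, three 32-bit timestamps."""
    body = struct.pack("!HHIII", ident, seq, originate_ms, 0, 0)
    csum = checksum(struct.pack("!BBH", TS_REQUEST, 0, 0) + body)
    return struct.pack("!BBH", TS_REQUEST, 0, csum) + body

def parse_timestamp_reply(icmp: bytes, ident: int, seq: int):
    """Return (originate, receive, transmit) for a valid matching type 14, else None."""
    if len(icmp) < 20 or checksum(icmp) != 0:
        return None
    mtype, code, _, rid, rseq, orig, recv, xmit = struct.unpack("!BBHHHIII", icmp[:20])
    if (mtype, code, rid, rseq) != (TS_REPLY, 0, ident, seq):
        return None
    return orig, recv, xmit

def probe(target: str, timeout: float = 2.0) -> bool:
    """Send one timestamp request; True means a reply came back (not blocked).
    Needs root/CAP_NET_RAW for the raw socket; assumes an IPv4 target."""
    ident, seq = os.getpid() & 0xFFFF, 1
    now_ms = int(time.time() * 1000) % 86_400_000  # ms since midnight UTC
    deadline = time.monotonic() + timeout
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.sendto(build_timestamp_request(ident, seq, now_ms), (target, 0))
        while (left := deadline - time.monotonic()) > 0:
            s.settimeout(left)
            try:
                pkt, _ = s.recvfrom(1024)
            except socket.timeout:
                break
            ihl = (pkt[0] & 0x0F) * 4  # raw sockets deliver the IPv4 header too
            if parse_timestamp_reply(pkt[ihl:], ident, seq) is not None:
                return True
    return False

if __name__ == "__main__" and len(sys.argv) == 2:
    blocked = not probe(sys.argv[1])
    print("no reply, consistent with the deny policy" if blocked else "reply received, not blocked")
```

A missing reply alone does not prove the policy matched, since the target host may ignore timestamp requests itself; confirm with the denied entry in the traffic log.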