Description | This article describes how to block ICMP timestamps and replies for internal traffic that originates from behind the FortiGate. |
Scope | FortiGate. |
Solution |
This article demonstrates an example of how to block ICMP timestamps and replies for internal traffic that originates from behind the FortiGate.
The goal is to block ICMP timestamps and replies that originate from a machine behind port1 and go to ANY internal interface.
config firewall service custom
    edit "TIMESTAMP"
    edit "TIMESTAMP_Replies"
Note: 'edit 0' will create a new policy using the next unused policy ID.
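A complete form of the configuration described here, given as an added example and not as Fortinet's original listing: it relies on ICMP type 13 being the timestamp request and type 14 the timestamp reply (RFC 792). The policy name, the address objects and the logging setting are assumptions, and lines starting with # are annotations for the reader.

```fortios
# Custom services matching the two ICMP timestamp message types.
config firewall service custom
    edit "TIMESTAMP"
        set protocol ICMP
        # ICMP type 13 = timestamp request
        set icmptype 13
    next
    edit "TIMESTAMP_Replies"
        set protocol ICMP
        # ICMP type 14 = timestamp reply
        set icmptype 14
    next
end

# Deny policy for traffic entering on port1 towards any interface.
config firewall policy
    edit 0
        # Assumed policy name, chosen for this example.
        set name "Block_ICMP_Timestamp"
        set srcintf "port1"
        set dstintf "any"
        # Assumed address scope: every source and destination.
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "TIMESTAMP" "TIMESTAMP_Replies"
        set action deny
        # Assumed: log denied sessions so the block can be confirmed in the logs.
        set logtraffic all
    next
end
```

Policies are evaluated from the top down and 'edit 0' appends the new policy, so it has to be moved above any broader allow policy for port1 before the deny takes effect.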
Results:
After the traffic is initiated:
ICMP timestamp traffic is being denied.
Note: By default, a normal ping from Windows does not send ICMP timestamp requests.
To test the ICMP timestamp traffic, a tool such as hping3 or Nmap can be used to generate traffic. https://linux.die.net/man/8/hping3 |
Copyright 2025 Fortinet, Inc. All Rights Reserved.