This article demonstrates an example of how to block ICMP timestamps and replies for internal traffic that originates from behind the FortiGate.

The following topology is used:
               

The goal is to block ICMP timestamp and replies that originated from machine behind port1 going to ANY internal interface.

1. Create a firewall service for ICMP type 13 (timestamp request) and type 14 (timestamp replies):
   
   

config firewall service custom

    edit "TIMESTAMP"
        set protocol ICMP
        set icmptype 13
        unset icmpcode
    next

    edit "TIMESTAMP_Replies"
        set protocol ICMP
        set icmptype 14
        unset icmpcode
    next
end

2. Create a firewall policy to block timestamp requests on the internal interface as follows:

config firewall policy
    edit 0                                            
        set name "Block_ICMP_Type13&14"
        set srcintf "port1"
        set dstintf "any"
        set srcaddr "Local_Subnet"
        set dstaddr "all"
        set schedule "always"
        set service "TIMESTAMP" "TIMESTAMP_Replies"     <----- Services created above.
        set logtraffic all
    next
end

Note: 

'edit 0' will create a new policy using the next unused policy ID. 

Results:

Before the traffic is initiated: No traffic hitting the policy.

After the traffic is initiated: 

Logs:

ICMP timestamp traffic is being denied.

Note:

By default, normal ping through Windows does not send ICMP timestamp requests in it.

To test the ICMP timestamp traffic, a tool such as hping3 or Nmap can be used to generate traffic.

https://linux.die.net/man/8/hping3

The following shows how traffic can be initiated through NMAP: target IP has to be mentioned in the target field.


Note: ICMP timestamps can also be blocked using 'local-in policy' if it is destined to the FortiGate interface.
Reference: Technical Tip: Block ICMP timestamp on FortiGate interface while keeping ping enabled.