Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
dkochhar
Staff
Staff

Created on ‎12-06-2024 06:39 AM Edited on ‎01-07-2026 10:52 PM By Community Manager

Article Id 362523

Technical Tip: How to block ICMP timestamp and replies for internal traffic

Description This article describes how to block ICMP timestamps and replies for internal traffic that originates from behind the FortiGate.
Scope FortiGate.
Solution

This article demonstrates an example of how to block ICMP timestamps and replies for internal traffic that originates from behind the FortiGate.


The following topology is used:
               NW.png

 

The goal is to block ICMP timestamps and replies that originated from the machine behind port1 going to ANY internal interface.

 

  1. Create a firewall service for ICMP type 13 (timestamp request) and type 14 (timestamp replies):

config firewall service custom

    edit "TIMESTAMP"
        set protocol ICMP
        set icmptype 13
        unset icmpcode
    next

    edit "TIMESTAMP_Replies"
        set protocol ICMP
        set icmptype 14
        unset icmpcode
    next
end

 

  1. Create a firewall policy to block timestamp requests on the internal interface as follows:


config firewall policy
    edit 0                                            
        set name "Block_ICMP_Type13&14"
        set srcintf "port1"
        set dstintf "any"
        set srcaddr "Local_Subnet"
        set dstaddr "all"
        set schedule "always"
        set service "TIMESTAMP" "TIMESTAMP_Replies"     <----- Services created above.
        set logtraffic all
    next
end

 

Note: 

'edit 0will create a new policy using the next unused policy ID. 

 

Results:

Before the traffic is initiated, no traffic hits the policy.


ICMPTYPE-1.png

 

After the traffic is initiated: 

ICMP_TYPE-2.png


Logs:

ICMP timestamp traffic is being denied.

ICMP_TYPE-3.png

 

Note:

By default, normal ping through Windows does not send ICMP timestamp requests it.

ICMP.png

 

To test the ICMP timestamp traffic, a tool such as hping3 or Nmap can be used to generate traffic.

https://linux.die.net/man/8/hping3

The following shows how traffic can be initiated through NMAP: the target IP has to be mentioned in the target field.

ICMP_TYPE-4.png
Note:

ICMP timestamps can also be blocked using the 'local-in policy' if it is destined to the FortiGate interface.
Reference: Technical Tip: Block ICMP timestamp on FortiGate interface while keeping ping enabled.

 

Also, starting from FortiGate v7.6.0, the 'local-in policy' can now be configured in the GUI. Refer to this document for reference: Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI.
7302
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.