Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
btey
Staff & Editor
Staff & Editor

Created on ‎07-23-2024 10:47 PM Edited on ‎04-01-2025 06:12 AM By Community Manager

Article Id 323438

Technical Tip: ICMP unreachable logging and policy matching

Description This article describes the method to generate ICMP unreachable logs and the policy matching.
Scope FortiGate.
Solution

To generate ICMP log message:

 

config log setting

    set log-invalid-packet enable

end

 

In FortiOS v7.4.X and above, the command shown above has been replaced with the following:

 

config log setting

    set extended-log enable

end

 

The ICMP log is generated as below:

 

ICMP unreachable.png

 

log detail.PNG

 

The log matched policy ID 2 even though the source field does not match.

firewall policy.png

 

Policy ID 2 allowed the ICMP unreachable packet because the encapsulated IP header matches the existing session.

 

ICMPdata.png
827
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.