Description
This article describes the method to prevent the public FortiGate interface from responding to ping requests.
Scope
This feature was introduced in version 5.6.
Solution
In the factory default configuration, the default public / external / Internet interface responds to ping requests.
It is usually connected to the Internet.
Note:
Depending on the model of the FortiGate unit, the actual name of this interface will vary. For the most secure operation, change the configuration of the external interface so that it does not respond to ping requests.
Not responding to ping requests makes it more difficult for a potential attacker to detect the FortiGate unit from the Internet. For example, Denial of Service (DoS) attacks (e.g. a smurf attack) are designed to overwhelm network systems.
A FortiGate unit responds to ping requests if ping for administrative access is enabled for that interface. Use the following procedures to disable ping access for the external interface of a FortiGate unit. The same procedures can be used for any FortiGate interface, and they apply in both NAT/Route and Transparent mode.
To disable ping administrative access from the web-based manager:
1. Login to the FortiGate GUI.
2. Go to Network > Interfaces.
3. Choose the relevant external interface.
4. Select Edit.
5. Under Administrative Access, uncheck the PING check box.
6. Select OK to save the changes.
To disable ping administrative access from the FortiGate CLI:
1. Login to the FortiGate CLI.
2. Disable administrative access to the external interface. Run the following commands:
config system interface
    edit <name_of_interface>
        set allowaccess https    <-- list only the protocols that are required; do not include ping
end
3. Save with the 'end' command.
Example:
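A check for the setting described above, as an added example (not part of the original article and not Fortinet tooling): this Python script reads a saved configuration backup and lists the interfaces whose allowaccess list still includes ping. The sample configuration and interface names are constructed, and the backup is assumed to use the same config/edit/set/end block structure as the CLI steps.

```python
import re

# Constructed sample in the layout of a FortiGate configuration backup.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set allowaccess ping https ssh
        config ipv6
            set ip6-allowaccess https
        end
    next
    edit "internal"
        set allowaccess ping https
    next
    edit "wan2"
        set allowaccess https
    next
end
config firewall policy
    edit 1
        set name "ping https"
    next
end
"""

def interfaces_answering_ping(config_text):
    """Return interfaces whose allowaccess list includes ping."""
    found, depth, in_section, iface = [], 0, False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:  # top-level section header
                in_section = line == "config system interface"
        elif line == "end":
            depth -= 1  # may close a nested block such as "config ipv6"
        elif in_section and depth == 1:
            m = re.match(r'edit\s+"?([^"]+)"?$', line)
            if m:
                iface = m.group(1)
            elif iface and line.startswith("set allowaccess "):
                if "ping" in line.split()[2:]:
                    found.append(iface)
    return found

if __name__ == "__main__":
    for name in interfaces_answering_ping(SAMPLE_CONFIG):
        print(f"{name}: responds to ping, remove it from allowaccess")
```

Any interface reported here that faces the Internet can be corrected with the GUI or CLI procedure above.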
Copyright 2025 Fortinet, Inc. All Rights Reserved.