This article explains why a FortiGate answers traceroute on VIP addresses even though the probe traffic itself is not allowed by the firewall policies.
Firewall VIP, and traceroute
Some security tools report that VIP addresses "answer" traceroute requests, even though neither ICMP_ANY nor UDP traffic to the VIP is allowed by the firewall policies.
The traceroute tool relies on the TTL field of the IP header; the classic UNIX implementation sends UDP probes to high, unused ports with an increasing TTL. Every router that forwards a packet decrements its TTL. When the TTL reaches zero the router must discard the packet and send an ICMP type 11, code 0 (Time Exceeded in Transit) message back to the source. traceroute uses the source address of these ICMP messages to identify each hop it encountered on the path.
According to the RFC1812,
"If the TTL is reduced to zero (or less), the packet MUST be discarded, and if the destination is not a multicast address the router MUST send an ICMP Time Exceeded message, Code 0 (TTL Exceeded in Transit), to the source."
From the FortiGate's point of view, the firewall VIP is a logical IP address: a packet addressed to the "external" address is "routed" to the "mapped" address, so the TTL handling of RFC 1812 applies to it. A probe arriving with TTL 1 is therefore discarded and answered with an ICMP Time Exceeded message whose source is the VIP address. This reply is generated by the forwarding path and does not depend on a policy accepting the probe; the UDP probe itself is still dropped by the policy check, as the debug flow output later in this article shows.
There is no way to disable the sending of the ICMP TTL Exceeded in Transit message, as this behavior is required by RFC 1812. The message only reveals that the VIP address exists as a hop; it does not indicate that UDP or ICMP traffic to the mapped address is permitted.
FG300A-6 # show firewall vip
config firewall vip
    edit "VIP_SERVER"
        set extip 172.31.224.125
        set extintf "port2"
        set mappedip 10.121.2.12
    next
end
config firewall policy
    edit 0
        set srcintf "port2"
        set dstintf "VLAN121"
        set srcaddr "all"
        set dstaddr "VIP_SERVER"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
end
Probe sent by traceroute (UDP to a high port, TTL 1):
Internet Protocol Version 4, Src: 192.168.171.245 (192.168.171.245), Dst: 172.31.224.125 (172.31.224.125)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 60
Identification: 0x1676 (5750)
Flags: 0x00
Fragment offset: 0
Time to live: 1
Protocol: UDP (17)
Header checksum: 0xaa00 [correct]
Source: 192.168.171.245 (192.168.171.245)
Destination: 172.31.224.125 (172.31.224.125)
User Datagram Protocol, Src Port: 37540 (37540), Dst Port: 33445 (33445)
Data (32 bytes)
0000 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f @ABCDEFGHIJKLMNO
0010 50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f PQRSTUVWXYZ[\]^_
Reply sent by the FortiGate with the VIP address as source (ICMP type 11, code 0), quoting the discarded probe:
Internet Protocol Version 4, Src: 172.31.224.125 (172.31.224.125), Dst: 192.168.171.245 (192.168.171.245)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 88
Identification: 0xb38a (45962)
Flags: 0x00
Fragment offset: 0
Time to live: 255
Protocol: ICMP (1)
Header checksum: 0x0e1f [correct]
Source: 172.31.224.125 (172.31.224.125)
Destination: 192.168.171.245 (192.168.171.245)
Internet Control Message Protocol
Type: 11 (Time-to-live exceeded)
Code: 0 (Time to live exceeded in transit)
Checksum: 0xee74 [correct]
Original datagram quoted inside the ICMP message:
Internet Protocol Version 4, Src: 192.168.171.245 (192.168.171.245), Dst: 172.31.224.125 (172.31.224.125)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 60
Identification: 0x1676 (5750)
Flags: 0x00
Fragment offset: 0
Time to live: 1
Protocol: UDP (17)
Header checksum: 0xaa00 [correct]
Source: 192.168.171.245 (192.168.171.245)
Destination: 172.31.224.125 (172.31.224.125)
User Datagram Protocol, Src Port: 37540 (37540), Dst Port: 33445 (33445)
Data (32 bytes)
0000 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f @ABCDEFGHIJKLMNO
0010 50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f PQRSTUVWXYZ[\]^_
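To make the mechanism concrete, here is an added Python example (not part of the original article and not Fortinet code) that rebuilds the probe and the reply from the dissection above, verifies the IP and ICMP checksums Wireshark marked as [correct], and decodes the reply the way traceroute does. It goes one step beyond the article: it also tells the type 11/0 Time Exceeded reply apart from the type 3/3 Port Unreachable that a UNIX traceroute expects from the final destination, which is the reply a scanner should look for before claiming that a VIP "answers". The UDP checksum is not shown on the page and is computed here; all function and variable names are the example's own.

```python
import struct

# All packet bytes below are constructed from the Wireshark dissection on this
# page (addresses, ports, IP IDs, TTLs, DSCP, payload); they are not a live capture.
PROBE_SRC = "192.168.171.245"
VIP_EXT = "172.31.224.125"
PROBE_SPORT, PROBE_DPORT, PROBE_IPID = 37540, 33445, 0x1676
REPLY_IPID = 0xB38A
PROBE_PAYLOAD = bytes(range(0x40, 0x60))  # "@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_"

ICMP_TIME_EXCEEDED, ICMP_DEST_UNREACH = 11, 3
CODE_TTL_IN_TRANSIT, CODE_PORT_UNREACH = 0, 3


def a2b(addr):
    return bytes(int(o) for o in addr.split("."))


def checksum(data):
    """RFC 1071 ones'-complement checksum (IPv4, UDP and ICMP all use it)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_header(src, dst, proto, payload_len, ttl, ip_id, tos=0):
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ip_id, 0,
                      ttl, proto, 0, a2b(src), a2b(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def udp_probe(src, dst, sport, dport, ttl, ip_id, payload):
    """A UNIX traceroute probe: UDP to an unlikely high port, with a small TTL."""
    length = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, length, 0) + payload
    pseudo = a2b(src) + a2b(dst) + struct.pack("!BBH", 0, 17, length)
    csum = checksum(pseudo + udp) or 0xFFFF  # UDP sends an all-zero sum as 0xFFFF
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    return ip_header(src, dst, 17, len(udp), ttl, ip_id) + udp


def icmp_error(sender, itype, code, quoted, ip_id):
    """ICMP error as a router sends it: the received datagram is quoted after
    the 8-byte ICMP header and the message goes back to the datagram's source."""
    icmp = struct.pack("!BBHI", itype, code, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    dst = "%d.%d.%d.%d" % tuple(quoted[12:16])
    # TTL 255 and DSCP CS6 (tos 0xc0), as in the captured FortiGate reply
    return ip_header(sender, dst, 1, len(icmp), 255, ip_id, tos=0xC0) + icmp


def classify_reply(reply, probe):
    """Decode one ICMP reply to a probe and say what it actually proves.

    'hop'    type 11/0: the sender discarded the probe because its TTL expired.
             Forwarding-plane behaviour only; says nothing about what the
             firewall policy allows towards the mapped address.
    'target' type 3/3: the probe was delivered to the destination host, which
             had no listener on that port; only this shows the probe got through.
    'other'  any other ICMP message (filtered, admin-prohibited, ...).
    """
    ihl = (reply[0] & 0x0F) * 4
    if reply[9] != 1 or checksum(reply[:ihl]) != 0:  # a valid header sums to 0
        raise ValueError("not a well-formed ICMP datagram")
    icmp = reply[ihl:]
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code, quoted = icmp[0], icmp[1], icmp[8:]
    # traceroute matches replies to probes on the quoted IP ID, addresses and
    # UDP ports (RFC 1812 routers quote at least the header plus 8 bytes)
    qihl, pihl = (quoted[0] & 0x0F) * 4, (probe[0] & 0x0F) * 4
    ours = (quoted[4:6] == probe[4:6] and quoted[12:20] == probe[12:20]
            and quoted[qihl:qihl + 4] == probe[pihl:pihl + 4])
    if (itype, code) == (ICMP_TIME_EXCEEDED, CODE_TTL_IN_TRANSIT):
        verdict = "hop"
    elif (itype, code) == (ICMP_DEST_UNREACH, CODE_PORT_UNREACH):
        verdict = "target"
    else:
        verdict = "other"
    return {"from": "%d.%d.%d.%d" % tuple(reply[12:16]), "type": itype,
            "code": code, "quoted_is_our_probe": ours, "verdict": verdict}


if __name__ == "__main__":
    probe = udp_probe(PROBE_SRC, VIP_EXT, PROBE_SPORT, PROBE_DPORT, 1, PROBE_IPID, PROBE_PAYLOAD)
    reply = icmp_error(VIP_EXT, ICMP_TIME_EXCEEDED, CODE_TTL_IN_TRANSIT, probe, REPLY_IPID)
    print(classify_reply(reply, probe))
```

Run as a script it prints the verdict "hop" for the VIP reply. The rebuilt probe carries the header checksum 0xaa00 and the rebuilt reply the checksums 0x0e1f and 0xee74 shown in the dissection, so the bytes match the capture exactly; a scanner that only looks at whether "something" came back from the VIP will misread that type 11 message as a host answering.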
FG300A-6 # diagnose sniffer packet any 'host 172.31.224.125 or host 10.121.2.12' 4 0 a
interfaces=[any]
filters=[host 172.31.224.125 or host 10.121.2.12]
2012-10-04 09:00:49.813967 port2 in arp who-has 172.31.224.125 tell 172.31.227.254
2012-10-04 09:00:49.813991 port2 out arp reply 172.31.224.125 is-at 0:9:f:85:b7:82
2012-10-04 09:00:49.814482 port2 in 192.168.171.245.52763 -> 172.31.224.125.33450: udp 32
2012-10-04 09:00:49.814549 port2 in 192.168.171.245.47048 -> 172.31.224.125.33451: udp 32
2012-10-04 09:00:49.814585 port2 in 192.168.171.245.53413 -> 172.31.224.125.33452: udp 32
diag debug flow show console enable
diag debug flow filter proto 17
diag debug flow show trace start 100
id=36871 trace_id=141 msg="allocate a new session-00002467"
id=36871 trace_id=141 msg="find SNAT: IP-10.121.2.12(from IPPOOL), port-33446"
id=36871 trace_id=141 msg="VIP-10.121.2.12:33446, outdev-port2"
id=36871 trace_id=141 msg="DNAT 172.31.224.125:33446->10.121.2.12:33446"
id=36871 trace_id=141 msg="find a route: gw-10.121.2.12 via VLAN121"
id=36871 trace_id=141 msg="Denied by forward policy check"
The debug flow confirms the behavior: the UDP probe is DNATed to the mapped address, a route is found, and the session is then denied by the policy check, since the only policy towards VIP_SERVER allows HTTP. The ICMP Time Exceeded reply seen in the capture is nevertheless sent, because it is triggered by the expired TTL in the forwarding path and not by a policy decision.