FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Benoit_Rech_FTNT
Purpose

The purpose of this article is to depict why the FortiGate answers to traceroute on the VIP addresses, while such traffic is not allowed by the firewall policies.


Scope

Firewall VIP, and traceroute 


Diagram
brech_FD33838_vip_traceroute.png

Expectations, Requirements

Some security tools report that VIP addresses "answer" to traceroute requests, while ICMP_ANY or UDP traffics are not allowed by the firewall policies.

The traceroute tool relies on the TTL field in the IP header, which is contained in UDP packets. This TTL counter is decremented each time the packet is going through a router. While this counter is 1 or less, then the router must send an ICMP type=11, code=0 (Time Exceeded). The traceroute uses this ICMP message to figure out which host it encountered.

According to the RFC1812,

"If the TTL is reduced to zero (or less), the packet MUST be discarded, and if the destination is not a multicast address the router MUST send an ICMP Time Exceeded message, Code 0 (TTL Exceeded in Transit) message to the source."

From the FortiGate point of view, the firewall VIP is seen as a logical IP address, and trigger a "routing" from the "external" address to the "mapped" address, and then the TTL algorithm from RFC1812 is used.

There is no way to disable the sending of ICMP TTL Exceeded in Transit message, as this behavior is compliant with the RFC1812.


Configuration
The extract of the configuration shows that there is a VIP defined between a real server (10.121.2.12 on VLAN121), and a virtual public IP address 172.31.224.125 on port2. Only HTTP traffic is allowed by the firewall policy port2 (any host) to the real server (VLAN121) through the VIP.
FG300A-6 # show firewall vip config firewall vip     edit "VIP_SERVER"         set extip 172.31.224.125         set extintf "port2"         set mappedip 10.121.2.12     next end config firewall policy edit 0         set srcintf "port2"         set dstintf "VLAN121"         set srcaddr "all"         set dstaddr "VIP_SERVER"         set action accept         set schedule "always"         set service "HTTP"     next end


Verification
From a host connected on port2, execute "traceroute 172.31.224.125"

The following outputs are captured on the FortiGate:

The FortiGate receives a packets from the traceroute tool, to the VIP, with a TTL of 1.
Internet Protocol Version 4, Src: 192.168.171.245 (192.168.171.245), Dst: 172.31.224.125 (172.31.224.125)
    Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 60
Identification: 0x1676 (5750)
Flags: 0x00
Fragment offset: 0
Time to live: 1
Protocol: UDP (17)
Header checksum: 0xaa00 [correct]
Source: 192.168.171.245 (192.168.171.245)
Destination: 172.31.224.125 (172.31.224.125)
User Datagram Protocol, Src Port: 37540 (37540), Dst Port: 33445 (33445)
Data (32 bytes)
0000 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f @ABCDEFGHIJKLMNO
0010 50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f PQRSTUVWXYZ[\]^_

The FortiGate answers with an ICMP type=11, code=0 (Time To Live Exceeded in Transit)
Internet Protocol Version 4, Src: 172.31.224.125 (172.31.224.125), Dst: 192.168.171.245 (192.168.171.245)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 88
Identification: 0xb38a (45962)
Flags: 0x00
Fragment offset: 0
Time to live: 255
Protocol: ICMP (1)
Header checksum: 0x0e1f [correct]
Source: 172.31.224.125 (172.31.224.125)
Destination: 192.168.171.245 (192.168.171.245)
Internet Control Message Protocol
Type: 11 (Time-to-live exceeded)
Code: 0 (Time to live exceeded in transit)

Checksum: 0xee74 [correct]
Internet Protocol Version 4, Src: 192.168.171.245 (192.168.171.245), Dst: 172.31.224.125 (172.31.224.125)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 60
Identification: 0x1676 (5750)
Flags: 0x00
Fragment offset: 0
Time to live: 1
Protocol: UDP (17)
Header checksum: 0xaa00 [correct]
Source: 192.168.171.245 (192.168.171.245)
Destination: 172.31.224.125 (172.31.224.125)
User Datagram Protocol, Src Port: 37540 (37540), Dst Port: 33445 (33445)
Data (32 bytes)
0000 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f @ABCDEFGHIJKLMNO
0010 50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f PQRSTUVWXYZ[\]^_


Troubleshooting
But, what can be seen is that the traffic doesn't go through the FortiGate. There is no egress traffic on the VLAN121.

FG300A-6 # diagnose sniffer packet any 'host 172.31.224.125 or host 10.121.2.12' 4 0 a interfaces=[any] filters=[host 172.31.224.125 or host 10.121.2.12] 2012-10-04 09:00:49.813967 port2 in arp who-has 172.31.224.125 tell 172.31.227.254 2012-10-04 09:00:49.813991 port2 out arp reply 172.31.224.125 is-at 0:9:f:85:b7:82 2012-10-04 09:00:49.814482 port2 in 192.168.171.245.52763 -> 172.31.224.125.33450: udp 32 2012-10-04 09:00:49.814549 port2 in 192.168.171.245.47048 -> 172.31.224.125.33451: udp 32 2012-10-04 09:00:49.814585 port2 in 192.168.171.245.53413 -> 172.31.224.125.33452: udp 32

diag debug flow show console enable diag debug flow filter proto 17 diag debug flow show trace start 100 id=36871 trace_id=141 msg="allocate a new session-00002467" id=36871 trace_id=141 msg="find SNAT: IP-10.121.2.12(from IPPOOL), port-33446" id=36871 trace_id=141 msg="VIP-10.121.2.12:33446, outdev-port2" id=36871 trace_id=141 msg="DNAT 172.31.224.125:33446->10.121.2.12:33446" id=36871 trace_id=141 msg="find a route: gw-10.121.2.12 via VLAN121" id=36871 trace_id=141 msg="Denied by forward policy check"


Contributors