DPadula
Staff & Editor
Article Id 350824
Description

This article describes how to configure FortiSwitch to filter ICMP Type 3 messages so that they do not reach FortiGate (in this example, ICMP Type 3 Code 3 is blocked).

 

ICMP Destination Unreachable messages (Type 3) may need to be blocked for security reasons (e.g. to prevent a BlackNurse attack). The relevant Type 3 codes are:


Type 3 Code 0 - Destination Unreachable Network Unreachable
Type 3 Code 1 - Destination Unreachable Host Unreachable
Type 3 Code 3 - Destination Unreachable Port Unreachable
Type 3 Code 4 - Destination Unreachable Fragmentation Needed and Don't Fragment was Set

 

Check the article Troubleshoot Tip: How ip-conn Log ID 0000000011 dns logs are generated to understand how FortiGate ip-conn app='DNS' logs are generated.

Scope
FortiSwitch.
Solution

The following diagram shows how FortiSwitch and FortiGate connect. 

 

[Figure: network diagram of the FortiSwitch and FortiGate connection]

 

If, for example, an ICMP packet with Type 3 and Code 1 reaches FortiGate (FG01), it will generate an ip-conn log message as described in the article Troubleshoot Tip: How ip-conn Log ID 0000000011 dns logs are generated.

 

If FortiGate is connected to a FortiAnalyzer and multiple computers are generating such ICMP messages, FortiAnalyzer will show multiple 'IP Connection error' logs.

 

[Figure: FortiAnalyzer ip-conn log fields]

 

Add the following configuration on FortiSwitch to block ICMP Type 3 Code 3. Codes 0, 1, and 4 can also be added if necessary.

 

FortiSwitch01# config switch acl service custom
  edit "ICMP_Type3"
    set protocol ICMP
    set icmptype 3
    set icmpcode 3
  next
end

FortiSwitch01# config switch acl ingress
  edit 1
    config action
      set count enable
      set drop enable
    end
    config classifier
      set service "ICMP_Type3"
    end
    set ingress-interface-all enable
  next
end
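The ACL above keys only on the ICMP type and code bytes at the start of the ICMP header. The following Python script is an added example, not Fortinet code: it builds a few constructed ICMP messages (with a correct RFC 1071 checksum), reads the type/code the way the "switch acl service custom" classifier does, and emulates the ingress ACL's drop+count action, first with only Code 3 configured and then with Codes 0, 1, 3 and 4, so the effect of widening the service can be checked offline. Function names, the sample traffic and the drop counter are assumptions of this example; the switch itself does not verify checksums and checksum_ok is included only to confirm the sample messages are well-formed.

```python
"""Added example (not Fortinet code): emulate the FortiSwitch ICMP Type 3 ACL
from the article against constructed ICMP messages."""
import struct
from typing import Iterable, List, Tuple

ICMP_DEST_UNREACH = 3  # ICMP Type 3, Destination Unreachable

# Type 3 codes listed in the article
TYPE3_CODES = {
    0: "Network Unreachable",
    1: "Host Unreachable",
    3: "Port Unreachable",
    4: "Fragmentation Needed and Don't Fragment was Set",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Constructed ICMP message: type(1) code(1) checksum(2) unused(4) payload."""
    header = struct.pack("!BBHI", icmp_type, code, 0, 0)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, 0) + payload


def parse_icmp(message: bytes) -> Tuple[int, int]:
    """Return (type, code): the first two bytes of the ICMP header."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    return message[0], message[1]


def checksum_ok(message: bytes) -> bool:
    """A valid message sums to all-ones including its checksum field, so the
    recomputed complement is zero."""
    return icmp_checksum(message) == 0


def acl_matches(message: bytes, icmptype: int, icmpcodes: Iterable[int]) -> bool:
    """Mirror of 'set icmptype X' / 'set icmpcode Y': type AND code must match.
    Like the switch classifier, this looks only at type/code, not the checksum."""
    t, c = parse_icmp(message)
    return t == icmptype and c in set(icmpcodes)


def apply_ingress_acl(messages: Iterable[bytes],
                      icmpcodes: Iterable[int] = (3,)) -> Tuple[List[bytes], int]:
    """Emulate 'config switch acl ingress' with 'set drop enable' and
    'set count enable' on all ingress interfaces: returns (forwarded, drop_count)."""
    forwarded: List[bytes] = []
    dropped = 0
    for m in messages:
        if acl_matches(m, ICMP_DEST_UNREACH, icmpcodes):
            dropped += 1  # hypothetical hit counter, as 'set count enable' keeps
        else:
            forwarded.append(m)
    return forwarded, dropped


def describe(message: bytes) -> str:
    """Human-readable label in the article's 'Type 3 Code N - ...' form."""
    t, c = parse_icmp(message)
    if t == ICMP_DEST_UNREACH:
        return f"Type 3 Code {c} - Destination Unreachable {TYPE3_CODES.get(c, 'other')}"
    return f"Type {t} Code {c}"


# Constructed sample traffic: three Destination Unreachable messages carrying a
# stub of the original IP header, plus one Echo Request that must always pass.
SAMPLE_MESSAGES = [
    build_icmp(3, 3, b"\x45\x00" + b"\x00" * 26),
    build_icmp(3, 1, b"\x45\x00" + b"\x00" * 26),
    build_icmp(3, 4, b"\x45\x00" + b"\x00" * 26),
    build_icmp(8, 0, b"ping"),
]

if __name__ == "__main__":
    for codes in ((3,), (0, 1, 3, 4)):
        fwd, dropped = apply_ingress_acl(SAMPLE_MESSAGES, codes)
        print(f"icmpcode {codes}: dropped={dropped}, forwarded={len(fwd)}")
        for m in fwd:
            print("  forwarded:", describe(m))
```

With only Code 3 in the service, the Host Unreachable (Code 1) and Fragmentation Needed (Code 4) messages still reach the FortiGate and would still produce ip-conn logs; adding Codes 0, 1 and 4 leaves only the Echo Request forwarded. Dropping Code 4 also suppresses Path MTU Discovery feedback, which is worth weighing before widening the ACL beyond what the logs show is needed.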

 

Related articles:

Technical Tip: Blocking ICMP Unreachable Messages by using interface-policy

Technical Tip: DNS error logs showing in FortiAnalyzer