The test topology is as follows:
The L3 layer switch will tell the FortiGate Unreachable, and what we have to do is not to interfere with the L3 layer switch sending the packet to the FortiGate. We need to reject the Unreachable packet in the FortiGate (equivalent to forwarding traffic).
I have tested the results. A firewall ACL is used in the FortiGate to prevent the Unreachable from being sent to the client. Note: it is not a firewall policy, but a firewall ACL. Just define the ICMP service type 3 code 1.
You can check this article that covers this topic in more detail.
Thanks for sharing your findings. This looks like another elegant way of achieving the same result using a custom service and ACL.
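The custom service and ACL approach from this thread, written out as FortiOS CLI. This is an added example, not the poster's configuration or a Fortinet-supplied one; the interface name "port1" and the "all" address objects are placeholders to adjust to the topology. Matching only code 1 (Host Unreachable) is deliberate: it leaves code 4 (Fragmentation Needed) untouched, so Path MTU discovery through the FortiGate keeps working.

```fortios
# Added example: drop ICMP Destination Unreachable / Host Unreachable
# on ingress with a firewall ACL, as described in this thread.
# "port1" and the "all" address objects are assumptions; adjust to your setup.

# 1. Custom service that matches only ICMP type 3, code 1.
config firewall service custom
    edit "ICMP-Unreach-Type3-Code1"
        set protocol ICMP
        set icmptype 3
        set icmpcode 1
    next
end

# 2. Firewall ACL, not a firewall policy. ACLs are evaluated before policy
#    lookup and drop matching packets on the ingress interface, so the
#    Unreachable from the L3 switch is never forwarded to the client.
config firewall acl
    edit 1
        set status enable
        set interface "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ICMP-Unreach-Type3-Code1"
    next
end
```

To confirm the effect, sniff the client-facing interface (diagnose sniffer packet) while the L3 switch generates the Unreachable and check that no type 3 code 1 packets appear on the client side.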