Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Zhuo
New Contributor III

Created on ‎04-15-2024 06:50 PM

Blocks ICMP Error Reporting Packets

How Fortinet Blocks ICMP Error Reporting Packets

 

thanks.

Labels:
662
1 Solution
Zhuo
New Contributor III
In response to ebilcari

Created on ‎04-16-2024 01:05 AM

The test topology is as follows:

96a159f74070bacb821244bcbd8a72a.png

The L3 layer switch will tell the fortigate Unreachable, and what we have to do is not to interfere with the L3 layer switch sending the packet to the fortigate. We need to reject the Unreachable packet in the fortigate (equivalent to forwarding traffic).

 

I have tested the results. Firewall ACL is used in fortigate to prevent Unreachable from being sent to the client. Note: It is not a firewall policy, but a firewall ACL. Just define the icmp service type3 code1.

Zhuo_2-1713254718111.png

 

 

View solution in original post

616
4 REPLIES 4
ebilcari
Staff
Staff

Created on ‎04-16-2024 12:37 AM

You can check this article that covers this topic more in detail.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
629
Zhuo
New Contributor III
In response to ebilcari

Created on ‎04-16-2024 01:05 AM

The test topology is as follows:

96a159f74070bacb821244bcbd8a72a.png

The L3 layer switch will tell the fortigate Unreachable, and what we have to do is not to interfere with the L3 layer switch sending the packet to the fortigate. We need to reject the Unreachable packet in the fortigate (equivalent to forwarding traffic).

 

I have tested the results. Firewall ACL is used in fortigate to prevent Unreachable from being sent to the client. Note: It is not a firewall policy, but a firewall ACL. Just define the icmp service type3 code1.

Zhuo_2-1713254718111.png

 

 

617
ebilcari
Staff
Staff
In response to Zhuo

Created on ‎04-16-2024 02:15 AM Edited on ‎04-16-2024 02:18 AM

Thanks for sharing your findings. This looks like another elegant way of achieving the same result using a custom service and ACL:

icmp-type.png

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
595
Zhuo
New Contributor III

Created on ‎04-16-2024 01:04 AM

The test topology is as follows:

 

The L3 layer switch will tell the fortigate Unreachable, and what we have to do is not to interfere with the L3 layer switch sending the packet to the fortigate. We need to reject the Unreachable packet in the fortigate (equivalent to forwarding traffic).

 

I have tested the results. Firewall ACL is used in fortigate to prevent Unreachable from being sent to the client. Note: It is not a firewall policy, but a firewall ACL. Just define the icmp service type3 code1.

1713254284649.png

 
618
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.