Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
beaven67
New Contributor

Created on ‎12-18-2014 08:05 AM

Disable ICMP type 3 messages?

Is there a way to just disable icmp type 3 messages. I still want echo and echo replies just not unreachables.

Anyone know,

Pat Beaven

6645
0 Kudos
3 REPLIES 3
emnoc
Esteemed Contributor III

Created on ‎12-25-2014 10:40 AM

I was not under the impression the fortigate sent  icmp unreachable directly. Can you explain what's sending the icmp.Code type 3 message? The fortigate ? or something down wind?

 

 

 

PCNSE 

NSE 

StrongSwan  

1510
0 Kudos
beaven67
New Contributor
In response to emnoc

Created on ‎12-29-2014 10:24 AM

I believe the device behind the firewall sends the icmp unreachable. I want to filter out these but see no way of doing so at this point?

emnoc wrote:

I was not under the impression the fortigate sent  icmp unreachable directly. Can you explain what's sending the icmp.Code type 3 message? The fortigate ? or something down wind?

 

 

 

1510
0 Kudos
emnoc
Esteemed Contributor III

Created on ‎12-29-2014 10:34 AM

The diagnostic command diag debug flow is your friend, traffic allow by the fwpolicy , will only allow what's allowed.

So I bet you have ALL/ANY or icmp-any allowed by the policy on what ever is sending the icmp.Code.Type 3

 

I would audit my  fwpolicies & review my security layout. You should have no valid reason unlessed design for a host behind to have icmp.type 3s exiting your network imho

 

 

 

PCNSE 

NSE 

StrongSwan  

1510
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.