Disable Ping to Servers

lyberis19179 · ‎11-18-2016

Dear all good Morning,

Im having the fortigate 100D model with the 5.4.1 firmware and I'm wondering how to disable the ping to my servers that are in my network. The scenarios are the following.

Block from outside to internal --> scan and ping

Block from internal lan --> scan and ping

My network is a 192.168.0.0/20 // my servers are in 192.168.1.0/20

Any ideas would be helpful. Hope to return the help in future posts.

ede_pfau · ‎11-19-2016

hi,

and welcome to the forums.

I hope I get what your question is about - if not, please clarify.

How do you block ping (ICMP) from WAN to internal?

well, as long as you don't ALLOW it explicitly it won't reach your servers. I assume you have VIPs for remote access to internal servers. If these VIPs are port forwarding ICMP is not translated unless you set the 'set protocol icmp' option. Same for the policy the VIP is used in, if 'service' doesn't contain ICMP/ping this traffic will be blocked.

ping from internal host to internal host/server

This is different. As long as both hosts are within the same subnet their traffic will not cross the FGT, and thus cannot be controlled. This is the main reason why you would put a server (or a server farm) onto it's own subnet and FGT port - full control on the traffic going to and coming from the servers.

If your main concern is ICMP flooding (port scans using ICMP) then primarily the same applies. You only have to take action if you want to allow pings by default. Then, ICMP flooding can be caught by a DoS sensor.

Ede

"Kernel panic: Aiee, killing interrupt handler!"

lyberis19179 · ‎11-23-2016

That covers it all. Thanks for the explanation mate.