Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fionaC
New Contributor II

Disabling ICMP Timestamp Replies from FortiAP on LAN

Does anyone know how to disable ICMP timestamp replies from FortiAPs? My FortiAPs are connected to my LAN, and I have FortiSwitches. Policies do not seem to work - my guess is because the traffic is being routed by the switches and not going through the firewall?

5 REPLIES
AEK
SuperUser

If I'm not wrong, an ICMP timestamp reply is a response to an ICMP timestamp request, right?

In that case then you just need to add a firewall rule to deny ICMP requests from the desired source to the FortiAPs.

This is because I don't know a way to allow ICMP requests and at the same time deny ICMP replies. As far as I know this is how stateful firewalls are designed.

AEK
fionaC
New Contributor II

For some reason, that does not work. I am wondering if it is because the APs and the host are on the same LAN, and therefore the traffic is not routed through the FortiGate.

Toshi_Esumi

It wouldn't go through the FGT. It's directly sent to AP by MAC address found in ARP.

Toshi

AEK
SuperUser

Then I guess it is possible just by disabling the ping on the related SSID interface.

AEK
Toshi_Esumi

I think it's about FAP's management interface, not SSIDs.

Toshi
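
The two points raised in this thread, as an added example that is not part of any post above and not Fortinet code: an ICMP timestamp reply is type 14 answering a type 13 request (RFC 792), and a firewall policy only sees the exchange when source and destination are in different subnets. The function names and the 192.168.10.0/24 addresses are constructed for illustration; the parser can be pointed at ICMP payloads from a capture to confirm whether an AP still answers after a change.

```python
import ipaddress
import struct

ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY = 13, 14  # RFC 792 type values
FMT = "!BBHHHIII"  # type, code, checksum, id, seq, originate, receive, transmit

def icmp_checksum(data: bytes) -> int:
    """Internet checksum (one's-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_message(mtype, ident, seq, orig, recv, xmit) -> bytes:
    """Build a constructed sample message with a valid checksum (test data only)."""
    body = struct.pack(FMT, mtype, 0, 0, ident, seq, orig, recv, xmit)
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def ms_to_utc(ms: int) -> str:
    """Timestamps are milliseconds since midnight UTC."""
    return f"{ms // 3600000:02d}:{ms // 60000 % 60:02d}:{ms // 1000 % 60:02d}.{ms % 1000:03d}"

def parse_timestamp_message(icmp: bytes):
    """Return details for a valid type 13/14 message, else None."""
    if len(icmp) != 20 or icmp_checksum(icmp) != 0:
        return None  # wrong size or corrupted
    mtype, code, _, ident, seq, orig, recv, xmit = struct.unpack(FMT, icmp)
    if code != 0 or mtype not in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY):
        return None
    kind = "reply" if mtype == ICMP_TIMESTAMP_REPLY else "request"
    return {"kind": kind, "id": ident, "seq": seq,
            "originate_utc": ms_to_utc(orig), "receive_utc": ms_to_utc(recv)}

def traverses_firewall(src: str, dst: str, lan_prefix: str) -> bool:
    """False when both hosts are on the same subnet: the frame is delivered
    on-link using the MAC learned via ARP, so gateway policies never see it."""
    net = ipaddress.ip_network(lan_prefix)
    return not (ipaddress.ip_address(src) in net and ipaddress.ip_address(dst) in net)

if __name__ == "__main__":
    reply = build_message(ICMP_TIMESTAMP_REPLY, 1, 1, 43200000, 43200005, 43200005)
    print(parse_timestamp_message(reply))
    # Constructed addresses: scanner host and AP management IP on one LAN.
    print(traverses_firewall("192.168.10.50", "192.168.10.20", "192.168.10.0/24"))
```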
