Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
squid-c
New Contributor II

Created on ‎03-23-2024 07:06 PM

Fortigate is not sending icmp redirects.

Fortigate is not sending icmp redirects.
"icmp-send-redirect" is setting enable.
I would like to be able to send ICMP redirects using the case 2 pattern.
If the PC is in the same segment as the FW,ICMP redirect responses are possible.
However, if there is a router between the PC and the FW and they are on different segments,
ICMP redirect responses will not be received.

 

Q
Aren't ICMP redirects sent to another segment?How does it work?


Case 1
In this case, the FW sent an ICMP redirect.

PCâ‘ ------[FWâ‘ ]------PCâ‘¡
   |
   ----[FW②]------PC③

setting
PC①:192.168.1.1/24
PC②:192.168.2.1/24
PC③:192.168.3.1/24

routing
PCâ‘ : Default gateway is FWâ‘ 
FWâ‘ : Setting static route "Gateway of destination PCâ‘¢ is FWâ‘¡"

 

Case 2
PCâ‘ ----[RTâ‘ ]------[FWâ‘ ]------PCâ‘¡
        |
        ----[FW②]------PC③
setting
PC①:192.168.1.1/24
PC②:192.168.2.1/24
PC③:192.168.3.1/24
RT①:Do not use NAT

routing
PCâ‘ : Default gateway is RTâ‘ 
FWâ‘ : Setting static route "Gateway of destination PCâ‘¢ is FWâ‘¡"
FWâ‘¡: Setting static route "Gateway of destination PCâ‘  is RTâ‘ "

 

Thanks

Labels:
1019
0 Kudos
1 Solution
Dhruvin_patel
Staff
Staff

Created on ‎03-24-2024 07:21 AM

Greetings,

 

You would like to use ICMP redirect to inform the host about the better next hop to reach a certain destination.

 

First of all, enable the following settings on the interface, 

 

# config system interface

   edit "interface_name"

      set icmp-accept-redirect enable

      set icmp-send-redirect enable

   next

 

Afterward, make sure that the ICMP redirect is allowed on the Layer-3 router.

 

Still it fails, capture the packet on a port using this document and verify that the FortiGate is responding, https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Packet-Capture-on-FortiOS-GUI/ta-p/1... 

 

Regards,

If you have found a solution, please like and accept it to make it easily accessible to others.

Dhruvin Patel

View solution in original post

972
1 REPLY 1
Dhruvin_patel
Staff
Staff

Created on ‎03-24-2024 07:21 AM

Greetings,

 

You would like to use ICMP redirect to inform the host about the better next hop to reach a certain destination.

 

First of all, enable the following settings on the interface, 

 

# config system interface

   edit "interface_name"

      set icmp-accept-redirect enable

      set icmp-send-redirect enable

   next

 

Afterward, make sure that the ICMP redirect is allowed on the Layer-3 router.

 

Still it fails, capture the packet on a port using this document and verify that the FortiGate is responding, https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Packet-Capture-on-FortiOS-GUI/ta-p/1... 

 

Regards,

If you have found a solution, please like and accept it to make it easily accessible to others.

Dhruvin Patel
973
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.