Hi,
I need to block just ICMP Type 3 Code 3 messages (port unreachable) getting from PC1.
PC1==Port4--[FGT-300D]--Port1==PC2
I have created a custom service ICMP_type3_code3 and a policy to deny traffic from PC1 to PC2. But still those ICMP are allowed.
The command: diagnose sniffer packet any "host PC1 and PC2" 4
shows the message "port1 out PC1 -> PC2: icmp: PC1 udp port 161 unreachable"
I have the same result when I denied ICMP_ALL.
Can anyone let me know how to fix that, please?
Many thanks.
Abmas
The CLI diag debug flow is your best friend. This will ensure your firewall policy and the right matching ingress/egress interfaces are actually matched.
PCNSE
NSE
StrongSwan
Hello,
This ICMP packet is a reply to a UDP packet to port 161 received by PC1. So there is first a UDP session opened on the FGT by this UDP packet coming from PC2, and this ICMP reply is part of that session. When received by the FGT, the FGT will look inside the ICMP packet, will find the UDP header/payload inside this ICMP packet, and it will match an existing session. So it will go through the FGT. You cannot block this packet with a deny policy from port4 to port1, as it is a reply packet to an existing session on the FGT.
Thanks
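The session-matching behaviour described in the answer above, as an added example that is not part of the original thread and not Fortinet code: a small model of a stateful firewall that opens a session for the PC2 -> PC1 UDP datagram, then receives PC1's ICMP type 3 code 3 reply, parses the quoted IP/UDP header out of the ICMP payload and recovers the original 5-tuple, so the error is accepted as part of the existing session without ever consulting the PC1 -> PC2 deny policy. Addresses, ports and the policy function are constructed for the illustration; the ICMP 3/3 quoting of "IP header plus the first 8 bytes of the original datagram" follows RFC 792.

```python
import struct

# Constructed addresses for the thread's topology: PC2 behind port1, PC1 behind port4.
PC1 = "10.0.4.10"
PC2 = "10.0.1.10"

def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))

def bytes_to_ip(b):
    return ".".join(str(x) for x in b)

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left at zero because this model never verifies it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ip_to_bytes(src), ip_to_bytes(dst))

def build_udp_probe(src, dst, sport, dport):
    # IPv4 + UDP header with no data (e.g. an SNMP probe to udp/161).
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return ipv4_header(src, dst, 17, len(udp)) + udp

def build_port_unreachable(sender, receiver, offending):
    # ICMP type 3 code 3: header, then the offending IP header + first 8 bytes of its payload (RFC 792).
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + offending[:28]
    return ipv4_header(sender, receiver, 1, len(icmp)) + icmp

def parse_ipv4(pkt):
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "src": bytes_to_ip(src), "dst": bytes_to_ip(dst), "payload": pkt[ihl:total]}

def flow_key(ip):
    """5-tuple of a UDP datagram: the key a stateful firewall tracks the session under."""
    sport, dport = struct.unpack("!HH", ip["payload"][:4])
    return (ip["proto"], ip["src"], sport, ip["dst"], dport)

def related_flow_key(ip):
    """For ICMP type 3 code 3, recover the 5-tuple of the quoted (offending) UDP datagram; else None."""
    if ip["proto"] != 1:
        return None
    icmp = ip["payload"]
    if (icmp[0], icmp[1]) != (3, 3):
        return None
    inner = parse_ipv4(icmp[8:])          # quoted original IP header + 8 bytes of its payload
    if inner["proto"] != 17:
        return None
    return flow_key(inner)

class StatefulFirewall:
    """Simplified model: session lookup first, firewall policy only for packets with no session."""

    def __init__(self):
        self.sessions = set()

    def handle(self, pkt, policy_allows):
        """Return 'session' (matched an existing session, policy not consulted),
        'accept' (policy created a new session) or 'deny' (policy dropped it)."""
        ip = parse_ipv4(pkt)
        if ip["proto"] == 17:
            key = flow_key(ip)
            reverse = (key[0], key[3], key[4], key[1], key[2])
            if key in self.sessions or reverse in self.sessions:
                return "session"
            if policy_allows(ip["src"], ip["dst"], "udp", key[4]):
                self.sessions.add(key)
                return "accept"
            return "deny"
        related = related_flow_key(ip)
        if related is not None and related in self.sessions:
            return "session"             # ICMP error belongs to the tracked UDP session
        if policy_allows(ip["src"], ip["dst"], "icmp", None):
            return "accept"
        return "deny"

def demo():
    fw = StatefulFirewall()

    def policy(src, dst, proto, dport):
        # Constructed policy set: allow PC2 -> PC1 UDP; deny everything PC1 -> PC2 (the poster's deny rule).
        return src == PC2 and dst == PC1 and proto == "udp"

    probe = build_udp_probe(PC2, PC1, 50000, 161)
    r1 = fw.handle(probe, policy)                       # new session via policy
    unreach = build_port_unreachable(PC1, PC2, probe)
    r2 = fw.handle(unreach, policy)                     # matched to that session, deny rule never evaluated
    stray = build_port_unreachable(PC1, PC2, build_udp_probe(PC2, PC1, 50001, 162))
    r3 = fw.handle(stray, policy)                       # quotes a datagram never seen: policy applies, dropped
    return r1, r2, r3

if __name__ == "__main__":
    print(demo())
```

The third case shows the flip side of the answer: an ICMP 3/3 whose quoted datagram matches no session falls through to the policy lookup, so the deny rule does take effect there. Blocking the original udp/161 datagram (so no session is ever created) is therefore the lever that stops the reply, not a rule on the reply itself.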
But if you blocked udp/161, wouldn't the ICMP messages stop then? Depends on which device generates the message, and I think it's the second PC which refuses requests to udp/161 and replies with "port unreachable".
I agreed with the latter response (ede).
I believe you have another means for dropping these ICMP types (via an IPS custom signature), but controlling the traffic flow via the firewall policy is the correct and smart way and kills the problem at the root.
Ken
PCNSE
NSE
StrongSwan