How to block ICMP Type 3 Code 3 messages : udp port 161 unreachable
Hi,
I need to block just ICMP Type 3 Code 3 messages (port unreachable) getting from PC1.
PC1==Port4--[FGT-300D]--Port1==PC2
I have created a custom service ICMP_type3_code3 and a policy to deny traffic from PC1 to PC2. But still those ICMP are allowed.
The command : diagnose sniffer packet any "host PC1 and PC2" 4
shows the message "port1 out PC1 -> PC2: icmp: PC1 udp port 161 unreachable"
I have the same result when I denied ICMP_ALL.
Can anyone let me know how to fix that, please?
Many thanks.
Abmas
The CLI "diag debug flow" is your best friend. This will ensure your fw-policy and the right matching ingress/egress interfaces are actually matched.
PCNSE
NSE
StrongSwan
Hello,
This ICMP packet is a reply to a UDP packet to port 161 received by PC1. So there is first a UDP session opened on the FGT by this UDP packet coming from PC2, and this ICMP reply is part of this session. When received by the FGT, the FGT will look inside the ICMP packet, will find the UDP header/payload inside this ICMP packet and it will match an existing session. So it will go through the FGT. You cannot block this packet with a deny policy from port4 to port1 as it is a reply packet to an existing session on the FGT.
Thanks
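To make the session-matching step in the answer above concrete, here is an added example (not from the thread or from Fortinet): it parses an ICMP type 3 code 3 datagram, pulls the original IP/UDP header quoted inside it (RFC 792 layout), and checks the quoted 5-tuple against a session table, the way a stateful firewall decides the error belongs to an existing flow. Addresses, ports and the session table are constructed values for the PC1/PC2 topology; checksums are not verified.

```python
import struct
from ipaddress import IPv4Address

# Constructed addresses for the topology in the question (assumed values).
PC1 = "10.0.4.10"   # behind port4, answers with port unreachable
PC2 = "10.0.1.10"   # behind port1, sends the UDP probe to port 161

def ipv4_header(proto, src, dst, total_len):
    """Minimal 20-byte IPv4 header; checksum left as 0 (not verified here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def parse_ipv4(buf):
    """Return (protocol, src, dst, payload) from a raw IPv4 datagram."""
    ihl = (buf[0] & 0x0F) * 4
    return buf[9], str(IPv4Address(buf[12:16])), str(IPv4Address(buf[16:20])), buf[ihl:]

def quoted_flow(packet):
    """For an ICMP type 3 code 3 datagram, return the UDP 5-tuple it quotes, else None."""
    proto, _src, _dst, payload = parse_ipv4(packet)
    if proto != 1 or len(payload) < 8 or (payload[0], payload[1]) != (3, 3):
        return None
    # RFC 792: after type/code/checksum/unused comes the original IP header + 8 bytes of its payload.
    in_proto, in_src, in_dst, in_payload = parse_ipv4(payload[8:])
    if in_proto != 17 or len(in_payload) < 4:
        return None
    sport, dport = struct.unpack("!HH", in_payload[:4])
    return ("udp", in_src, sport, in_dst, dport)

def matches_session(packet, sessions):
    """True when the ICMP error refers to a flow already present in the session table."""
    return quoted_flow(packet) in sessions

# Constructed sample traffic: PC2 probes PC1 on udp/161, PC1 answers with port unreachable.
ORIG_UDP = ipv4_header(17, PC2, PC1, 28) + struct.pack("!HHHH", 51000, 161, 8, 0)
UNREACH = ipv4_header(1, PC1, PC2, 28 + len(ORIG_UDP)) + struct.pack("!BBHI", 3, 3, 0, 0) + ORIG_UDP
SESSIONS = {("udp", PC2, 51000, PC1, 161)}   # the session the probe opened on the firewall

# Same error, but quoting a probe the firewall never saw (source port 51001): no session to match.
STRAY_UDP = ipv4_header(17, PC2, PC1, 28) + struct.pack("!HHHH", 51001, 161, 8, 0)
STRAY_UNREACH = ipv4_header(1, PC1, PC2, 28 + len(STRAY_UDP)) + struct.pack("!BBHI", 3, 3, 0, 0) + STRAY_UDP

if __name__ == "__main__":
    print(matches_session(UNREACH, SESSIONS))        # True: forwarded as part of the existing session
    print(matches_session(STRAY_UNREACH, SESSIONS))  # False: no session, so a policy lookup applies
```

The first case is exactly why the deny policy from port4 to port1 never sees the packet; the second is the only shape of traffic that policy could ever match.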
But if you blocked udp/161, wouldn't the ICMP messages stop then? Depends on which device generates the message, and I think it's the second PC which refuses requests to udp/161 and replies with "port unreachable".
I agree with the latter response (ede).
I believe you have another means for dropping these ICMP types (via an IPS custom signature), but controlling the traffic flow via the firewall policy is the correct and smart way and kills the problem at the root.
Ken
PCNSE
NSE
StrongSwan
