Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- ICMP exceeded routing problem
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ICMP exceeded routing problem
IF this 1st post is not clear, please go to network diagram below
Hello,
I would like to understand a strange behaviour that occured on fortigate (version 4.0 & 4.0 MR2) :
In my infrastructure I do have a router which is routing in static mode a public subnet (let' s call it SUB1) to my fortigate. On this fortigate I have configure several VIP. My DG is the router.
For normal trafic (http ftp request...) if the requested IP is in SUB1 but not configured as a VIP, the firewall doesn' t answer the request and drop the packet.
What gives me problem is the behaviour that I have found for ICMP code 11 TTL exceeded. Indeed if someone " steal" an unused IP address of SUB1 as its source IP to reach IPX and that the TTL of the packet expires in transit, an answer is sent back to my fortigate.
When receiving an ICMP ttl exceeded packet for a destination to SUB1 (not used as a VIP), the fortigate doesn' t drop the packet, but send it back to my router (using it' s default gateway), and then the router resend it back to the firewall and so on.
Does someone know if there is a way to avoid this behaviour (and simply drop the packet)
Thanks
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
- « Previous
-
- 1
- 2
- Next »
13 REPLIES 13
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello !
So the returning TTL expired messages ( icmp type11 ) is coming to your FGT, and it' s doing it' s job by dropping this trafficThat is what I would expect, but no, the fortigate doesn' t drop this particular type of trafic nut returns it to its default gateway (the router). For all other type of trafic I' ve tested (tcp / udp / icmp other types), the fortigate indeed drop trafic.
1> ( the most easiest ), is to enable unicast verification aka RPF checksEnabling unicast verification at the router would not solve this problem, as the incoming packet is coming from IP 15.15.15.15 to IP 92.92.92.90 and is (and will always be) a right formed packet at the router level. With ACL on my router I can drop icmp type11 packets but this would mean that traceroute would not work any longer. If the fortigate isn' t able to drop these packets I should maybe think of it
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@nicovpp:
I would file a support case with Fortinet to make them aware of this. IMHO it' s a bug, and if Fortinet thinks it' s not it would be interesting to hear why not.
@emnoc:
I still think that the border router at the remote ISP should implement RPF. I estimate that a huge portion of these routers are Cisco models, and you showed how easy it is to implement RPF. Of course it' s not mandatory to filter but it' s a best practise to quench fake source address exploits.
And as this special kind of traffic generates senseless round-trip traffic on the customer' s side it would be reasonable to implement RPF.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Done :)
I have opened a ticket at support and will keep you informed about the resolution
Thanks for your answers
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Enabling unicast verification at the router would not solve this problem, as the incoming packet is coming from IP 15.15.15.15 to IP 92.92.92.90 and is (and will always be) a right formed packet at the router level. With ACL on my router I can drop icmp type11 packets but this would mean that traceroute would not work any longer. If the fortigate isn' t able to drop these packets I should maybe think of itSo if that' s the case, than what is your concern? The firewall is doing it' s job and will maintain state. You should not need to enable icmp diagnostic packets imho.
I still think that the border router at the remote ISP should implement RPF. I estimate that a huge portion of these routers are Cisco models, and you showed how easy it is to implement RPF. Of course it' s not mandatory to filter but it' s a best practise to quench fake source address exploits. And as this special kind of traffic generates senseless round-trip traffic on the customer' s side it would be reasonable to implement RPF.best practices and what really happens, is a far stretch at best. If all CE devices supported rpf checks and implemented them, then the internet would be way much safer and intentional or un-intentional leakage would not happen. But that is not going to happen in today' s internet and nor would I expect the ISP to enable RPF checks for validation of source address [:' (]
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,706 -
FortiClient
1,766 -
5.2
801 -
FortiManager
729 -
5.4
639 -
FortiAnalyzer
558 -
FortiSwitch
475 -
FortiAP
473 -
FortiClient EMS
434 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
246 -
FortiAuthenticator v5.5
234 -
IPsec
210 -
FortiWeb
205 -
5.0
196 -
FortiNAC
190 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
104 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
97 -
FortiToken
92 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
FortiGate-VM
13 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1713 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.