FortiGate
JohnDevNet_FTNT
Article Id 198040

Description

 
This article describes how to allow the ping service on an interface from a single source IP only. It is sometimes necessary to answer ping on an interface, but doing so for every source exposes the FortiGate to reconnaissance and ICMP flooding, which is undesirable, especially on WAN interfaces that connect to the Internet.
 
Scope
 
FortiGate.


Solution

 
Below is a configuration example to permit pings from IP 192.168.157.80 and to block pings from any other source.
 
  1. Configure the WAN1 interface to permit management protocols, including ping. Only enable the protocols that are actually needed on a WAN interface; HTTP and Telnet are cleartext and appear below only because this example permits them:
 
config system interface
    edit "wan1"
        set ip 192.168.157.78 255.255.255.0
        set allowaccess ping https ssh http telnet
    next
end
 
Alternatively, configure this in the GUI as follows (screenshot: Wan1.PNG).
 
  2. Create Firewall Address Objects for the IP that will be permitted and for the WAN1 interface IP:
 
config firewall address
    edit "PING-ALLOWED"
        set associated-interface "wan1"
        set subnet 192.168.157.80 255.255.255.255
    next
    edit "IP-WAN1"
        set associated-interface "wan1"
        set subnet 192.168.157.78 255.255.255.255
    next
end
 
Alternatively, configure this in the GUI as follows (screenshots: Firewall Address.PNG, Firewall Address1.PNG).
 
  3. Create the firewall local-in policies.

    A local-in-policy can only be created via the CLI. The feature can be made visible in the GUI under Feature Visibility, but only for viewing: it cannot be edited there. Local-in policies are evaluated in the order listed, so the accept policy for the permitted host must precede the catch-all deny. Note that ALL_ICMP matches every ICMP type sent to the FortiGate's own address, not only echo requests; to restrict ping alone, use the built-in PING service (ICMP type 8) in both policies instead of ALL_ICMP.

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "PING-ALLOWED"
        set dstaddr "IP-WAN1"
        set action accept
        set service "ALL_ICMP"
        set schedule "always"
        set auto-asic-offload disable
    next
     edit 10
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "ALL_ICMP"
        set schedule "always"
        set auto-asic-offload disable
        set status enable
    next
end

(Screenshot: feature visibility.PNG)

 

  4. Run a sniffer with the filter 'host 192.168.157.80 and icmp' and confirm that every echo request from the permitted host is answered. In the capture below the FortiGate's WAN1 address was 192.168.157.77; substitute the WAN1 address of the unit being tested:

diag sniffer packet any 'host 192.168.157.80 and icmp' 4
interfaces=[any]
filters=[host 192.168.157.80 and icmp]
17.815713 wan1 in 192.168.157.80 -> 192.168.157.77: icmp: echo request
17.815858 wan1 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply
18.822895 wan1 in 192.168.157.80 -> 192.168.157.77: icmp: echo request
18.822955 wan1 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply
19.831082 wan1 in 192.168.157.80 -> 192.168.157.77: icmp: echo request
19.831150 wan1 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply
48.692297 wan1 in 192.168.157.80 -> 192.168.157.77: icmp: echo request
48.692368 wan1 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply

 
  5. Run a sniffer for any ICMP packet and confirm that the FortiGate sends no echo reply to any other source (192.168.157.207 in the capture below). The port-unreachable message from 208.91.112.53 is an inbound ICMP error received by the FortiGate, not a reply sent by it:

diag sniffer packet any 'icmp' 4
interfaces=[any]
filters=[icmp]
17.806037 wan1 in 192.168.157.207 -> 192.168.157.77: icmp: echo request
20.586094 wan1 in 208.91.112.53 -> 192.168.157.77: icmp: 208.91.112.53 udp port 53 unreachable
22.353097 wan1 in 192.168.157.207 -> 192.168.157.77: icmp: echo request
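Reading the two captures by eye works for a handful of lines, but not for a longer run. The following is an added example, not code from the article or from Fortinet: a small Python checker that parses verbosity-4 `diag sniffer packet` output and reports whether the local-in policies behave as intended, namely that the permitted host gets an echo reply for each echo request and that no other host gets one. The sample capture is constructed from the lines shown above, with the FortiGate at 192.168.157.77 and the permitted host at 192.168.157.80; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the two captures from the article concatenated.
# The FortiGate WAN1 address in these captures is 192.168.157.77.
SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[icmp]
17.815713 wan1 in 192.168.157.80 -> 192.168.157.77: icmp: echo request
17.815858 wan1 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply
18.822895 wan1 in 192.168.157.80 -> 192.168.157.77: icmp: echo request
18.822955 wan1 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply
19.831082 wan1 in 192.168.157.80 -> 192.168.157.77: icmp: echo request
19.831150 wan1 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply
48.692297 wan1 in 192.168.157.80 -> 192.168.157.77: icmp: echo request
48.692368 wan1 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply
17.806037 wan1 in 192.168.157.207 -> 192.168.157.77: icmp: echo request
20.586094 wan1 in 208.91.112.53 -> 192.168.157.77: icmp: 208.91.112.53 udp port 53 unreachable
22.353097 wan1 in 192.168.157.207 -> 192.168.157.77: icmp: echo request
"""

# One verbosity-4 ICMP line: timestamp, interface, direction, src -> dst, ICMP text.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+icmp:\s+(?P<info>.*)$"
)


def parse_sniffer(text):
    """Return a list of dicts, one per ICMP line. Header lines such as
    interfaces=[...] and filters=[...] do not match and are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(m.groupdict())
    return packets


def check_ping_policy(packets, fgt_ip, allowed, interface="wan1"):
    """Count echo requests to fgt_ip per source and echo replies from fgt_ip
    per destination on the given interface, then flag two kinds of violation:
      - the allowed host sent requests but got no reply (allowaccess missing
        or the accept policy not matching);
      - any other host got a reply (the deny policy not matching).
    Inbound ICMP errors such as port-unreachable are parsed but ignored here."""
    requests = defaultdict(int)
    replies = defaultdict(int)
    for p in packets:
        if p["intf"] != interface:
            continue
        if p["dir"] == "in" and p["dst"] == fgt_ip and p["info"] == "echo request":
            requests[p["src"]] += 1
        elif p["dir"] == "out" and p["src"] == fgt_ip and p["info"] == "echo reply":
            replies[p["dst"]] += 1

    violations = []
    for host, n in requests.items():
        answered = replies.get(host, 0)
        if host == allowed and answered == 0:
            violations.append(f"{host}: permitted host, {n} request(s) unanswered")
        elif host != allowed and answered > 0:
            violations.append(f"{host}: not permitted but received {answered} reply(ies)")
    return {
        "requests": dict(requests),
        "replies": dict(replies),
        "violations": violations,
    }


if __name__ == "__main__":
    result = check_ping_policy(parse_sniffer(SNIFFER_OUTPUT),
                               fgt_ip="192.168.157.77",
                               allowed="192.168.157.80")
    for host, n in result["requests"].items():
        print(f"{host}: {n} request(s), {result['replies'].get(host, 0)} reply(ies)")
    print("OK" if not result["violations"] else "\n".join(result["violations"]))
```

In practice, pipe the output of `diag sniffer packet any 'icmp' 4` into a file on a management host, run the checker with the FortiGate's real WAN1 address, and treat any violation as a sign that the accept policy, the deny policy, or the allowaccess setting is not doing what step 3 intended.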