ijeremic
Staff
Article Id 210223

Description

 

When ICMP Destination Unreachable messages (Type 3) must be blocked for security reasons (for example, to mitigate a BlackNurse attack), a FortiGate administrator can use an interface-policy with custom IPS signatures to block ICMP Type 3 messages.

This article describes how to configure FortiGate to filter ICMP Type 3 messages. In this example, codes 0, 1, 3 and 4 are blocked:


Type 3 Code 0 - Destination Unreachable Network Unreachable
Type 3 Code 1 - Destination Unreachable Host Unreachable
Type 3 Code 3 - Destination Unreachable Port Unreachable

Type 3 Code 4 - Destination Unreachable Fragmentation Needed and Don't Fragment was Set

 

Scope

 

All FortiGate.

 

Topology and Prerequisite:

[Topology diagram: KB Picture 1 Topology.png]

 

- FGT1 and FGT2 allow communication between client network 192.168.11.0/24 and remote network 14.14.14.0/24.
- FGT2 has static blackhole route for the prefix 14.14.14.0/24.
- FGT1 has a static route for the prefix 14.14.14.0/24 pointing to FGT2 as the next-hop.
- FGT2 should block the Type 3 messages generated in response to every echo-request sent by the client PC 192.168.11.15 toward a host in the 14.14.14.0/24 subnet.

 

Solution

 

1) Configuring custom IPS signatures for Type 3 Code 0, Type 3 Code 1, Type 3 Code 3 and Type 3 Code 4:


Custom signature syntax:


F-SBID( --<option1> [<value1>]; --<option2> [<value2>];...)

 

F-SBID( --name "ICMP.type_3,code_0.Custom"; --protocol ICMP; --icmp_type 3; --icmp_code 0; )
F-SBID( --name "ICMP.type_3,code_1.Custom"; --protocol ICMP; --icmp_type 3; --icmp_code 1; )
F-SBID( --name "ICMP.type_3,code_3.Custom"; --protocol ICMP; --icmp_type 3; --icmp_code 3; )
F-SBID( --name "ICMP.type_3,code_4.Custom"; --protocol ICMP; --icmp_type 3; --icmp_code 4; )

 

 

FGT2 # config ips custom
FGT2 (custom) # edit Type3Code0
FGT2 (Type3Code0) # set signature "F-SBID( --name "ICMP.type_3,code_0.Custom"; --protocol ICMP; --icmp_type 3; --icmp_code 0; )"
FGT2 (Type3Code0) # set action block
FGT2 (Type3Code0) # next
FGT2 (custom) # edit Type3Code1
FGT2 (Type3Code1) # set signature "F-SBID( --name "ICMP.type_3,code_1.Custom"; --protocol ICMP; --icmp_type 3; --icmp_code 1; )"
FGT2 (Type3Code1) # set action block
FGT2 (Type3Code1) # next
FGT2 (custom) # edit Type3Code3
FGT2 (Type3Code3) # set signature "F-SBID( --name "ICMP.type_3,code_3.Custom"; --protocol ICMP; --icmp_type 3; --icmp_code 3; )"
FGT2 (Type3Code3) # set action block
FGT2 (Type3Code3) # next
FGT2 (custom) # edit Type3Code4
FGT2 (Type3Code4) # set signature "F-SBID( --name "ICMP.type_3,code_4.Custom"; --protocol ICMP; --icmp_type 3; --icmp_code 4; )"
FGT2 (Type3Code4) # set action block
FGT2 (Type3Code4) # next
FGT2 (custom) # end

 

FGT2 # config ips custom
FGT2 (custom) # show
config ips custom
    edit "Type3Code0"
        set signature "F-SBID( --attack_id 4931; --name ICMP.type_3,code_0.Custom; --protocol ICMP; --icmp_type 3; --icmp_code 0; )"
        set action block
        set comment ''
    next
    edit "Type3Code1"
        set signature "F-SBID( --attack_id 1771; --name ICMP.type_3,code_1.Custom; --protocol ICMP; --icmp_type 3; --icmp_code 1; )"
        set action block
        set comment ''
    next
    edit "Type3Code3"
        set signature "F-SBID( --attack_id 2315; --name ICMP.type_3,code_3.Custom; --protocol ICMP; --icmp_type 3; --icmp_code 3; )"
        set action block
        set comment ''
    next
    edit "Type3Code4"
        set signature "F-SBID( --attack_id 2316; --name ICMP.type_3,code_4.Custom; --protocol ICMP; --icmp_type 3; --icmp_code 4; )"
        set action block
        set comment ''
    next
end

 

2) Configuring the IPS sensor (the rule IDs under 'set rule' are the attack_id values assigned to the custom signatures shown above):

 

FGT2 (ICMP_Type3_Profile) # show
config ips sensor
    edit "ICMP_Type3_Profile"
        config entries
            edit 1
                set rule 4931 1771 2315 2316
                set status enable
                set log-packet enable
                set action block
            next
        end
    next
end

 

3) Configuring interface-policy and applying policy to the FGT2’s interface facing FGT1:

 

FGT2 (interface-policy) # show
config firewall interface-policy
    edit 1
        set interface port3
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL_ICMP"
        set ips-sensor-status enable
        set ips-sensor "ICMP_Type3_Profile"
    next
end
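As an added example (not code from the article or from Fortinet), the Python helper below parses an F-SBID custom-signature string into its option/value pairs, rejects a misplaced ';' (for example an --icmp_code value written after the terminator), and generates the 'config ips custom' block for a list of Type 3 codes using the object and signature names used in step 1. The function names and the range check on type/code are my own assumptions.

```python
import re

_FSBID = re.compile(r"\s*F-SBID\(\s*(.*?)\s*\)\s*", re.S)
_FIELD = re.compile(r"--(\w+)(?:\s+(\S.*))?")


def parse_fsbid(signature):
    """Parse 'F-SBID( --opt [value]; ... )' into {option: value}; each field
    must be '--option [value]' terminated by ';', so a misplaced ';' that
    leaves a bare token such as '4' raises ValueError."""
    m = _FSBID.fullmatch(signature)
    if not m:
        raise ValueError("not an F-SBID( ... ) signature")
    opts = {}
    for field in filter(None, (f.strip() for f in m.group(1).split(";"))):
        fm = _FIELD.fullmatch(field)
        if not fm:
            raise ValueError(f"malformed option field: {field!r}")
        opts[fm.group(1)] = (fm.group(2) or "").strip().strip('"')
    return opts


def icmp_type_code(signature):
    """Return (icmp_type, icmp_code) for a well-formed ICMP signature, or None
    when it is malformed, not ICMP, or the type/code are missing or out of range."""
    try:
        opts = parse_fsbid(signature)
        t, c = int(opts["icmp_type"]), int(opts["icmp_code"])
    except (ValueError, KeyError):
        return None
    if opts.get("protocol", "").upper() != "ICMP" or not (0 <= t <= 255 and 0 <= c <= 255):
        return None
    return t, c


def build_ips_custom(codes, icmp_type=3):
    """Emit the 'config ips custom' block using the article's object and
    signature names, checking that each signature parses back correctly."""
    lines = ["config ips custom"]
    for code in codes:
        sig = (f'F-SBID( --name "ICMP.type_{icmp_type},code_{code}.Custom"; '
               f"--protocol ICMP; --icmp_type {icmp_type}; --icmp_code {code}; )")
        if icmp_type_code(sig) != (icmp_type, code):
            raise ValueError(f"generated signature failed validation: {sig}")
        lines += [f'    edit "Type{icmp_type}Code{code}"',
                  f'        set signature "{sig}"',
                  "        set action block", "    next"]
    lines.append("end")
    return "\n".join(lines)
```

Running build_ips_custom([0, 1, 3, 4]) reproduces the four objects from step 1 (without the attack_id values, which the FortiGate assigns on commit).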

 

Verification

 

Before applying firewall interface-policy:

 

root@client:~# ping 14.14.14.14
PING 14.14.14.14 (14.14.14.14) 56(84) bytes of data.
From 20.20.20.20 icmp_seq=1 Destination Net Unreachable
From 20.20.20.20 icmp_seq=2 Destination Net Unreachable
From 20.20.20.20 icmp_seq=3 Destination Net Unreachable
From 20.20.20.20 icmp_seq=4 Destination Net Unreachable

 

FGT2 # diagnose sniffer packet any "icmp" 4
interfaces=[any]
filters=[icmp]
4.285542 port3 in 192.168.11.15 -> 14.14.14.14: icmp: echo request
4.285671 port3 out 20.20.20.20 -> 192.168.11.15: icmp: net 14.14.14.14 unreachable
5.286351 port3 in 192.168.11.15 -> 14.14.14.14: icmp: echo request
5.286471 port3 out 20.20.20.20 -> 192.168.11.15: icmp: net 14.14.14.14 unreachable
6.287305 port3 in 192.168.11.15 -> 14.14.14.14: icmp: echo request
6.287385 port3 out 20.20.20.20 -> 192.168.11.15: icmp: net 14.14.14.14 unreachable
7.289002 port3 in 192.168.11.15 -> 14.14.14.14: icmp: echo request
7.289060 port3 out 20.20.20.20 -> 192.168.11.15: icmp: net 14.14.14.14 unreachable

 

After applying firewall interface-policy:

 

root@client:~# ping 14.14.14.14
PING 14.14.14.14 (14.14.14.14) 56(84) bytes of data.
^C
--- 14.14.14.14 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 6142ms

 

FGT2 # diagnose sniffer packet any "icmp" 4
interfaces=[any]
filters=[icmp]
11.673391 port3 in 192.168.11.15 -> 14.14.14.14: icmp: echo request
12.694983 port3 in 192.168.11.15 -> 14.14.14.14: icmp: echo request
13.719047 port3 in 192.168.11.15 -> 14.14.14.14: icmp: echo request
14.743034 port3 in 192.168.11.15 -> 14.14.14.14: icmp: echo request

 

To verify in the GUI, go to Log & Report -> Intrusion Prevention:

 

[Screenshot of the Intrusion Prevention log: Kb Picture 2.png]