Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Zhuo
New Contributor III

Created on ‎04-15-2024 06:50 PM

Blocks ICMP Error Reporting Packets

How Fortinet Blocks ICMP Error Reporting Packets

 

thanks.

Labels:
211
0 Kudos
1 Solution
Zhuo
New Contributor III
In response to ebilcari

Created on ‎04-16-2024 01:05 AM

The test topology is as follows:

96a159f74070bacb821244bcbd8a72a.png

The L3 layer switch will tell the fortigate Unreachable, and what we have to do is not to interfere with the L3 layer switch sending the packet to the fortigate. We need to reject the Unreachable packet in the fortigate (equivalent to forwarding traffic).

 

I have tested the results. Firewall ACL is used in fortigate to prevent Unreachable from being sent to the client. Note: It is not a firewall policy, but a firewall ACL. Just define the icmp service type3 code1.

Zhuo_2-1713254718111.png

 

 

View solution in original post

165
4 REPLIES 4
ebilcari
Staff
Staff

Created on ‎04-16-2024 12:37 AM

You can check this article that covers this topic more in detail.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
178
Zhuo
New Contributor III
In response to ebilcari

Created on ‎04-16-2024 01:05 AM

The test topology is as follows:

96a159f74070bacb821244bcbd8a72a.png

The L3 layer switch will tell the fortigate Unreachable, and what we have to do is not to interfere with the L3 layer switch sending the packet to the fortigate. We need to reject the Unreachable packet in the fortigate (equivalent to forwarding traffic).

 

I have tested the results. Firewall ACL is used in fortigate to prevent Unreachable from being sent to the client. Note: It is not a firewall policy, but a firewall ACL. Just define the icmp service type3 code1.

Zhuo_2-1713254718111.png

 

 

166
ebilcari
Staff
Staff
In response to Zhuo

Created on ‎04-16-2024 02:15 AM Edited on ‎04-16-2024 02:18 AM

Thanks for sharing your findings. This looks like another elegant way of achieving the same result using a custom service and ACL:

icmp-type.png

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
144
Zhuo
New Contributor III

Created on ‎04-16-2024 01:04 AM

The test topology is as follows:

 

The L3 layer switch will tell the fortigate Unreachable, and what we have to do is not to interfere with the L3 layer switch sending the packet to the fortigate. We need to reject the Unreachable packet in the fortigate (equivalent to forwarding traffic).

 

I have tested the results. Firewall ACL is used in fortigate to prevent Unreachable from being sent to the client. Note: It is not a firewall policy, but a firewall ACL. Just define the icmp service type3 code1.

1713254284649.png

 
167
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.