https://kb.fortinet.com/kb/documentLink.do?externalID=FD38540
Applies to: FortiGate v5.0 | FortiGate v5.2
Sometimes it is necessary to allow the PING service on an interface, but enabling it in the interface's allowaccess list opens it to every source. This is usually undesirable, especially on WAN interfaces that face the Internet.

The configuration example below permits ping from the single host 192.168.157.80 and blocks ping from any other source, using local-in policies. Local-in policies only apply to traffic destined to the FortiGate itself (not to traffic passing through it), and they are evaluated top-down with the first match winning, so the permit rule must have a lower ID than the deny rule.

1. Configure interface WAN1 to permit management protocols, including ping.
config system interface
edit "wan1"
set ip 192.168.157.78 255.255.255.0
set allowaccess ping https ssh http telnet
next
end

Ping must remain in allowaccess; the local-in policy restricts who may use the service, it does not enable it. The other protocols in this list are only what the lab unit had enabled. On a real WAN interface, leave plaintext HTTP and telnet out of allowaccess and restrict the remaining management protocols with the same local-in approach.

2. Create firewall address objects for the permitted source IP and for the WAN1 interface IP.
config firewall address
edit "PING-ALLOWED"
set associated-interface "wan1"
set subnet 192.168.157.80 255.255.255.255
next
edit "IP-WAN1"
set associated-interface "wan1"
set subnet 192.168.157.78 255.255.255.255
next
end

3. Create the firewall local-in policies.
config firewall local-in-policy
edit 1
set intf "wan1"
set srcaddr "PING-ALLOWED"
set dstaddr "IP-WAN1"
set action accept
set service "ALL_ICMP"
set schedule "always"
set auto-asic-offload disable
next
edit 10
set intf "wan1"
set srcaddr "all"
set dstaddr "all"
set action deny
set service "ALL_ICMP"
set schedule "always"
set auto-asic-offload disable
set status enable
next
end

Policy 10 drops every ICMP type sent to the FortiGate itself on wan1, not only echo requests; the "udp port 53 unreachable" message in the step 5 capture is an example of what it discards. If the unit needs to receive destination-unreachable or fragmentation-needed messages on wan1, use the predefined PING service in policy 10 instead of ALL_ICMP, so that only echo requests are blocked.

4. Run the packet sniffer with the filter "host 192.168.157.80 and icmp" and confirm that echo requests from the permitted host are answered. Interface names are case-sensitive; the sample output below was captured with interface any. Note also that the interface address seen in this capture (192.168.157.77) differs from the 192.168.157.78 configured in step 1; substitute your own wan1 address when reading the output.
FGT-JDR-01 # diag sniffer packet WAN1 'host 192.168.157.80 and icmp' 4
interfaces=[any]
filters=[host 192.168.157.80 and icmp]
17.815713 wan1 in 192.168.157.80 -> 192.168.157.77: icmp: echo request
17.815858 wan1 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply
18.822895 wan1 in 192.168.157.80 -> 192.168.157.77: icmp: echo request
18.822955 wan1 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply
19.831082 wan1 in 192.168.157.80 -> 192.168.157.77: icmp: echo request
19.831150 wan1 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply
48.692297 wan1 in 192.168.157.80 -> 192.168.157.77: icmp: echo request
48.692368 wan1 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply

5. Run the packet sniffer for any ICMP packet on interface WAN1. Confirm that echo requests from other sources (here 192.168.157.207) arrive but that no echo replies are sent by the FortiGate.
FGT-JDR-01 # diag sniffer packet any 'icmp' 4
interfaces=[any]
filters=[icmp]
17.806037 wan1 in 192.168.157.207 -> 192.168.157.77: icmp: echo request
20.586094 wan1 in 208.91.112.53 -> 192.168.157.77: icmp: 208.91.112.53 udp port 53 unreachable
22.353097 wan1 in 192.168.157.207 -> 192.168.157.77: icmp: echo request
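The two captures above can be checked mechanically rather than by eye. The following Python script is an added example, not part of the original Fortinet article or of FortiOS: it parses verbosity-4 `diag sniffer packet` output, counts echo requests per source and echo replies per destination on the given interface, and reports any reply sent to a host outside the allowed list (policy 10 not working), any allowed host that got no reply (policy 1 not matching), and the sources that were correctly dropped. The embedded capture is the output from steps 4 and 5 of this article; the function and variable names are the example's own.

```python
import re
from collections import Counter

# One line of 'diag sniffer packet <intf> '<filter>' 4' output. Verbosity 4
# prints the interface name and direction (in/out) before the addresses.
SNIFFER_LINE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+):\s+"
    r"icmp:\s+(?P<msg>.*)$"
)

# Capture copied from steps 4 and 5 of the article (permitted host .80,
# non-permitted host .207, plus one unrelated port-unreachable message).
CAPTURE = "\n".join([
    "17.815713 wan1 in 192.168.157.80 -> 192.168.157.77: icmp: echo request",
    "17.815858 wan1 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply",
    "18.822895 wan1 in 192.168.157.80 -> 192.168.157.77: icmp: echo request",
    "18.822955 wan1 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply",
    "19.831082 wan1 in 192.168.157.80 -> 192.168.157.77: icmp: echo request",
    "19.831150 wan1 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply",
    "48.692297 wan1 in 192.168.157.80 -> 192.168.157.77: icmp: echo request",
    "48.692368 wan1 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply",
    "17.806037 wan1 in 192.168.157.207 -> 192.168.157.77: icmp: echo request",
    "20.586094 wan1 in 208.91.112.53 -> 192.168.157.77: icmp: 208.91.112.53 udp port 53 unreachable",
    "22.353097 wan1 in 192.168.157.207 -> 192.168.157.77: icmp: echo request",
])


def parse_sniffer(text):
    """Return one dict per ICMP line in a sniffer capture; other lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = SNIFFER_LINE.match(line)
        if m:
            packets.append(m.groupdict())
    return packets


def audit_ping_policy(text, allowed_sources, interface="wan1"):
    """Check that the FortiGate answers echo requests only from allowed_sources.

    Returns a dict with sorted lists:
      violations - hosts that received an echo reply although they are not allowed
      unanswered - allowed hosts whose echo requests got no reply at all
      blocked    - non-allowed hosts whose echo requests were (correctly) not answered
    Only echo request/reply lines on `interface` are considered; other ICMP
    types (e.g. port unreachable) are ignored by this check.
    """
    pkts = [p for p in parse_sniffer(text) if p["intf"] == interface]
    requests = Counter(p["src"] for p in pkts
                       if p["dir"] == "in" and p["msg"] == "echo request")
    replies = Counter(p["dst"] for p in pkts
                      if p["dir"] == "out" and p["msg"] == "echo reply")
    allowed = set(allowed_sources)
    return {
        "violations": sorted(h for h in replies if h not in allowed),
        "unanswered": sorted(h for h in requests if h in allowed and replies[h] == 0),
        "blocked": sorted(h for h in requests if h not in allowed and replies[h] == 0),
    }


if __name__ == "__main__":
    result = audit_ping_policy(CAPTURE, ["192.168.157.80"])
    for key, hosts in result.items():
        print(f"{key:10s}: {', '.join(hosts) or '-'}")
```

Against the article's capture the script reports no violations, no unanswered allowed hosts, and 192.168.157.207 as blocked. To reuse it on your own unit, paste the sniffer output into `CAPTURE` (or read it from a file) and put the contents of the PING-ALLOWED object in the allowed list; a non-empty `violations` list means policy 10 is not catching everything, typically because it sits above the accept rule or is disabled.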