https://kb.fortinet.com/kb/documentLink.do?externalID=FD38540

Technical Note: Allow PING from specific IP for Administrative purpose
Products
FortiGate v5.0
FortiGate v5.2
Description
Sometimes it is necessary to allow the PING service on an interface, but doing so allows it for everyone. This may not be desirable, especially for WAN interfaces that connect to the Internet.
Solution
Configuration example to permit ping from IP 192.168.157.80 and to block ping from any other source.

1. Configure interface WAN1 to permit management protocols, including ping

config system interface
    edit "wan1"
        set ip 192.168.157.78 255.255.255.0
        set allowaccess ping https ssh http telnet
    next
end

2. Create firewall address objects for the permitted IP and for the WAN1 interface IP

config firewall address
    edit "PING-ALLOWED"
        set associated-interface "wan1"
        set subnet 192.168.157.80 255.255.255.255
    next
    edit "IP-WAN1"
        set associated-interface "wan1"
        set subnet 192.168.157.78 255.255.255.255
    next
end

3. Create the firewall local-in policies

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "PING-ALLOWED"
        set dstaddr "IP-WAN1"
        set action accept
        set service "ALL_ICMP"
        set schedule "always"
        set auto-asic-offload disable
    next
    edit 10
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "ALL_ICMP"
        set schedule "always"
        set auto-asic-offload disable
        set status enable
    next
end

4. Run the packet sniffer filtered on host 192.168.157.80 and ICMP

FGT-JDR-01 # diag sniffer packet WAN1 'host 192.168.157.80 and icmp' 4
interfaces=[any]
filters=[host 192.168.157.80 and icmp]
17.815713 wan1 in 192.168.157.80 -> 192.168.157.77: icmp: echo request
17.815858 wan1 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply
18.822895 wan1 in 192.168.157.80 -> 192.168.157.77: icmp: echo request
18.822955 wan1 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply
19.831082 wan1 in 192.168.157.80 -> 192.168.157.77: icmp: echo request
19.831150 wan1 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply
48.692297 wan1 in 192.168.157.80 -> 192.168.157.77: icmp: echo request
48.692368 wan1 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply

5. Run sniffer packet for any ICMP packet on interface WAN1. Confirm that no ICMP replies are sent by the FortiGate.

FGT-JDR-01 # diag sniffer packet any 'icmp' 4
interfaces=[any]
filters=[icmp]
17.806037 wan1 in 192.168.157.207 -> 192.168.157.77: icmp: echo request
20.586094 wan1 in 208.91.112.53 -> 192.168.157.77: icmp: 208.91.112.53 udp port 53 unreachable
22.353097 wan1 in 192.168.157.207 -> 192.168.157.77: icmp: echo request
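
The checks in steps 4 and 5 can be run automatically over saved sniffer output. The following Python is an added example, not part of the original note: the function name `audit_icmp` and the sample capture are constructed for illustration, and it assumes the verbosity-4 line format shown in the captures above.

```python
import re
from collections import Counter

# Verbosity-4 line format as shown in the captures above:
#   <time> <iface> <in|out> <src> -> <dst>: icmp: <detail>
LINE_RE = re.compile(
    r"^\d+\.\d+\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+icmp:\s+(?P<detail>.+)$"
)

def audit_icmp(capture, allowed, iface="wan1"):
    """Return (leaks, unanswered) for one sniffer capture.

    leaks:      peers outside `allowed` that were sent an echo reply
    unanswered: allowed peers with more echo requests than replies
    """
    allowed = set(allowed)
    requests, replies = Counter(), Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["iface"] != iface:
            continue  # banner lines and other interfaces
        if m["dir"] == "in" and m["detail"] == "echo request":
            requests[m["src"]] += 1
        elif m["dir"] == "out" and m["detail"] == "echo reply":
            replies[m["dst"]] += 1
        # other ICMP types (e.g. port unreachable) are not ping traffic
    leaks = sorted(p for p in replies if p not in allowed)
    unanswered = sorted(p for p in allowed if requests[p] > replies[p])
    return leaks, unanswered

# Constructed sample in the page's output format. The last line is a
# made-up reply to a non-allowed peer, the condition step 5 checks for.
SAMPLE = """\
interfaces=[any]
filters=[icmp]
17.815713 wan1 in 192.168.157.80 -> 192.168.157.77: icmp: echo request
17.815858 wan1 out 192.168.157.77 -> 192.168.157.80: icmp: echo reply
17.806037 wan1 in 192.168.157.207 -> 192.168.157.77: icmp: echo request
20.586094 wan1 in 208.91.112.53 -> 192.168.157.77: icmp: 208.91.112.53 udp port 53 unreachable
22.353097 wan1 out 192.168.157.77 -> 192.168.157.207: icmp: echo reply
"""

if __name__ == "__main__":
    print(audit_icmp(SAMPLE, {"192.168.157.80"}))
```

An empty `leaks` list together with an empty `unanswered` list corresponds to the expected result of steps 4 and 5.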