FortiGate
Article Id 193708
Description Preventing the public FortiGate interface from responding to ping requests.
Components
  • All FortiGate units
  • FortiOS 2.8
  • FortiOS 3.0
  • FortiOS 4.0
Steps or Commands

The factory default configuration of your FortiGate unit allows the default public interface to respond to ping requests. The default public interface is also called the default external interface, and is the interface of the FortiGate unit that is usually connected to the Internet. Depending on the model of your FortiGate unit the actual name of this interface will vary.

For the most secure operation, you should change the configuration of the external interface so that it does not respond to ping requests. Not responding to ping requests makes it more difficult for a potential attacker to detect your FortiGate unit from the Internet. One such potential threat is a Denial of Service (DoS) attack, such as a smurf attack, which is designed to overwhelm your network systems.

Depending on the FortiGate unit, the default public interface can be the external or WAN1 interface. In some FortiGate models the default external interface has a port number, such as Port 2. See the FortiGate QuickStart Guide or the FortiGate Installation Guide for your FortiGate model if you are not sure which interface is the default external interface.

A FortiGate unit responds to ping requests if ping administrative access is enabled for that interface. You can use the following procedures to disable ping access for the external interface of a FortiGate unit. You can use the same procedures for any FortiGate interface. You can also use the same procedure in NAT/Route or Transparent mode.

To disable ping administrative access from the web-based manager

  1. Log in to the FortiGate web-based manager.
  2. Go to System > Network > Interface.
  3. Choose the external interface and select Edit.
  4. Clear the Ping Administrative Access check box.
  5. Select OK to save the changes.

To disable ping administrative access from the FortiGate CLI

(Note: Only HTTPS access will be enabled.)

  1. Log in to the FortiGate CLI.
  2. Disable administrative access to the external interface. Enter:

    config system interface
        edit external
            set allowaccess https
    end
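
To check the result offline, the following added example (not part of the original article and not Fortinet tooling) parses the `config system interface` section of a saved configuration and reports which of the named interfaces still list ping in `allowaccess`. The sample configuration, the interface names other than `external`, and the function names are constructed for illustration.

```python
# Constructed sample in the layout of a FortiOS configuration backup (not from a real unit).
SAMPLE_CONFIG = '''\
config system interface
    edit "external"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "dmz"
    next
end
'''

def interface_access(config_text):
    """Map each interface in 'config system interface' to its allowaccess list."""
    result, depth, in_section, current = {}, 0, False, None
    for raw in config_text.splitlines():
        # Assumption: interface names contain no spaces, so whitespace splitting is enough.
        tokens = [t.strip('"') for t in raw.split()]
        if not tokens:
            continue
        if tokens[0] == "config":
            depth += 1
            if depth == 1:
                in_section = tokens[1:] == ["system", "interface"]
        elif tokens[0] == "end":
            depth -= 1  # a nested block's "end" only returns to depth 1
            if depth == 0:
                in_section, current = False, None
        elif in_section and depth == 1 and tokens[0] == "edit" and len(tokens) > 1:
            current = tokens[1]
            result[current] = []  # interface without an allowaccess line: empty list
        elif in_section and depth == 1 and current and tokens[:2] == ["set", "allowaccess"]:
            result[current] = tokens[2:]
    return result

def interfaces_answering_ping(config_text, names):
    """Of the named interfaces, return those that still allow ping."""
    access = interface_access(config_text)
    return [name for name in names if "ping" in access.get(name, [])]

if __name__ == "__main__":
    print(interfaces_answering_ping(SAMPLE_CONFIG, ["external"]))
```

Only top-level `set allowaccess` lines are read, so settings inside nested blocks do not affect the result for the interface's primary address.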