FortiGate
rmetzger
Staff
Article Id 192778

Description
Under some conditions, an IP packet cannot be delivered to its destination. ICMP error messages report the problem, and where it was encountered, back to the packet's source.

This article explains the FortiGate system behavior with regards to various ICMP message types.


Scope


Solution
The general behavior of the FortiGate firewall policy is the following:

  • ICMP messages of type ICMP_ECHO, ICMP_TIMESTAMP, ICMP_INFO_REQUEST and ICMP_ADDRESS require a firewall policy that allows (or blocks) them to be routed or forwarded by the FortiGate unit. If allowed, these packets create a new session.
    The reply to one of these ICMP informational messages can only pass through the FortiGate unit if a matching session is found. Otherwise, the packets are dropped.

  • ICMP error messages are processed implicitly: no firewall policy is needed, but only error messages that report an error for an existing session can pass through the firewall. Otherwise, the packets are dropped. Common error messages are:
    • Destination Unreachable Messages
    • Time Exceeded Messages
    • Redirect Messages
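
As an added worked example (not FortiGate code, and not part of the original article), the Python below models the rules above as a toy stateful filter: ICMP requests pass only if a policy matches and then create a session, replies pass only against an existing session, and ICMP error messages pass only if the datagram quoted inside them belongs to an existing session. It replays the two sniffer scenarios shown later in this article (addresses, ports and the policy are taken from there; 10.1.0.1 is the router that sends the net-unreachable message in the second trace) and then feeds in packets the rules drop. All packets are constructed inline, with IP, UDP and ICMP checksums left at zero and not verified.

```python
"""Toy stateful ICMP filter modelled on the FortiGate rules above (added example,
not FortiGate code). Packets are constructed inline; checksums are left at zero."""
import ipaddress
import struct

PROTO_ICMP, PROTO_UDP = 1, 17
# ICMP types (RFC 792)
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_REDIRECT, ICMP_ECHO, ICMP_TIME_EXCEEDED = 0, 3, 5, 8, 11
ICMP_TIMESTAMP, ICMP_TIMESTAMP_REPLY, ICMP_INFO_REQUEST, ICMP_INFO_REPLY = 13, 14, 15, 16
ICMP_ADDRESS, ICMP_ADDRESS_REPLY = 17, 18
REQUEST_TYPES = {ICMP_ECHO, ICMP_TIMESTAMP, ICMP_INFO_REQUEST, ICMP_ADDRESS}
REPLY_TYPES = {ICMP_ECHO_REPLY, ICMP_TIMESTAMP_REPLY, ICMP_INFO_REPLY, ICMP_ADDRESS_REPLY}
ERROR_TYPES = {ICMP_DEST_UNREACH, ICMP_REDIRECT, ICMP_TIME_EXCEEDED}

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def icmp(icmp_type, code, rest=b"\0\0\0\0", payload=b""):
    return struct.pack("!BBH", icmp_type, code, 0) + rest + payload

def icmp_error(icmp_type, code, offending):
    """RFC 792 error body: the offending datagram's IP header plus its first 8 bytes."""
    ihl = (offending[0] & 0x0F) * 4
    return icmp(icmp_type, code, payload=offending[:ihl + 8])

def parse_ipv4(pkt):
    """Return (src, dst, proto, layer-4 bytes), honouring IHL."""
    ihl = (pkt[0] & 0x0F) * 4
    return (str(ipaddress.ip_address(pkt[12:16])),
            str(ipaddress.ip_address(pkt[16:20])), pkt[9], pkt[ihl:])

def session_key(proto, src, dst, l4):
    """Five-tuple session key. For ICMP the identifier plays the port role on both
    ends, so reverse() of a request key matches the corresponding reply."""
    if proto in (6, PROTO_UDP):
        sport, dport = struct.unpack("!HH", l4[:4])
        return (proto, src, sport, dst, dport)
    if proto == PROTO_ICMP:
        ident = struct.unpack("!H", l4[4:6])[0]
        return (proto, src, ident, dst, ident)
    return (proto, src, 0, dst, 0)

def reverse(key):
    proto, src, sport, dst, dport = key
    return (proto, dst, dport, src, sport)

class StatefulFirewall:
    def __init__(self, policy):
        self.policy = policy      # callable(proto, src, dst, dport) -> bool
        self.sessions = set()

    def process(self, pkt):
        src, dst, proto, l4 = parse_ipv4(pkt)
        if proto != PROTO_ICMP or l4[0] in REQUEST_TYPES:
            # Regular traffic and ICMP requests: existing session first, else policy lookup.
            key = session_key(proto, src, dst, l4)
            if key in self.sessions or reverse(key) in self.sessions:
                return "accept: existing session"
            if self.policy(proto, src, dst, key[4]):
                self.sessions.add(key)
                return "accept: new session"
            return "drop: no policy match"
        icmp_type = l4[0]
        if icmp_type in REPLY_TYPES:
            ok = reverse(session_key(proto, src, dst, l4)) in self.sessions
            return "accept: reply to existing session" if ok else "drop: unsolicited reply"
        if icmp_type in ERROR_TYPES:
            # Implicit handling: look up the datagram quoted inside the error, not the error itself.
            inner = l4[8:]
            if len(inner) < 28:                    # need quoted IP header + 8 bytes of layer 4
                return "drop: truncated error"
            isrc, idst, iproto, il4 = parse_ipv4(inner)
            ok = session_key(iproto, isrc, idst, il4) in self.sessions
            return "accept: error for existing session" if ok else "drop: error for unknown session"
        return "drop: unhandled ICMP type"

INTERNAL = ipaddress.ip_network("10.160.0.0/23")

def tftp_policy(proto, src, dst, dport):
    """Policy 1 from the article: TFTP (UDP/69) from the internal subnet to anywhere."""
    return proto == PROTO_UDP and dport == 69 and ipaddress.ip_address(src) in INTERNAL

def run_scenarios():
    """Replays both sniffer scenarios, then three packets the rules drop."""
    fw = StatefulFirewall(tftp_policy)
    rrq = b"\0\1abc\0octet\0"                                     # 12-byte TFTP read request (udp 20 in the traces)
    pc1, pc2, rtr = "10.160.0.10", "192.168.182.132", "10.1.0.1"
    r = {}
    s1 = ipv4(pc1, pc2, PROTO_UDP, udp(1262, 69, rrq))           # Scenario 1: port 69 closed on PC2
    r["s1_request"] = fw.process(s1)
    r["s1_port_unreach"] = fw.process(ipv4(pc2, pc1, PROTO_ICMP, icmp_error(ICMP_DEST_UNREACH, 3, s1)))
    s2 = ipv4(pc1, "10.2.2.1", PROTO_UDP, udp(1287, 69, rrq))    # Scenario 2: network beyond Router1 unreachable
    r["s2_request"] = fw.process(s2)
    r["s2_net_unreach"] = fw.process(ipv4(rtr, pc1, PROTO_ICMP, icmp_error(ICMP_DEST_UNREACH, 0, s2)))
    never_sent = ipv4(pc1, pc2, PROTO_UDP, udp(5555, 69, rrq))   # constructed: no session ever existed for it
    r["stray_error"] = fw.process(ipv4(pc2, pc1, PROTO_ICMP, icmp_error(ICMP_DEST_UNREACH, 3, never_sent)))
    echo = struct.pack("!HH", 0x1234, 1)                           # identifier, sequence
    r["echo_request"] = fw.process(ipv4(pc1, pc2, PROTO_ICMP, icmp(ICMP_ECHO, 0, echo)))
    r["echo_reply"] = fw.process(ipv4(pc2, pc1, PROTO_ICMP, icmp(ICMP_ECHO_REPLY, 0, echo)))
    return r

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:18} {verdict}")
```

The point the error branch makes is that the FortiGate matches the session against the datagram quoted in the ICMP error, not against the error packet's own addresses: the port-unreachable and net-unreachable messages are accepted even though PC2 and 10.1.0.1 never had a policy of their own, while an error quoting a datagram that never created a session is dropped, as are the echo request (no policy allows it) and the unsolicited echo reply.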


    The examples below are based on the following scenario, in which the FortiGate unit operates in NAT mode and allows ICMP Destination Unreachable messages back to the source device:

          .10                  .106         .106             .110
    [ PC1 ] ------ internal---- [ FortiGate ] ---- wan1----- [ Router1 ]
                                                   |
                                                   +-------- [ PC2 ]
                                                              .132

                 10.160.0.0/23                     192.168.182.0/23


               
    The FortiGate unit has only one firewall policy, allowing TFTP from internal to wan1:

    FGT # show firewall policy
    config firewall policy
        edit 1
            set srcintf "internal"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "TFTP"
        next
    end
          


    • Scenario 1: PC1 tries to open a TFTP session to PC2, where UDP port 69 is not open. The sniffer trace below shows the ICMP port unreachable message sent back to the source through the FortiGate unit.

    FGT # diagnose sniffer packet any "host 10.160.0.10 or icmp" 4

    3.677808 internal in 10.160.0.10.1262 -> 192.168.182.132.69: udp 20
    3.677960 wan1 out 10.160.0.10.1262 -> 192.168.182.132.69: udp 20
    3.678465 wan1 in 192.168.182.132 -> 10.160.0.10: icmp: 192.168.182.132 udp port 69 unreachable
    3.678519 internal out 192.168.182.132 -> 10.160.0.10: icmp: 192.168.182.132 udp port 69 unreachable

                       
           
             
    • Scenario 2: PC1 tries to reach a destination beyond Router1 that is not reachable. The sniffer trace below shows the ICMP network unreachable message sent back to the source through the FortiGate unit.

    FGT # diagnose sniffer packet any "host 10.160.0.10 or icmp or port 69" 4

    2.234765 internal in 10.160.0.10.1287 -> 10.2.2.1.69: udp 20
    2.234908 wan1 out 10.160.0.10.1287 -> 10.2.2.1.69: udp 20
    2.235164 wan1 in 10.1.0.1 -> 10.160.0.10: icmp: net 10.2.2.1 unreachable
    2.235208 internal out 10.1.0.1 -> 10.160.0.10: icmp: net 10.2.2.1 unreachable


