FortiGate
ppatel
Staff
Article Id 198261
Description
Ping and tracert/traceroute are often used to monitor network connectivity.
Tracert/traceroute is a simple tool to show the pathway to a remote server.

However, intermittent timeouts may be seen when performing tracert/traceroute through a FortiGate.

Solution
This behavior is expected, as the FortiGate will only respond with one "TTL expired" packet per source per second.
Starting from the FortiOS 6.2.8/6.4.5/7.0.0 releases, the ICMP rate limit interval was changed from 1 second to 10 milliseconds.

Example

Source A sends an ECHO request with TTL = 1. When it reaches the FortiGate unit, the TTL is decremented to 0, so the FortiGate sends a "TTL expired" packet back to source A.  Source A then records the FortiGate IP address and marks it as the first hop in the tracert/traceroute output.  Source A then sends an ECHO request with TTL = 2, and so on.

The issue arises when source A sends multiple ECHO requests with TTL = 1 within one second.  A FortiGate running a release prior to 6.2.8/6.4.5/7.0.0 will only respond with one "TTL expired" packet per source IP per second, so the remaining probes appear as packet loss/timeouts because no "TTL expired" is sent by the FortiGate and received by source A.  This is by design, to protect the FortiGate from suspected DoS/reconnaissance attacks.

Therefore, this behavior can be observed when using network monitoring tools such as MTR, especially when multiple instances are running at the same time.  It is advisable to run the monitoring tool from multiple source IPs to avoid this issue.

In newer releases this limitation was relaxed, and the firewall will respond with at most 100 "ICMP TTL expired" errors per source per second.
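The following simulation is an added example, not FortiGate code or part of the original article. It models the per-source "TTL expired" rate limit described above as a simple last-reply timestamp per source IP, and shows what a traceroute-style probe sequence sees under the legacy 1-second interval versus the 10-millisecond interval, and why running monitors from separate source IPs avoids the apparent loss. The source addresses, probe spacing, reply gap and 5-second probe timeout are constructed assumptions chosen to resemble typical traceroute defaults.

```python
"""Model of a per-source rate limit on ICMP 'TTL expired' replies and its
effect on traceroute-style probes. Constructed example; it is not FortiGate
code, and the probe scheduling is a simplification of traceroute/tracert/MTR."""
from dataclasses import dataclass, field

LEGACY_INTERVAL = 1.0    # one reply per source per second (pre 6.2.8/6.4.5/7.0.0)
CURRENT_INTERVAL = 0.01  # one reply per source per 10 ms (later releases)


@dataclass
class TtlExpiredRateLimiter:
    """Answers at most one TTL-expired event per source IP per `interval` seconds.
    Each source is tracked independently, which is why spreading monitors
    across several source IPs avoids the apparent packet loss."""
    interval: float
    last_reply: dict = field(default_factory=dict)

    def should_reply(self, src_ip: str, now: float) -> bool:
        last = self.last_reply.get(src_ip)
        if last is None or now - last >= self.interval:
            self.last_reply[src_ip] = now
            return True
        return False


def probe_hop(limiter, src_ip, probes=3, reply_gap=0.01, timeout=5.0, start=0.0):
    """Sequential probing (classic traceroute/tracert): the next probe goes out
    `reply_gap` s after an answered probe, or `timeout` s after an unanswered one.
    Returns the per-probe outcomes and the time at which the hop finished."""
    t, outcomes = start, []
    for _ in range(probes):
        if limiter.should_reply(src_ip, t):
            outcomes.append("reply")
            t += reply_gap
        else:
            outcomes.append("timeout")   # shown as '*' by the tool
            t += timeout
    return outcomes, t


def probe_hop_parallel(limiter, src_ip, probes=3, spacing=0.05, start=0.0):
    """Probes sent back-to-back without waiting for replies (MTR, traceroute -N)."""
    return ["reply" if limiter.should_reply(src_ip, start + i * spacing) else "timeout"
            for i in range(probes)]


def legacy_sequential():
    # First probe answered, second dropped (inside the 1 s window), third
    # answered after the 5 s wait: the classic "x ms  *  x ms" hop line.
    return probe_hop(TtlExpiredRateLimiter(LEGACY_INTERVAL), "192.0.2.10")[0]


def legacy_parallel():
    # Three probes 50 ms apart: only the first one is answered.
    return probe_hop_parallel(TtlExpiredRateLimiter(LEGACY_INTERVAL), "192.0.2.10")


def current_parallel():
    # With a 10 ms interval the same three probes are all answered.
    return probe_hop_parallel(TtlExpiredRateLimiter(CURRENT_INTERVAL), "192.0.2.10")


def two_monitors(src_a="192.0.2.10", src_b="192.0.2.10"):
    """Two monitoring instances sending a TTL=1 probe at the same moment under
    the legacy limit. Only one wins if both share a source IP."""
    limiter = TtlExpiredRateLimiter(LEGACY_INTERVAL)
    return {
        "monitor_a": "reply" if limiter.should_reply(src_a, 0.0) else "timeout",
        "monitor_b": "reply" if limiter.should_reply(src_b, 0.0) else "timeout",
    }


if __name__ == "__main__":
    print("legacy, sequential probes :", legacy_sequential())
    print("legacy, parallel probes   :", legacy_parallel())
    print("10 ms limit, parallel     :", current_parallel())
    print("two MTRs, same source IP  :", two_monitors())
    print("two MTRs, separate IPs    :", two_monitors(src_b="192.0.2.11"))
```

Because the limiter keys on the source address, the "monitor_b" result flips from timeout to reply as soon as the second instance runs from a different IP, which is the workaround the article recommends; the sequential model also shows why the missing reply typically lands on the middle probe rather than on all three.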

