FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
dsharma
Staff
Article Id 191183
Description
This article describes the method to prevent the public FortiGate interface from responding to ping requests.

Scope
FortiOS v5.6, 6.0 and 6.2.

Solution
By factory default, the public / external / Internet interface of the FortiGate unit, which is usually the interface connected to the Internet, responds to ping requests.

Note: Depending on the model of the FortiGate unit, the actual name of this interface will vary (for example, wan1 or port1).

For the most secure operation, change the configuration of the external interface so that it does not respond to ping requests.

Not responding to ping requests makes it more difficult for a potential attacker to discover the FortiGate unit from the Internet, and it stops the unit from answering the ICMP echo requests that ICMP-based Denial of Service (DoS) attacks such as a smurf attack rely on. Note that this setting only controls whether the FortiGate itself answers: ICMP traffic passing through the unit is governed by firewall policies, and the unit remains discoverable through any other administrative service (HTTPS, SSH, and so on) that is still enabled on the interface.

A FortiGate unit responds to ping requests on an interface only if PING is enabled under administrative access for that interface. Use the following procedures to disable ping access on the external interface of a FortiGate unit. The same procedures apply to any other FortiGate interface, and to both NAT/Route and Transparent mode.

To disable ping administrative access from the web-based manager:

   1.    Login to the FortiGate GUI.
   2.    Go to Network > Interfaces.
   3.    Select the external interface and select Edit.
   4.    Under Administrative Access, clear the PING check box.
   5.    Select OK to save the changes.

To disable ping administrative access from the FortiGate CLI:

   1.    Login to the FortiGate CLI.
   2.    Re-set the administrative access list of the external interface without ping. Run the following commands:

config system interface
    edit <name_of_interface>
        set allowaccess https               <-- list only the protocols that should stay enabled (here HTTPS) and do not include ping; 'set allowaccess' replaces the whole list
    next
end
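To verify the change from the CLI, run `show system interface <name_of_interface>` and confirm that the `set allowaccess` line no longer contains `ping`. The following Python script is an added example, not part of the original article or of Fortinet's own tooling: it parses `show system interface` output, reports every interface that still lists ping under allowaccess (optionally only those with the wan role), and prints the `set allowaccess` command that keeps the remaining services while dropping ping. The embedded configuration (interfaces wan1, internal and dmz, their addresses and roles) is constructed for illustration.

```python
import re

# Constructed sample in the shape of `show system interface` output on FortiOS.
# Interface names, addresses and roles are hypothetical.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type hard-switch
        set role lan
    next
    edit "dmz"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess https
        set type physical
        set role dmz
    next
end
"""


def parse_interfaces(config_text):
    """Return {name: {"allowaccess": [services], "role": role_or_None}}.

    An interface without a 'set allowaccess' line gets an empty list: FortiOS
    omits the line when no administrative access is enabled.
    """
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?([^"\s]+)"?$', line)
        if m:
            current = m.group(1)
            interfaces[current] = {"allowaccess": [], "role": None}
            continue
        if current is None:
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"^set allowaccess\s+(.+)$", line)
        if m:
            interfaces[current]["allowaccess"] = m.group(1).split()
            continue
        m = re.match(r"^set role\s+(\S+)$", line)
        if m:
            interfaces[current]["role"] = m.group(1)
    return interfaces


def interfaces_answering_ping(interfaces, role=None):
    """Names of interfaces whose allowaccess includes ping.

    Pass role="wan" to restrict the check to Internet-facing interfaces.
    """
    return sorted(
        name
        for name, attrs in interfaces.items()
        if "ping" in attrs["allowaccess"]
        and (role is None or attrs["role"] == role)
    )


def remediation_cli(name, allowaccess):
    """FortiOS CLI that removes ping from an interface's allowaccess.

    'set allowaccess' replaces the whole list, so every service that should
    stay enabled must be listed again; if ping was the only service, the
    setting is unset instead.
    """
    keep = [service for service in allowaccess if service != "ping"]
    lines = ["config system interface", f'    edit "{name}"']
    if keep:
        lines.append("        set allowaccess " + " ".join(keep))
    else:
        lines.append("        unset allowaccess")
    lines += ["    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_interfaces(SAMPLE_CONFIG)
    for name in interfaces_answering_ping(found):
        attrs = found[name]
        print(f"# {name} (role={attrs['role']}) still answers ping")
        print(remediation_cli(name, attrs["allowaccess"]))
        print()
```

Paste real `show system interface` output in place of SAMPLE_CONFIG, or read it from a file. The script only prints the commands; review them before applying, since the generated `set allowaccess` line keeps every other service that was already enabled on the interface.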
