FortiGate
naveenk
Staff
Article Id 193707
Description
In a strict security environment, enable ICMP error message checking so that FortiOS validates each ICMP error packet against the session it claims to belong to before letting it through.

This article describes how to configure this feature.

Solution
Enable ICMP error message verification so that a forged ICMP error message, one whose embedded TCP sequence number does not match the session it refers to, is dropped instead of being delivered to the endpoint.
config system global
    set check-reset-range {disable | strict}
end
- disable: The FortiGate unit does not validate ICMP error messages.
- strict: The FortiGate unit validates ICMP error messages against the matching session, as described below.

An ICMP error packet quotes the header of the datagram that triggered it: the embedded IP header (source A, destination B) followed by the start of the embedded TCP header (source port C, destination port D, and the TCP sequence number). When the FortiGate unit receives such a packet and strict checking is enabled, FortiOS looks up the A:C->B:D session; if it finds one, it checks that the sequence number in the embedded TCP header is within the range recorded for that session.

If the sequence number is not in range, the ICMP packet is dropped.
Strict checking also affects how the anti-replay option (also under config system global) checks packets.
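The strict check described above, modelled in Python as an added example (this is not FortiOS code and is not part of the article): it parses an ICMP error, extracts A, B, C, D and the sequence number from the quoted IP and TCP headers, looks up the A:C->B:D session and applies the range test. The session-table layout, the (low, high) window, the "accept" verdict when no session exists, and the sample addresses and ports are all assumptions made for illustration.

```python
import struct
from ipaddress import IPv4Address

# ICMPv4 error types that quote the offending datagram (RFC 792): destination
# unreachable, source quench, redirect, time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

# Constructed session table (an assumed layout, not FortiOS's): key is the
# A:C -> B:D tuple, value is the (low, high) TCP sequence range recorded for it.
SESSIONS = {
    ("10.0.0.5", 40000, "203.0.113.10", 443): (1000, 1000 + 65535),
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_icmp_error(quoted: bytes, icmp_type: int = 3, code: int = 3) -> bytes:
    """ICMP error (default: port unreachable) quoting the offending datagram."""
    hdr = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted
    return hdr[:2] + struct.pack("!H", inet_checksum(hdr)) + hdr[4:]


def parse_icmp_error(packet: bytes):
    """Return (A, B, C, D, seq) quoted by an ICMP error, or None when the packet
    is not an ICMP error or does not quote a TCP segment with ports and seq."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:          # not ICMP, or truncated
        return None
    icmp = packet[ihl:]
    if icmp[0] not in ICMP_ERROR_TYPES:
        return None
    quoted = icmp[8:]                                    # embedded IP(A,B) header
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        return None
    q_ihl = (quoted[0] & 0x0F) * 4
    if quoted[9] != 6 or len(quoted) < q_ihl + 8:        # need TCP ports + seq
        return None
    a, b = str(IPv4Address(quoted[12:16])), str(IPv4Address(quoted[16:20]))
    c, d, seq = struct.unpack("!HHI", quoted[q_ihl:q_ihl + 8])
    return a, b, c, d, seq


def seq_in_range(seq: int, low: int, high: int) -> bool:
    """Modulo-2^32 comparison so a window that straddles the wrap point works."""
    return (seq - low) & 0xFFFFFFFF <= (high - low) & 0xFFFFFFFF


def check_icmp_error(packet: bytes, sessions: dict, mode: str = "strict") -> tuple:
    """Model of check-reset-range: returns ('accept' | 'drop', reason)."""
    if mode == "disable":
        return "accept", "ICMP error validation disabled"
    fields = parse_icmp_error(packet)
    if fields is None:
        return "accept", "not an ICMP error quoting TCP; check not applicable"
    a, b, c, d, seq = fields
    window = sessions.get((a, c, b, d))
    if window is None:
        # The article only specifies behaviour when the session is found;
        # passing the packet on in that case is an assumption of this model.
        return "accept", "no A:C->B:D session found; check not applied"
    if seq_in_range(seq, *window):
        return "accept", "quoted seq %d within recorded range %s" % (seq, window)
    return "drop", "quoted seq %d outside recorded range %s" % (seq, window)


def demo() -> dict:
    """Run the check over constructed packets: an honest router error, a forged
    error with a bogus sequence number, and a few edge cases."""
    def icmp_error_for(sport: int, seq: int) -> bytes:
        tcp_stub = struct.pack("!HHI", sport, 443, seq)  # first 8 bytes of TCP
        quoted = build_ipv4("10.0.0.5", "203.0.113.10", 6, tcp_stub)
        return build_ipv4("192.0.2.1", "10.0.0.5", 1, build_icmp_error(quoted))

    honest, forged = icmp_error_for(40000, 5000), icmp_error_for(40000, 0x7FFFFFFF)
    return {
        "honest_strict": check_icmp_error(honest, SESSIONS)[0],
        "forged_strict": check_icmp_error(forged, SESSIONS)[0],
        "forged_disable": check_icmp_error(forged, SESSIONS, mode="disable")[0],
        "unknown_session": check_icmp_error(icmp_error_for(40001, 5000), SESSIONS)[0],
        "truncated": check_icmp_error(forged[:30], SESSIONS)[0],
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-16s %s" % (case, verdict))
```

The forged packet is exactly what a blind off-path attacker can build: it needs only the addresses and ports, which are often guessable, but not the sequence number, which is why the range test is the point of the strict setting. With mode set to "disable" the same forged packet is accepted.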

