Services and TCP ports

log-invalid-packet

The log-invalid-packet CLI setting is intended to log invalid ICMP packets. Its exact definition is:

If the FortiGate unit receives an ICMP error packet that contains an embedded IP(A,B)|TCP(C,D) header, and FortiOS can locate the A:C -> B:D session, it checks that the sequence number in the embedded TCP header is within the range recorded in the session. If the sequence number is not in range, the ICMP packet is dropped.

When this field is enabled, the FortiGate also logs messages that are not ICMP error packets.
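The sequence-number check described above, as an added example that is not FortiOS code: it parses a constructed ICMP error packet, pulls out the embedded IPv4/TCP header, looks up the A:C -> B:D session in a hypothetical session table and accepts, drops or logs the packet accordingly. Session entries, addresses and ports are constructed values.

```python
import struct
import ipaddress

# Constructed session table (hypothetical): (A, C, B, D) -> the TCP
# sequence-number range recorded for the A:C -> B:D session.
SESSIONS = {
    ("10.0.0.5", 40000, "192.0.2.10", 80): (1000, 2000),
}
ICMP_ERROR_TYPES = {3, 11, 12}  # dest unreachable, time exceeded, param problem

def build_icmp_error(icmp_type, code, src, dst, sport, dport, seq):
    """Constructed ICMP error packet: 8-byte ICMP header followed by the
    offending datagram's IPv4 header and the first 8 bytes of its TCP header."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 6, 0,
                           ipaddress.ip_address(src).packed,
                           ipaddress.ip_address(dst).packed)
    inner_tcp = struct.pack("!HHI", sport, dport, seq)   # ports + seq only
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + inner_ip + inner_tcp

def check_icmp_error(pkt):
    """Mirror the rule on this page: locate the A:C -> B:D session for the
    embedded header and verify the embedded sequence number lies within the
    recorded range. Returns 'accept', 'drop' (sequence out of range) or
    'log' (not an ICMP error packet, not TCP, or no session matched)."""
    if len(pkt) < 8:
        return "log"
    icmp_type = pkt[0]
    if icmp_type not in ICMP_ERROR_TYPES:
        return "log"                        # e.g. echo request: not an error
    inner = pkt[8:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return "log"                        # no usable embedded IPv4 header
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 6 or len(inner) < ihl + 8:
        return "log"                        # only embedded TCP is checked
    a = str(ipaddress.ip_address(inner[12:16]))   # A = original source
    b = str(ipaddress.ip_address(inner[16:20]))   # B = original destination
    c, d, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    window = SESSIONS.get((a, c, b, d))
    if window is None:
        return "log"                        # no session matched
    lo, hi = window
    return "accept" if lo <= seq <= hi else "drop"
```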

Types of logs covered by log-invalid-packet

  • Invalid ICMP
  • If ICMP error message verification (see “check-reset-range”) is enabled
  • Invalid DNS packets
  • DNS packets that contain requests for non-existing domains
  • iprope check failed
  • reverse path check fail
  • denied and broadcast traffic
  • no session matched

Some other examples of messages that are not errors but will be logged, based on RFC 792:

Type 3 messages correspond to “Destination Unreachable Message”

  • Type 3, Code 1 = host unreachable
  • Type 3, Code 3 = port unreachable

Type 11 messages correspond to “Time Exceeded Message”

  • Type 11, Code 0 = time to live exceeded in transit

ICMPv6

Internet Control Message Protocol version 6 (ICMPv6) is the new implementation of the Internet Control Message Protocol (ICMP) that is part of Internet Protocol version 6 (IPv6). The ICMPv6 protocol is defined in RFC 4443.

ICMPv6 is a multipurpose protocol. It performs such things as:

  • error reporting in packet processing
  • diagnostic functions
  • Neighbor Discovery process
  • IPv6 multicast membership reporting

It is also designed as a framework that uses extensions to accommodate future implementations and changes. Examples of extensions that have already been written for ICMPv6:

  • Neighbor Discovery Protocol (NDP) – a node discovery protocol in IPv6 which replaces and enhances functions of ARP.
  • Secure Neighbor Discovery Protocol (SEND) – an extension of NDP with extra security.
  • Multicast Router Discovery (MRD) – allows discovery of multicast routers.

ICMPv6 messages use IPv6 packets for transportation and can include IPv6 extension headers. ICMPv6 includes some of the functionality that in IPv4 was distributed among protocols such as ICMPv4, ARP (Address Resolution Protocol), and IGMP (Internet Group Membership Protocol version 3).

ICMPv6 has simplified the communication process by eliminating obsolete messages.

ICMPv6 messages are subdivided into two classes: error messages and information messages. Error Messages are divided into four categories:

1. Destination Unreachable
2. Time Exceeded
3. Packet Too Big
4. Parameter Problems

Information messages are divided into three groups:

1. Diagnostic messages
2. Neighbor Discovery messages
3. Messages for the management of multicast groups

ICMPv6 Types and Codes

ICMPv6 messages are identified by the “Type” field, and some types have assigned “Code” fields as well. The table below shows the ICMPv6 types with their associated codes, where any exist.

Type values 0 − 127 are error messages and type values 128 − 255 are information messages.

