Rejecting PING requests


The factory default configuration of your FortiGate unit allows the default external interface to respond to ping requests. Depending on the model of your FortiGate unit, the actual name of this interface will vary. For the most secure operation, you should change the configuration of the external interface so that it does not respond to ping requests. Not responding to ping requests makes it more difficult for a potential attacker to detect your FortiGate unit from the Internet. One such potential threat is a Denial of Service (DoS) attack.

A FortiGate unit responds to ping requests if ping administrative access is enabled for that interface.


To disable ping administrative access – web-based manager

1. Go to System > Network > Interface.

2. Choose the external interface and select Edit.

3. Clear the Ping Administrative Access check box.

4. Select OK.

In the CLI, the allowaccess setting takes the complete list of permitted administrative access types; any type you leave out of that list, such as PING, is disabled. In this example, only HTTPS is selected.


To disable ping administrative access – CLI

config system interface
    edit external
        set allowaccess https
    next
end
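As an added example (not from the handbook or from Fortinet), the following Python audit parses a `config system interface` block as exported by the FortiOS CLI and lists interfaces whose allowaccess list still includes ping; the sample configuration is constructed, and the use of the `set role` attribute to identify WAN-facing interfaces is an assumption about the configuration format.

```python
import re

# Constructed sample of a FortiOS "config system interface" block (not from the page
# or a real device); "external" still has ping in its allowaccess list.
SAMPLE_CONFIG = """\
config system interface
    edit "external"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https
        set role lan
    next
    edit "dmz"
        set ip 10.10.10.1 255.255.255.0
        set role dmz
    next
end
"""

def parse_interfaces(config_text):
    """Return {name: {"allowaccess": set(...), "role": str|None}} from a
    'config system interface' block. An interface with no allowaccess line
    gets an empty set (no administrative access types enabled)."""
    interfaces = {}
    current = None
    for line in config_text.splitlines():
        line = line.strip()
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            interfaces[current] = {"allowaccess": set(), "role": None}
        elif current and line.startswith("set allowaccess "):
            interfaces[current]["allowaccess"] = set(line.split()[2:])
        elif current and line.startswith("set role "):
            interfaces[current]["role"] = line.split()[2]
        elif line in ("next", "end"):
            current = None
    return interfaces

def ping_exposed_interfaces(config_text, roles=("wan",)):
    """Names of interfaces with one of the given roles whose allowaccess
    still includes ping, i.e. interfaces that will answer ICMP echo requests."""
    return sorted(
        name for name, iface in parse_interfaces(config_text).items()
        if iface["role"] in roles and "ping" in iface["allowaccess"]
    )

if __name__ == "__main__":
    for name in ping_exposed_interfaces(SAMPLE_CONFIG):
        print(f"{name}: remove 'ping' from allowaccess")
```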

This entry was posted in FortiOS, FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

4 thoughts on “Rejecting PING requests”

  1. Ahmad Husen

    I can ping the FortiGate from a Windows PC at the remote location, but when I try to ping it from the Cisco router at the remote location I am not able to ping.
    My firewall is installed behind the Cisco router; when I try to ping locally from the router, I can ping.
    The only problem is with the remote location router.
    Please help

    1. Mike Post author

      Are you performing any NAT on the tunnel? What interface or source IP is the router actually using when performing the ping? Check to make sure those are in proper configuration and test with debugging on to see what it outputs.

      1. Ahmad Husen

        Thanks for your reply Mike
        NATing is configured only on the router, and I have allowed ping on the FortiGate interface.
        I’m using 192.168.11.1 for the router and 192.168.11.4 for the FortiGate. If I ping from the router 192.168.11.1 it’s pinging, but when I try from the other branches’ routers I am not able to ping, while the remote branches’ PCs are able to ping the 192.168.11.4 FortiGate interface. The only problem is with the routers.
        I have also checked the trusted host; it’s the default 0.0.0.0/0.
        Please help
