Allow ICMP types on Fortigate

rasmus.elmholt (Level 7)

Hi everyone,

Can someone tell me, or point me in the right direction on, how to configure and verify whether ICMP types 3 & 11 are allowed in a Fortigate firewall, to make sure ThousandEyes is showing the correct path visualization?

I want to make sure that the documentation shown here is followed:

Base Rules

The sections below provide the base firewall communication rules required for the installation and full functionality of ThousandEyes Enterprise Agents. The rules are region-specific.

Some organizations may not require rules for DNS and/or NTP servers if both the agent and servers are located inside the organization's network, and thus this communication is not blocked by existing rules or ACLs.

Additionally, ThousandEyes recommends permitting all ICMP error message types inbound to the agent in order to ensure full network functionality. If your firewall is fully stateful/dynamic for all ICMP error response types, then no rules are required. For firewalls which do not dynamically allow ICMP error messages in response to packets sent outbound that encounter the error conditions, we recommend allowing inbound the following:

    Protocol   ICMP Types
    IPv4       3, 11
    IPv6       1-4, 129
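Since the question is how to configure and verify this on a FortiGate, here is an added FortiOS CLI example. It is not from the original post, from the ThousandEyes documentation, or from Fortinet's documentation. It creates explicit services for the two ICMPv4 error types in the table above, permits them inbound to the agent only, and lists the diagnostic commands used to confirm the packets actually reach the agent. The interface names wan1 and internal, the agent address 10.0.0.10, and the object names are assumptions; replace them with your own. The quoted documentation points out that a firewall which already passes ICMP error responses statefully needs no such rule, so run the sniffer step first and add the policy only if the replies are not getting through.

```fortios
# Added example, not Fortinet or ThousandEyes configuration.
# Assumptions: Enterprise Agent at 10.0.0.10 behind interface "internal",
# Internet-facing interface "wan1". Adjust names to your environment.

# 1. Address object for the Enterprise Agent (assumed address).
config firewall address
    edit "TE-Agent"
        set subnet 10.0.0.10 255.255.255.255
    next
end

# 2. Custom services limited to the two ICMPv4 error types from the
#    ThousandEyes table. No icmpcode is set, so every code of each type
#    matches (type 3 code 4, fragmentation needed, is included).
config firewall service custom
    edit "ICMP-Type3-Unreachable"
        set protocol ICMP
        set icmptype 3
    next
    edit "ICMP-Type11-TimeExceeded"
        set protocol ICMP
        set icmptype 11
    next
end

# 3. Inbound policy: only these two ICMP types, only to the agent,
#    logged so the verification step has something to look at.
#    "edit 0" lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set name "Allow-ICMP-errors-to-TE-agent"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "TE-Agent"
        set action accept
        set schedule "always"
        set service "ICMP-Type3-Unreachable" "ICMP-Type11-TimeExceeded"
        set logtraffic all
    next
end

# 4. Verify while a path-visualization test is running.
#    Watch ICMP to/from the agent on every interface (verbosity 4 shows the
#    interface name). Replies seen on wan1 but never on internal mean the
#    FortiGate is dropping them and the policy is not matching.
diagnose sniffer packet any 'icmp and host 10.0.0.10' 4 0 l

#    Alternatively, trace the policy decision for ICMP (protocol 1) to the agent
#    and read the matched policy ID or the deny reason in the output.
diagnose debug flow filter proto 1
diagnose debug flow filter addr 10.0.0.10
diagnose debug flow trace start 20
diagnose debug enable
#    ... run the test, then clean up ...
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
```

The sniffer filter uses tcpdump-style syntax, so it can be narrowed further to 'icmp[0]=3 or icmp[0]=11' if the link is busy. If the FortiGate also carries IPv6 for the agent, the same service pattern with protocol ICMP6 covers the IPv6 types listed in the table. Keeping the services restricted to types 3 and 11 rather than permitting all of ICMP means an echo request from the Internet still does not reach the agent through this policy.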
3 Replies

remyJe (Cisco Employee)

Hi, Rasmus! For Fortigate support, I encourage you to check out their documentation related to firewall policies, and/or engage the Fortinet support community:

https://community.fortinet.com
https://support.fortinet.com

Configuration will vary, depending on how your network is designed and which actual Fortigate product/version you're using. The latest Fortigate FortiOS documentation on firewall policies can be found here:

https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/118003/policies

And, a quick search in the community turned up the following guidance:

https://community.fortinet.com/t5/Support-Forum/Default-allow-ICMP/m-p/63968

Kindly,

Jeremy Stark
Technical Consulting Engineer
ThousandEyes (part of Cisco)

rasmus.elmholt (Level 7), accepted solution

We changed one of the tests to run path trace mode: in-session and the user-agent to something other than the default.

That solved some of the issues.

The funny thing about this was that a traceroute using TCP-SYN port 443 was shown correctly when done on the CLI, but when the TE agent did the default it failed. We have not figured out why.

But the workaround is showing us some more data.

Hi Rasmus,

Path Trace Mode "In Session" is used to try to bypass some more restrictive firewalls. It does this by establishing a TCP session and running the path trace process inside the TCP session. Using the "In Session" Path Trace Mode uses TCP and not ICMP.
More information can be found here: https://docs.thousandeyes.com/archived-release-notes/2020/2020-03-release-notes#new-path-visualization-probing-mode
If you want to measure the path using ICMP you will still need to allow ICMP types 3 and 11 on your firewall.
If you don't care about ICMP and TCP is acceptable, then you can either use the "In Session" Path Trace Mode, or make sure that the TCP ports you are using for the test are unrestricted on your firewall.

If you would like to troubleshoot issues specific to your configuration then I suggest opening a case with a ThousandEyes support engineer via our live chat or email to support@thousandeyes.com. We are available 24x7.

Regards,
Charles Pressler
Technical Consulting Engineer | ThousandEyes