Just more ramblings of another IT Guy

Fortigate ping response on WAN interfaces

Recently I encountered an issue where a Fortigate, when pinged from an external source, was not responding to pings on the WAN interfaces.

Administrative access was set to allow pings on both interfaces.

Solution:

When all the admin users are IP restricted, the Fortigate will not respond to ping requests originating from anywhere other than the designated admin IPs.

If you want the FortiGate unit to respond to ping requests regardless of the originator, add an additional restrictive admin account with no trusted hosts associated with it (the default, 0.0.0.0/0.0.0.0). Give the new admin account a complex name, assign it an access profile that has no privileges, and use a complex password.

This entry was posted in Fortigate, Tips+Tricks.

5 Responses to Fortigate ping response on WAN interfaces

  1. Kristian says:

    haha thanks for the workaround… can’t believe that’s what was required

    cheers

  2. Cesar J Gonzalez says:

    Hi, I wanna accept ICMP on my WAN interface, from only one public IP. How can I do it? Thanks

    • Googs says:

      Hi Cesar,

      To restrict the ping response to only one source IP you will need to create a separate admin account and restrict that account to only the IP you need. All other admin accounts will also need to be restricted.

      Steps:
      1. Create a new admin profile which has no access, e.g. “no_logon”.
      2. Create a new admin account, e.g. “ping_only”, and assign it the admin profile created in step 1.
      3. Add the IP you would like to ping from to the “Trusted Hosts” list and save.
      4. To prevent the Fortigate from responding to pings from the internet in general, all admin accounts will have to be restricted to only log in from trusted IPs.

      Hope this helps

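The same configuration in FortiOS CLI form, covering both the post's "answer from anywhere" account and the single-source variant from the comment above. This is an added example, not the blog author's or Fortinet's own configuration; it assumes VDOMs are disabled (so the "root" VDOM applies), that the existing administrator is named "admin", and uses 203.0.113.10 and 198.51.100.0/24 as constructed placeholder addresses.

```fortios
# Added example (not from the original post). Assumptions: VDOMs disabled,
# existing administrator is "admin", 203.0.113.10 is a constructed placeholder
# for the one public address that should receive ping replies, and
# 198.51.100.0/24 is a constructed placeholder for the management network.

# 1. Access profile with no privileges. A newly created profile has every
#    permission group at "none"; confirm with
#    "show full-configuration system accprofile no_logon" before relying on it.
config system accprofile
    edit "no_logon"
    next
end

# 2. Account whose only job is to put the wanted source into the set of
#    trusted hosts. To answer pings from any source instead (the post's
#    original workaround), omit the trusthost line: the default
#    0.0.0.0/0.0.0.0 means "any host".
config system admin
    edit "ping_only"
        set accprofile "no_logon"
        set vdom "root"
        set trusthost1 203.0.113.10 255.255.255.255
        set password "<long-random-password-placeholder>"
    next
end

# 3. Every other administrator must also have trusted hosts, otherwise a
#    single unrestricted account makes the unit answer pings from anywhere.
config system admin
    edit "admin"
        set trusthost1 198.51.100.0 255.255.255.0
    next
end
```

After applying, a ping from 203.0.113.10 to the WAN address should be answered while one from an unlisted source is silently dropped; `show system admin` lists the trusthost entries per account if the behaviour does not match.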
  3. Alessandro says:

    Thank you guy, this fixed my issue. A bit cumbersome but it did it.

  4. shredder12 says:

    Works like a charm. Thanks!
