Recently I encountered an issue where a FortiGate was not responding to pings on its WAN interfaces when pinged from an external source.
Administrative access was set to allow pings on both interfaces.
Solution:
When every admin user is restricted to trusted hosts, the FortiGate will not respond to ping requests originating from anywhere other than the designated admin IPs.
If you want the FortiGate unit to respond to ping requests whatever the originator, add an additional restricted admin account with no trusted hosts configured (i.e. the default 0.0.0.0/0.0.0.0). Give the new admin account a complex name, assign it an access profile that has no privileges, and use a complex password.
haha thanks for the workaround… can’t believe that’s what was required
cheers
Hi, I want to accept ICMP on my WAN interface from only one public IP. How can I do it? Thanks
Hi Cesar,
To restrict the ping response to only one source IP, you will need to create a separate admin account and restrict that account to only the IP you need. All other admin accounts will also need to be restricted.
Steps:
1. Create a new admin profile which has no access, e.g. “no_logon”.
2. Create a new admin account, e.g. “ping_only”, and assign it the admin profile created in step 1.
3. Add the IP you would like to ping from to the “Trusted Hosts” list and save.
4. To prevent the FortiGate from responding to pings from the internet in general, all admin accounts will have to be restricted to log in only from trusted IPs.
Hope this helps
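The procedure from the solution above and from the reply to Cesar, written out as FortiOS CLI. This is an added example, not configuration from the original post: the interface name wan1, the source address 203.0.113.5 and the account and profile names are assumptions, and the access-profile group names differ between FortiOS versions, so compare against `config system accprofile` on your own unit.

```fortios
# Added example, not from the original post. Assumes interface "wan1",
# allowed source 203.0.113.5 and FortiOS 6.x option names.

# 1. The WAN interface itself must accept ping (the post's starting point).
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end

# 2. Access profile with no privileges, so the account can change nothing
#    even if its credentials are ever guessed.
config system accprofile
    edit "no_logon"
        set sysgrp none
        set netgrp none
        set fwgrp none
        set loggrp none
        set vpngrp none
        set utmgrp none
        set authgrp none
    next
end

# 3. Admin account whose only trusted host is the IP allowed to ping.
#    With a /32 mask the unit answers ICMP on wan1 only from that address.
#    Use "set trusthost1 0.0.0.0 0.0.0.0" instead if pings from anywhere
#    should be answered (the workaround in the original post).
config system admin
    edit "ping_only"
        set accprofile "no_logon"
        set trusthost1 203.0.113.5 255.255.255.255
        set password <placeholder-long-random-password>
    next
end

# 4. Check: every other admin account must carry at least one trusthost.
#    Any account still at 0.0.0.0 0.0.0.0 makes the unit answer pings
#    from everywhere again.
show system admin
```

After committing, test from the trusted address and from a second, untrusted address; only the first should receive replies.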
Thank you guy, this fixed my issue. A bit cumbersome but it did it.
Works like a charm. Thanks!