
Technical Note : ICMP and UDP traceroute functionality with the FortiGate

by barefeet1211 2014. 12. 23.
Products
FortiGate
Description

This article provides background on ICMP and UDP traceroute functionality in the FortiGate and explains why the FortiGate cannot be tracerouted from a Cisco router or a Linux Operating System.

Scope

All FortiGate Users

Solution
By design, the FortiGate local-in policy does not accept UDP packets addressed to its own interfaces. The probes of a standard UDP-based traceroute are therefore dropped when they arrive at a FortiGate interface, and the FortiGate never answers them.

Hence, it is possible to traceroute to the FortiGate from a Windows PC (which uses ICMP echo probes) but not from a Linux machine or a Cisco router: both Linux and Cisco use UDP-based traceroute by default.

ICMP must be used for a FortiGate to reply to a traceroute probe. On Linux, run "traceroute -I" to send ICMP echo probes instead of UDP. The ping local-in service must also be enabled on the FortiGate interface, i.e. "ping" must be present in "allowaccess", as in this example:
config system interface
    edit "mgmt1"
        set vdom "InternetNAT"
        set ip 192.168.182.155 255.255.254.0
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set alias "Test purpose Management"
    next
end
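The exchange described above, as an added Python model that is not part of the original note: transit hops answer an expired probe with ICMP Time Exceeded regardless of probe type, while the destination FortiGate applies its local-in rule, dropping UDP and answering ICMP echo only when "ping" is in allowaccess. The hop addresses and the allowaccess set are constructed; only 192.168.182.155 is taken from the config above.

```python
# Constructed model of the traceroute exchange described in the note (not
# Fortinet code). Transit hops answer an expired probe with ICMP Time Exceeded
# whatever its payload; the destination FortiGate applies its local-in policy:
# UDP to its own interface is dropped, ICMP echo is answered only if "ping"
# is part of allowaccess. Addresses and the allowaccess set are made up,
# apart from 192.168.182.155, which is the interface from the config above.
from dataclasses import dataclass

@dataclass(frozen=True)
class Hop:
    ip: str
    fortigate: bool = False
    allowaccess: frozenset = frozenset()

def local_in(hop: Hop, probe: str):
    """Reply the destination sends to a probe that reached it, or None if dropped."""
    if not hop.fortigate:
        # An ordinary host: closed UDP port -> Port Unreachable, echo -> Echo Reply
        return "port-unreachable" if probe == "udp" else "echo-reply"
    if probe == "udp":
        return None  # FortiGate local-in policy drops UDP to the interface
    return "echo-reply" if "ping" in hop.allowaccess else None

def traceroute(path, probe: str, max_ttl: int = 6):
    """Return (ttl, responder_ip, reply) rows; responder_ip None means '* * *'."""
    rows = []
    for ttl in range(1, max_ttl + 1):
        if ttl < len(path):
            # TTL reaches 0 in transit: the forwarding hop reports Time Exceeded
            rows.append((ttl, path[ttl - 1].ip, "time-exceeded"))
            continue
        reply = local_in(path[-1], probe)  # probe reached the destination
        rows.append((ttl, path[-1].ip if reply else None, reply))
        if reply:
            break  # destination answered; traceroute stops here
    return rows

def render(rows):
    """Format rows the way a traceroute tool prints them."""
    return "\n".join(f"{ttl:2d}  " + (f"{ip}  ({reply})" if ip else "* * *")
                     for ttl, ip, reply in rows)

if __name__ == "__main__":
    path = [Hop("10.0.0.1"), Hop("10.0.1.1"),
            Hop("192.168.182.155", fortigate=True,
                allowaccess=frozenset({"ping", "https", "ssh"}))]
    for probe in ("udp", "icmp"):
        print(f"--- {probe} traceroute ---\n{render(traceroute(path, probe))}")
```

Running it shows the UDP trace timing out with "* * *" after the last transit hop, while the ICMP trace ends with an echo reply from the FortiGate interface.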


Source: http://kb.fortinet.com