
Handbook

log-invalid-packet

6.0.0
Doc ID 4afb0436-a998-11e9-81a4-00505692583a:442340
log-invalid-packet

The log-invalid-packet CLI setting is intended to log invalid ICMP packets. The exact definition is:

If the FortiGate unit receives an ICMP error packet that contains an embedded IP(A,B)|TCP (C,D) header, then if FortiOS can locate the A:C -> B:D session it checks to make sure that the sequence number in the TCP header is within the range recorded in the session. If the sequence number is not in range then the ICMP packet is dropped.

When this field is enabled, the FortiGate also logs messages that are not ICMP error packets.

Types of logs covered by log-invalid-packet
  • Invalid ICMP
    • If ICMP error message verification (see "check-reset-range") is enabled
  • Invalid DNS packets
    • DNS packets that contain requests for non-existing domains
  • iprope check failed
  • reverse path check fail
  • denied and broadcast traffic
  • no session matched

Some other examples of messages that are not errors but will still be logged, based on RFC 792:

Type 3 messages correspond to "Destination Unreachable Message"

  • Type 3, Code 1 = host unreachable
  • Type 3, Code 3 = port unreachable

Type 11 messages correspond to "Time Exceeded Message"

  • Type 11, Code 0 = time to live exceeded in transit
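The following is an added example, not FortiOS code or part of the original handbook page. It models the validation described above: an ICMP error message (Type 3 or 11) carries the embedded IP header and the first 8 bytes of the original TCP header, so the checker can recover the A:C -> B:D tuple and the TCP sequence number, look the session up, and drop the ICMP packet when the sequence number falls outside the range recorded for that session. It also labels the Type 3/11 codes listed above. The session table layout, the `(low, high)` window representation, the modular wraparound comparison, and the "unchecked" verdict when no session matches are all assumptions of this example; the real session structure and the behaviour when no session exists are not stated on the page.

```python
import struct
import ipaddress
from typing import Dict, Tuple

# RFC 792 type/code labels for the messages the handbook page lists.
ICMP_ERROR_LABELS = {
    (3, 1): "destination unreachable: host unreachable",
    (3, 3): "destination unreachable: port unreachable",
    (11, 0): "time exceeded: time to live exceeded in transit",
}

# Assumed session table: key is (A, C, B, D) = (src ip, src port, dst ip, dst port),
# value is the (low, high) TCP sequence window recorded for that session.
SessionKey = Tuple[str, int, str, int]
SessionTable = Dict[SessionKey, Tuple[int, int]]

SEQ_MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


def build_icmp_error(icmp_type: int, code: int, src: str, sport: int,
                     dst: str, dport: int, seq: int, proto: int = 6) -> bytes:
    """Construct a minimal ICMP error message (sample data for this example, not a capture):
    8-byte ICMP header, then a 20-byte IPv4 header and the first 8 bytes of the
    original TCP header (ports and sequence number), as RFC 792 requires."""
    icmp_hdr = struct.pack("!BBHI", icmp_type, code, 0, 0)  # checksum/unused left as zero
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    tcp8 = struct.pack("!HHI", sport, dport, seq)
    return icmp_hdr + ip_hdr + tcp8


def parse_icmp_error(icmp: bytes):
    """Return (type, code, proto, A, C, B, D, seq) from an ICMP error message.
    Raises ValueError when any of the three headers is truncated."""
    if len(icmp) < 8:
        raise ValueError("ICMP header truncated")
    icmp_type, code = icmp[0], icmp[1]
    inner = icmp[8:]
    if len(inner) < 20:
        raise ValueError("embedded IP header truncated")
    ihl = (inner[0] & 0x0F) * 4  # header length in bytes, options included
    proto = inner[9]
    src = str(ipaddress.IPv4Address(inner[12:16]))
    dst = str(ipaddress.IPv4Address(inner[16:20]))
    transport = inner[ihl:]
    if len(transport) < 8:
        raise ValueError("embedded transport header truncated")
    sport, dport, seq = struct.unpack("!HHI", transport[:8])
    return icmp_type, code, proto, src, sport, dst, dport, seq


def seq_in_window(seq: int, low: int, high: int) -> bool:
    """True when seq lies in [low, high] under 32-bit modular arithmetic,
    so a window that straddles the wrap point is still handled."""
    return (seq - low) % SEQ_MOD <= (high - low) % SEQ_MOD


def check_icmp_error(icmp: bytes, sessions: SessionTable) -> Tuple[str, str]:
    """Apply the check described on the page. Returns (verdict, log line) where
    verdict is 'accept', 'drop', or 'unchecked' (no TCP session to compare against;
    what FortiOS does in that case is not stated, so this is an assumption)."""
    icmp_type, code, proto, a, c, b, d, seq = parse_icmp_error(icmp)
    label = ICMP_ERROR_LABELS.get((icmp_type, code), f"type {icmp_type} code {code}")
    if proto != 6:
        return "unchecked", f"icmp error '{label}' embeds protocol {proto}, not TCP"
    window = sessions.get((a, c, b, d))
    if window is None:
        return "unchecked", f"icmp error '{label}' for {a}:{c} -> {b}:{d}: no session matched"
    low, high = window
    if seq_in_window(seq, low, high):
        return "accept", f"icmp error '{label}' for {a}:{c} -> {b}:{d} seq {seq} in range"
    return "drop", (f"invalid ICMP: '{label}' for {a}:{c} -> {b}:{d} "
                    f"seq {seq} outside [{low}, {high}]")


if __name__ == "__main__":
    # Constructed session: client 10.0.0.5:40000 talking to 203.0.113.10:443.
    sessions = {("10.0.0.5", 40000, "203.0.113.10", 443): (1000, 1000 + 65535)}
    good = build_icmp_error(3, 3, "10.0.0.5", 40000, "203.0.113.10", 443, 5000)
    bad = build_icmp_error(11, 0, "10.0.0.5", 40000, "203.0.113.10", 443, 999999)
    for pkt in (good, bad):
        print(*check_icmp_error(pkt, sessions))
```

The log line is only produced for the dropped packet when the check fails; the "accept" and "unchecked" lines are returned here so the caller can see why a packet passed. The wraparound comparison in `seq_in_window` matters because a recorded window such as `(2**32 - 100, 50)` is legitimate for a long-lived session and a plain `low <= seq <= high` test would reject every sequence number in it.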