Troubleshooting Page 130 FortiRecorder 2.4.2 Administration Guide
destination, ping tells you the amount of packet loss (if any), how long it takes the packet to
make the round trip (latency), and the variation in that time from packet to packet (jitter).
Similarly, traceroute sends ICMP packets to test each hop along the route. It sends three
packets to the destination, and then increases the time to live (TTL) setting by one, and sends
another three packets to the destination. As the TTL increases, packets go one hop farther
along the route until they reach the destination.
Most traceroute commands display their maximum hop count — that is, the maximum
number of steps it will take before declaring the destination unreachable — before they start
tracing the route. The TTL setting may result in routers or firewalls along the route timing out due
to high latency. If you specify the destination using a domain name, the traceroute output
can also indicate DNS problems, such as an inability to connect to a DNS server.
By default, FortiRecorder appliances will respond to ping and traceroute. However, if
FortiRecorder does not respond, and there are no firewall policies that block it, ICMP type 0
(ECHO_RESPONSE or “pong”) might be effectively disabled. By default, traceroute uses
UDP with destination ports numbered from 33434 to 33534. The traceroute utility usually has an
option to specify use of ICMP ECHO_REQUEST (type 8) instead, as used by the Windows
tracert utility. If you have a firewall and you want traceroute to work from both machines
(Unix-like systems and Windows) you will need to allow both protocols inbound through your
firewall (UDP ports 33434 - 33534 and ICMP type 8).
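
The following is an added example, not part of the Fortinet guide. It classifies raw IPv4 packets into the probe types described above (UDP traceroute to ports 33434 - 33534, ICMP type 8, ICMP type 0), reports each probe's TTL, and lists which inbound firewall allowances a capture depends on. The function names and sample packets are constructed for illustration.

```python
import struct

# Added example; names here are illustrative and do not come from the guide.
TRACEROUTE_PORTS = range(33434, 33535)   # UDP 33434-33534, per the guide
ALLOWANCE = {"icmp-echo-request": "ICMP type 8", "udp-traceroute": "UDP 33434-33534"}

def classify_probe(packet: bytes) -> dict:
    """Classify one raw IPv4 packet as a ping/traceroute probe or 'other'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length; IP options may extend it
    if ihl < 20 or len(packet) < ihl + 4:
        raise ValueError("truncated packet")
    ttl, proto, payload = packet[8], packet[9], packet[ihl:]
    kind = "other"
    if proto == 1:                        # ICMP: first payload byte is the type
        kind = {8: "icmp-echo-request", 0: "icmp-echo-response"}.get(payload[0], "other")
    elif proto == 17:                     # UDP: bytes 2-3 are the destination port
        (dport,) = struct.unpack("!H", payload[2:4])
        if dport in TRACEROUTE_PORTS:
            kind = "udp-traceroute"
    return {"kind": kind, "ttl": ttl}

def required_allowances(packets) -> list:
    """Inbound firewall allowances that the observed probes depend on."""
    kinds = {classify_probe(p)["kind"] for p in packets}
    return sorted(ALLOWANCE[k] for k in kinds if k in ALLOWANCE)

# --- Constructed sample packets (documentation addresses, zero checksums) ---
def build_ipv4(proto, ttl, payload, options=b""):
    ihl_words = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                         20 + len(options) + len(payload), 0, 0, ttl, proto, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return header + options + payload

def udp(dport):
    return struct.pack("!HHHH", 40000, dport, 8, 0)
def icmp(icmp_type):
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)

UNIX_PROBE = build_ipv4(17, 1, udp(33434))                  # Unix-like traceroute, TTL 1
WIN_PROBE = build_ipv4(1, 2, icmp(8))                       # Windows tracert, TTL 2
DNS_QUERY = build_ipv4(17, 64, udp(53))                     # unrelated UDP traffic
OPTIONS_PROBE = build_ipv4(17, 3, udp(33534), b"\x01" * 4)  # IP options present

if __name__ == "__main__":
    print(classify_probe(UNIX_PROBE), classify_probe(WIN_PROBE))
    print(required_allowances([UNIX_PROBE, WIN_PROBE, DNS_QUERY]))
```
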
Some networks block ICMP packets because they can be used in a ping flood or denial of
service (DoS) attack if the network does not have anti-DoS capabilities, or because ping can
be used by an attacker to find potential targets on the network.
To enable ping & traceroute responses from FortiRecorder
1. Go to System > Network > Interface.
To access this part of the web UI, you must have Read and Write permission in your
administrator's account access profile to items in the Router Configuration category.
2. In the row for the network interface which you want to respond to ICMP type 8
(ECHO_REQUEST) for ping and UDP for traceroute, click Edit.
A dialog appears.
3. Enable PING.
4. Click OK.
The appliance should now respond when another device such as your management
computer sends a ping or traceroute to that network interface.
To verify routes between cameras & your FortiRecorder
1. Use FortiRecorder’s execute ping command with the camera’s IP address to verify that a
route exists between the two.
2. If possible, temporarily connect a computer at the camera’s usual physical location, using
the camera’s usual IP address, so that you can use its ping command to test traffic
Disabling PING only prevents FortiRecorder from receiving ICMP type 8 (ECHO_REQUEST) and
traceroute-related UDP.
It does not disable FortiRecorder CLI commands such as execute ping or execute
traceroute that send such traffic.
Since you typically use these tools only during troubleshooting, you can allow ICMP, the
protocol used by these tools, on interfaces only when you need them. Otherwise, disable ICMP
for improved security and performance.