This article describes how to generate ICMP unreachable log messages on a FortiGate and explains which policy such a log entry is matched against.
Scope
FortiGate.
Solution
To generate the ICMP log message, enable logging of invalid packets:
config log setting
    set log-invalid-packet enable
end
The ICMP log is generated as below:
The log entry reports a match on policy ID 2 even though the source field of the log (the outer source address of the ICMP unreachable packet) does not match the source of policy ID 2.
Policy ID 2 allowed the ICMP unreachable packet because the FortiGate does not perform a fresh policy lookup on the outer IP header of an ICMP error. Instead, it reads the encapsulated IP header carried in the ICMP payload (the header of the original packet that triggered the error), finds the existing session for that original flow, and logs the policy ID that created that session.
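The following is an added illustration (not FortiGate code or from this article) of why the log names policy ID 2: it builds a minimal ICMP type 3 packet, then looks up the original flow's 5-tuple from the encapsulated inner IP header against a constructed session table. All addresses, ports and the session table are made-up sample values.

```python
import struct
import ipaddress

# Constructed session table: 5-tuple of the original outbound flow -> policy ID
# that created the session. Sample values, not from a real FortiGate.
SESSION_TABLE = {("192.168.1.10", 40000, "203.0.113.5", 443, 6): 2}
# Constructed policy source definitions: policy ID -> permitted source subnet.
POLICY_SOURCE = {2: "192.168.1.0/24"}

def _ipv4_header(src, dst, proto, total_len):
    # Minimal 20-byte IPv4 header with a zero checksum (enough for parsing).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def build_icmp_unreachable(outer_src, outer_dst, inner_src, inner_dst, sport, dport, code=1):
    """Build an IPv4/ICMP type 3 packet carrying the original IP header + 8 bytes of TCP."""
    inner = _ipv4_header(inner_src, inner_dst, 6, 28) + struct.pack("!HHI", sport, dport, 0)
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + inner
    return _ipv4_header(outer_src, outer_dst, 1, 20 + len(icmp)) + icmp

def parse_icmp_unreachable(pkt):
    """Return (outer_src, inner 5-tuple) for an ICMP destination-unreachable packet, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or pkt[ihl] != 3:          # not ICMP, or not type 3
        return None
    outer_src = str(ipaddress.IPv4Address(pkt[12:16]))
    inner = pkt[ihl + 8:]                     # skip the 8-byte ICMP header
    inner_ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    inner_src = str(ipaddress.IPv4Address(inner[12:16]))
    inner_dst = str(ipaddress.IPv4Address(inner[16:20]))
    sport, dport = (struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
                    if proto in (6, 17) else (0, 0))
    return outer_src, (inner_src, sport, inner_dst, dport, proto)

def direct_policy_lookup(pkt):
    """Policy whose source subnet contains the OUTER source address, or None (the naive check)."""
    parsed = parse_icmp_unreachable(pkt)
    if parsed is None:
        return None
    outer_src = ipaddress.IPv4Address(parsed[0])
    for policy_id, subnet in POLICY_SOURCE.items():
        if outer_src in ipaddress.ip_network(subnet):
            return policy_id
    return None

def session_policy_lookup(pkt):
    """Policy of the existing session found via the encapsulated inner header (what gets logged)."""
    parsed = parse_icmp_unreachable(pkt)
    return None if parsed is None else SESSION_TABLE.get(parsed[1])
```

Running both lookups on the same packet shows the outer source (a router address) matches no policy source, while the inner header maps to the session created by policy 2.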