Chapter 7 Firewall for FortiOS 5.0 : Network defense : Blocking external probes : Probes using IP traffic options : Configure ICMP error message verification
  
Configure ICMP error message verification
Enable ICMP error message verification to ensure an attacker can not send an invalid ICMP error message.
config system global
check-reset-range {disable | strict}
end
disable — the FortiGate unit does not validate ICMP error messages.
strict — enable ICMP error message checking.
If the FortiGate unit receives an ICMP error packet that contains an embedded IP(A,B) | TCP(C,D) header, then if FortiOS can locate the A:C->B:D session it checks to make sure that the sequence number in the TCP header is within the range recorded in the session. If the sequence number is not in range then the ICMP packet is dropped. Strict checking also affects how the anti-replay option checks packets.