https://live.paloaltonetworks.com/t5/general-topics/unable-to-allow-only-icmp-echo-request-firewall-passes-all-the/m-p/19977#M14555 <HTML><HEAD></HEAD><BODY><P>We ran into this same problem.&nbsp; When you put 'PING' in the Application and leave the Source to 'any' it allows any TCP/UDP traffic.&nbsp; We are going to change the policy and see if 'default-application' fixes it.&nbsp; However, I agree that this is an issue.&nbsp; It is mis-leading to have a policy that states a firewall only allows PING traffic as the application on 'any' service, and yet allows ALL traffic.</P></BODY></HTML> Mon, 10 Oct 2011 20:07:05 GMT UtilitySecurity 2011-10-10T20:07:05Z https://live.paloaltonetworks.com/t5/general-topics/unable-to-allow-only-icmp-echo-request-firewall-passes-all-the/m-p/19975#M14553 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I have 2 networks in 2 different security zones. I have been trying to set up the firewall (PA-500) to <SPAN style="color: #333333;">allow <SPAN style="text-decoration: underline;">only</SPAN> icmp echo request (ping), which is an icmp message number 8 and 0 between the two networks. When using predefined application called "ping" it allows other traffic and not just the icmp ping. I have also tried to create a custom application rule that would define icmp message number 8, but it does exact same thing as the predefined "ping". The rule would look like this:</SPAN></P><P><SPAN style="color: #333333;"> </SPAN></P><P><SPAN style="color: #333333;">Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Source Zone&nbsp;&nbsp;&nbsp;&nbsp; Destinatio Zone&nbsp;&nbsp;&nbsp;&nbsp; Source Addr&nbsp;&nbsp;&nbsp;&nbsp; Source User&nbsp;&nbsp;&nbsp;&nbsp; Dest Addr&nbsp;&nbsp;&nbsp;&nbsp; App&nbsp;&nbsp;&nbsp;&nbsp; Service Act&nbsp;&nbsp;&nbsp;&nbsp; Profile</SPAN></P><P><SPAN style="color: #333333;"> </SPAN></P><P><SPAN style="color: #333333;">ICMP Ping between&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Zone1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Zone2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; any&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; any&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; any&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ping&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; any&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; none</SPAN></P><P><SPAN style="color: #333333;">zones</SPAN></P><P><SPAN style="color: #333333;"> </SPAN></P><P><SPAN style="color: #333333;"> </SPAN></P><P><SPAN style="color: #333333;">When I run tcpdump or such utility on Zone2 host I see also TCP and UDP traffic. The firewall Monitor tells me that this is the rule that allows the other traffic. This could be a potential security issue?</SPAN></P><P><SPAN style="color: #333333;"> </SPAN></P><P><SPAN style="color: #333333;"> </SPAN></P><P><SPAN style="color: #333333;">Any suggestions would be greatly appreciated.</SPAN></P></BODY></HTML> Tue, 22 Mar 2011 20:17:45 GMT https://live.paloaltonetworks.com/t5/general-topics/unable-to-allow-only-icmp-echo-request-firewall-passes-all-the/m-p/19975#M14553 dkraus 2011-03-22T20:17:45Z https://live.paloaltonetworks.com/t5/general-topics/unable-to-allow-only-icmp-echo-request-firewall-passes-all-the/m-p/19976#M14554 <HTML><HEAD></HEAD><BODY><P>Maybe instead of specifying your Service as "any" try using "application-default" ?</P></BODY></HTML> Tue, 22 Mar 2011 23:29:24 GMT https://live.paloaltonetworks.com/t5/general-topics/unable-to-allow-only-icmp-echo-request-firewall-passes-all-the/m-p/19976#M14554 KGC 2011-03-22T23:29:24Z https://live.paloaltonetworks.com/t5/general-topics/unable-to-allow-only-icmp-echo-request-firewall-passes-all-the/m-p/19977#M14555 <HTML><HEAD></HEAD><BODY><P>We ran into this same problem.&nbsp; When you put 'PING' in the Application and leave the Source to 'any' it allows any TCP/UDP traffic.&nbsp; We are going to change the policy and see if 'default-application' fixes it.&nbsp; However, I agree that this is an issue.&nbsp; It is mis-leading to have a policy that states a firewall only allows PING traffic as the application on 'any' service, and yet allows ALL traffic.</P></BODY></HTML> Mon, 10 Oct 2011 20:07:05 GMT https://live.paloaltonetworks.com/t5/general-topics/unable-to-allow-only-icmp-echo-request-firewall-passes-all-the/m-p/19977#M14555 UtilitySecurity 2011-10-10T20:07:05Z https://live.paloaltonetworks.com/t5/general-topics/unable-to-allow-only-icmp-echo-request-firewall-passes-all-the/m-p/19978#M14556 <HTML><HEAD></HEAD><BODY><P>@gmoorman:</P><P></P><P>if you can demonstrate that a security policy with action = allow, service = any and application = ping is allowing TCP or UDP traffic then I advise you to contact support.</P><P></P><P>-Benjamin</P></BODY></HTML> Mon, 10 Oct 2011 20:35:56 GMT https://live.paloaltonetworks.com/t5/general-topics/unable-to-allow-only-icmp-echo-request-firewall-passes-all-the/m-p/19978#M14556 bpappas 2011-10-10T20:35:56Z https://live.paloaltonetworks.com/t5/general-topics/unable-to-allow-only-icmp-echo-request-firewall-passes-all-the/m-p/19979#M14557 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I got exactly the same kind of issue :</P><P><A class="jive-link-external-small" href="https://live.paloaltonetworks.com/thread/3715?tstart=0">https://live.paloaltonetworks.com/thread/3715?tstart=0</A></P><P></P><P>This is weird...</P><P></P><P>Any idea ?</P><P></P><P>Regards,</P><P></P><P>Laurent</P></BODY></HTML> Fri, 11 Nov 2011 12:58:56 GMT https://live.paloaltonetworks.com/t5/general-topics/unable-to-allow-only-icmp-echo-request-firewall-passes-all-the/m-p/19979#M14557 ldormond 2011-11-11T12:58:56Z