topic Re: Send ICMP Unreachable panos7 in General Topics

Send ICMP Unreachable panos7

PanIst — Sat, 15 Aug 2015 21:43:33 GMT

Hello

What really is the purpose of using that checkbox in policy action with drop or reset ? What are benefits ? Thanks

Regards

Re: Send ICMP Unreachable panos7

pulukas — Sun, 16 Aug 2015 11:19:21 GMT

Using reset and icmp unreachable is primarily aimed at traffic you expect you normal end user community to generate. This gives a user a cleaner experience of the connection failure. Their application gets an immediate response and stops the communication attempt. And the application has an opportunity to give a failure message then to the user.

Drop on the other hand is a silent activity where we basically ignore the traffic and the attempting application has no idea why the failure occurs. This is the preferred response when the invalid traffic is expected from malicious sources, scanners, penetrators or other "bad actors". An affirmative quick response lets them know a firewall is in the path and also shortens the time of their recon activities.

Both options apply only when we are preventing a connection, so in either case there is no session created.

Re: Send ICMP Unreachable panos7

PanIst — Fri, 21 Aug 2015 06:52:40 GMT

Thanks for answer.I already know differences between drop and reset.I just wonder what extra gives icmp option ?

Re: Send ICMP Unreachable panos7

reaper — Tue, 15 Sep 2015 14:05:05 GMT

Hi PanIst

Please take a look at DotW: Send ICMP Unreachable PAN-OS 7.0 where I tried to demonstrate more clearly what the icmp option does.

regards

Tom

Re: Send ICMP Unreachable panos7

Farman — Wed, 13 Apr 2016 23:02:25 GMT

Hello Tom,

In the topic you have mentioned that the "Drop" action will silently discard all packets. My question is what will the user see at the backend. So for example if I have a policy to block a url using a custom url category and the action is set to "Deny"

Will the user still see the reset page or it will keep loading ? When will it time out ? Can we change it ?

Also I wanted to make correction. Pre 7.0 the only action available was Deny and not Drop.

Re: Send ICMP Unreachable panos7

Brandon_Wertz — Thu, 14 Apr 2016 00:32:09 GMT

@Farman WTR URL policy you're going to want to "Allow" the traffic in security policy and control the L7 / Web action via URL Profile; with an allow / alert / deny / continue / overide options.

Setting the URL profile with a deny action for a custom category or a default one will present the user matching the overall security policy with the URL response page.

This response page can be of the default formatting from Palo or you can customize it to your company's own preference.