topic Re: test security-policy-match application ping -> Server error : argument protocol is required in General Topics

test security-policy-match application ping -> Server error : argument protocol is required

ash83 — Wed, 21 Mar 2018 17:20:06 GMT

Hi,

I am trying to test ping from zone A to zone B using 2 hosts IPs which belong to their respective zones.

What is the correct way to specifically test application ping?

fw1(active)> test security-policy-match application ping from from zone_1 to zone_2 source 192.168.1.1 destination 192.168.2.1
Server error : argument protocol is required

Ping does not use TCP or UDP. It uses ICMP. To be more precise ICMP type 8 (echo message) and type 0 (echo reply message) are used. ICMP does not have ports

Is it possible to test the above using the CLI prior to deploying a firewall to test ping between hosts?

Thanks.

Re: test security-policy-match application ping -> Server error : argument protocol is required

gwesson — Wed, 21 Mar 2018 17:35:29 GMT

You need to specify the protocol for ICMP, which is 1. That works well for me:

> test security-policy-match application ping from Trust to Internet source 192.168.1.1 destination 192.168.2.1 protocol 1

"Default Outbound; index: 5" {
        from Trust;
        source any;
        source-region none;
        to Internet;
        destination any;
        destination-region none;
        user any;
        category any;
        application/service  any/any/any/any;
        action allow;
        icmp-unreachable: no
        terminal yes;
}

The full list of protocols assigned by IANA is here, in case you want to test others (TCP is 6, UDP is 17 for example):

https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml