ICMPv6 Custom Apps

L3 Networker


PAN-OS has a gap in AppID for ICMPv6 apps. Working against RFC 4890, I created custom apps for the recommended ICMPv6 types/codes.

 

Sharing here for others' benefit.

 

set application icmpv6-echo-request category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Echo Request" timeout 6 default ident-by-icmp6-type type 128
set application icmpv6-echo-reply category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Echo Reply" timeout 6 default ident-by-icmp6-type type 129
set application icmpv6-dest-unreach category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Destination Unreachable" timeout 6 default ident-by-icmp6-type type 1
set application icmpv6-too-big category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Packet Too Big" timeout 6 default ident-by-icmp6-type type 2
set application icmpv6-time-exceed0 category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Time Exceeded" timeout 6 default ident-by-icmp6-type type 3 code 0
set application icmpv6-time-exceed1 category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Time Exceeded" timeout 6 default ident-by-icmp6-type type 3 code 1
set application icmpv6-parm-prob0 category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Parameter Problem Code 0" timeout 6 default ident-by-icmp6-type type 4 code 0
set application icmpv6-parm-prob1 category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Parameter Problem Code 1" timeout 6 default ident-by-icmp6-type type 4 code 1
set application icmpv6-parm-prob2 category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Parameter Problem Code 2" timeout 6 default ident-by-icmp6-type type 4 code 2
set application icmpv6-rs category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Router Solicitation" timeout 6 default ident-by-icmp6-type type 133
set application icmpv6-ra category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Router Advertisement" timeout 6 default ident-by-icmp6-type type 134
set application icmpv6-ns category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Neighbor Solicitation" timeout 6 default ident-by-icmp6-type type 135
set application icmpv6-na category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Neighbor Advertisement" timeout 6 default ident-by-icmp6-type type 136
set application icmpv6-nds category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Inverse Neighbor Discovery Solicitation" timeout 6 default ident-by-icmp6-type type 141
set application icmpv6-nda category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Inverse Neighbor Discovery Advertisement" timeout 6 default ident-by-icmp6-type type 142
set application icmpv6-list-query category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Listener Query" timeout 6 default ident-by-icmp6-type type 130
set application icmpv6-list-report category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Listener Report" timeout 6 default ident-by-icmp6-type type 131
set application icmpv6-list-done category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Listener Done" timeout 6 default ident-by-icmp6-type type 132
set application icmpv6-list-report-v2 category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Listener Report v2" timeout 6 default ident-by-icmp6-type type 143
set application icmpv6-cps category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 SEND Cert Path Solicitation" timeout 6 default ident-by-icmp6-type type 148
set application icmpv6-cpa category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 SEND Cert Path Advertisement" timeout 6 default ident-by-icmp6-type type 149
set application icmpv6-mra category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Multicast Router Advertisement" timeout 6 default ident-by-icmp6-type type 151
set application icmpv6-mrs category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Multicast Router Solicitation" timeout 6 default ident-by-icmp6-type type 152
set application icmpv6-mrt category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Multicast Router Termination" timeout 6 default ident-by-icmp6-type type 153
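
An added example, not part of the original post and not Palo Alto code: a small Python model that parses `set application` lines in the format above and reports which custom app a given ICMPv6 type/code would map to, so an allow-list can be checked for gaps before commit. The matching order (exact type and code first, then a type-only definition for any code, then the parent app) and the names `parse_apps`, `classify` and `permitted` are assumptions made for this illustration.

```python
import shlex

PARENT = "ipv6-icmp"  # parent-app named in the post's commands

# Sample input: four of the commands from the post above.
SAMPLE = '''
set application icmpv6-echo-request category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Echo Request" timeout 6 default ident-by-icmp6-type type 128
set application icmpv6-too-big category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Packet Too Big" timeout 6 default ident-by-icmp6-type type 2
set application icmpv6-time-exceed0 category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Time Exceeded" timeout 6 default ident-by-icmp6-type type 3 code 0
set application icmpv6-time-exceed1 category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Time Exceeded" timeout 6 default ident-by-icmp6-type type 3 code 1
'''

def parse_apps(text):
    """Return {(type, code_or_None): app_name} from 'set application' lines."""
    apps = {}
    for line in text.splitlines():
        tok = shlex.split(line)  # keeps the quoted description as one token
        if tok[:2] != ["set", "application"] or "ident-by-icmp6-type" not in tok:
            continue
        ident = tok[tok.index("ident-by-icmp6-type") + 1:]
        fields = dict(zip(ident[0::2], ident[1::2]))  # e.g. {"type": "3", "code": "0"}
        key = (int(fields["type"]),
               int(fields["code"]) if "code" in fields else None)
        if key in apps:  # two apps claiming the same type/code is a config error
            raise ValueError(f"{tok[2]} duplicates {apps[key]} for {key}")
        apps[key] = tok[2]
    return apps

def classify(apps, icmp_type, icmp_code):
    """Assumed order: (type, code) match, then type-only match, else parent app."""
    return (apps.get((icmp_type, icmp_code))
            or apps.get((icmp_type, None))
            or PARENT)

def permitted(apps, allow_list, icmp_type, icmp_code):
    """True if the app this type/code maps to is in the rule's allow-list."""
    return classify(apps, icmp_type, icmp_code) in allow_list
```

In this model a type 3 message with a code that has no custom app falls through to `ipv6-icmp`, so an allow-list that also names the parent app would still pass it.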
L0 Member

Re: ICMPv6 Custom Apps

Thank you for this! I was looking into something like this the other day. 

 

Can I ask what your specific use case is?

L3 Networker

Re: ICMPv6 Custom Apps

Essentially, the same as having the ping vs. icmp AppID. Limiting ICMPv6 to the types/codes that we want to allow.
