This document addresses the following questions regarding ICMP sessions on the Palo Alto Networks firewall:
How are ICMP (ping) sessions matched?
What do the port numbers mean for an ICMP session?
Why does the command show session all show ports for ICMP traffic? What are the ports used for?
Details
The image below shows an example output for show session all filter protocol 1 on a Palo Alto Networks firewall:
The source IP address, 192.168.33.202, is shown with source port 1024. The destination IP address, 4.2.2.2, is shown with destination port 53312. ICMP has no ports: the source port in this example is the ICMP Identifier, and the destination port is the ICMP Sequence Number. The output below shows a partial packet capture, taken with Wireshark, for the above sessions:
ECHO REQUEST:
ECHO REPLY:
The Palo Alto Networks firewall matches ICMP sessions based on the ICMP Identifier, and the ICMP Sequence Number is used to create the sessions.
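
The mapping described above, as an added example that is not Palo Alto Networks code: it parses an ICMP echo header and returns the Identifier and Sequence Number as the values the session table displays in its port columns. The packets are constructed here with the article's values (1024 and 53312); the function names and the "sport"/"dport" keys are assumptions made for illustration.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Build an ICMP message with a valid checksum (used only for sample input)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def session_ports(icmp: bytes) -> dict:
    """Map an echo request/reply to the port columns described in the article."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type not in (ECHO_REQUEST, ECHO_REPLY) or code != 0:
        raise ValueError("not an echo request/reply: no Identifier/Sequence fields")
    if inet_checksum(icmp) != 0:  # a valid message sums to zero with its checksum
        raise ValueError("bad ICMP checksum")
    kind = "request" if icmp_type == ECHO_REQUEST else "reply"
    # Identifier is displayed as the source port, Sequence Number as the
    # destination port. "sport"/"dport" are illustrative key names.
    return {"kind": kind, "sport": ident, "dport": seq}

# Constructed sample packets (ICMP layer only), using the article's values.
REQUEST = build_echo(ECHO_REQUEST, 1024, 53312, b"constructed-payload")
REPLY = build_echo(ECHO_REPLY, 1024, 53312, b"constructed-payload")

if __name__ == "__main__":
    for pkt in (REQUEST, REPLY):
        print(session_ports(pkt))
```

The echo reply carries the same Identifier and Sequence Number as the request it answers, so both packets yield the same pair of values.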