How to Interpret ICMP Session Output on Palo Alto Networks Firewall

Created On 09/26/18 13:53 PM - Last Modified 06/01/23 08:41 AM


Resolution


Overview

This document addresses the following questions regarding ICMP sessions on the Palo Alto Networks firewall:

  • How are ICMP (ping) sessions matched?
  • What do the port numbers mean for an ICMP session?
  • Why does the command show session all show ports for ICMP traffic, and what are the ports used for?

 

Details

The image below shows example output of the command show session all filter protocol 1 on a Palo Alto Networks firewall:

ICMP-1.JPG

 

The source IP address, 192.168.33.202, is shown with source port 1024. The destination IP address, 4.2.2.2, is shown with destination port 53312. ICMP has no ports: in this output the source port is the ICMP Identifier and the destination port is the ICMP Sequence Number. The images below show a partial packet capture, taken with Wireshark, for the session above:

 

ECHO REQUEST:

ICMP-2.JPG

 

ECHO REPLY:

ICMP-3.JPG

 

The Palo Alto Networks firewall matches ICMP sessions based on the ICMP Identifier, and the ICMP Sequence Number is used to create the sessions.
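
The mapping described above can be checked against a packet capture. The following is an added example, not part of the original article or Palo Alto Networks code: it parses ICMP echo messages and finds the packets whose Identifier and Sequence Number equal the source and destination port values of a session row. The function names and the sample packets are constructed for illustration; only the values 1024 and 53312 come from the session above.

```python
import struct
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build a constructed ICMP echo message (sample input only)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def session_ports(icmp: bytes) -> dict:
    """Map an echo message to the port columns: sport = Identifier, dport = Sequence Number."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or code != 0:
        raise ValueError("not an ICMP echo request/reply")
    if inet_checksum(icmp) != 0:  # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    return {"type": icmp_type, "sport": ident, "dport": seq}

def packets_for_session(packets, sport: int, dport: int):
    """Return the packets in a capture whose Identifier/Sequence match a session row."""
    hits = []
    for p in packets:
        try:
            f = session_ports(p)
        except ValueError:
            continue  # skip non-echo or damaged messages
        if (f["sport"], f["dport"]) == (sport, dport):
            hits.append(p)
    return hits

# Constructed capture: a request/reply pair with the session's values, plus the next ping.
REQUEST = build_echo(ICMP_ECHO_REQUEST, 1024, 53312, b"abcdefgh")
REPLY = build_echo(ICMP_ECHO_REPLY, 1024, 53312, b"abcdefgh")
OTHER = build_echo(ICMP_ECHO_REQUEST, 1024, 53313, b"abcdefgh")
CAPTURE = [REQUEST, REPLY, OTHER]

if __name__ == "__main__":
    print([session_ports(p) for p in packets_for_session(CAPTURE, 1024, 53312)])
```

The echo reply carries the same Identifier and Sequence Number as its request (RFC 792), so both packets match the one session row, while the next ping in the capture differs in Sequence Number and does not.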

 

owner: sgantait


