This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

ICMP

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

ICMP

Go to solution
snormoyle
Not applicable

‎01-09-2012 03:17 AM

When creating an application ID for the ICMP can you specifiy the codes, right now it just seems to cover only the types.

Reason being is that due to security restrictions only certain types of ICMP traffic is allowed to cross one type of ICMP that needs to be allowed it type 3 code 4 which is for the packet fragmentation.

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
skrall
L4 Transporter

‎01-17-2012 11:33 AM

The answer is no. Currently we have an application called PING and an application called ICMP. This is the only granularity at this time. You may be able to create a Custom App that uses the type field to get more specific.

Steve Krall

View solution in original post

0 Likes Likes
3 REPLIES 3

Go to solution
rmonvon
L6 Presenter

‎01-09-2012 09:54 AM

May I suggest you take a look at the Zone Protection feature.  The feature can be enable to detect & block ICMP fragmentation.

Thanks.

0 Likes Likes

Go to solution
snormoyle
Not applicable
In response to rmonvon

‎01-10-2012 04:11 AM

Thanks for the response, but I guess did not make myself clear enough on what I am trying to accomplish.

With our current firewall we have rules to allow only certain type of ICMP traffic, while the rest will get denied.

internal network --> outside   ***allow the following ICMP types

icmp echo

icmp echo-reply

icmp time-exceeded

icmp source-quench

icmp destination unreachable/fragmentation required, DF flag set (type 3 code 4)

I know I can create an application ID for the different ICMP types, but when you are creating an application type of ICMP it only allows you specify the type, but not the code.  If I am creating an application ID for ICMP for type 3 it would allow all type 3 traffic, but what I want is to only allow type 3 code 4 ICMP packets. All the other ICMP type 3 packets are to be dropped.

0 Likes Likes

Go to solution
skrall
L4 Transporter

‎01-17-2012 11:33 AM

The answer is no. Currently we have an application called PING and an application called ICMP. This is the only granularity at this time. You may be able to create a Custom App that uses the type field to get more specific.

Steve Krall

0 Likes Likes
  • 1 accepted solution
  • 3543 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks