06-23-2018 01:48 PM
PAN-OS has a gap in AppID for ICMPv6 apps. Working against RFC4890, I created custom apps for the recommended ICMPv6 types/codes.
Sharing here for others' benefit.
set application icmpv6-echo-request category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Echo Request" timeout 6 default ident-by-icmp6-type type 128
set application icmpv6-echo-reply category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Echo Reply" timeout 6 default ident-by-icmp6-type type 129
set application icmpv6-dest-unreach category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Destination Unreachable" timeout 6 default ident-by-icmp6-type type 1
set application icmpv6-too-big category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Packet Too Big" timeout 6 default ident-by-icmp6-type type 2
set application icmpv6-time-exceed0 category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Time Exceeded" timeout 6 default ident-by-icmp6-type type 3 code 0
set application icmpv6-time-exceed1 category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Time Exceeded" timeout 6 default ident-by-icmp6-type type 3 code 1
set application icmpv6-parm-prob0 category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Parameter Problem Code 0" timeout 6 default ident-by-icmp6-type type 4 code 0
set application icmpv6-parm-prob1 category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Parameter Problem Code 1" timeout 6 default ident-by-icmp6-type type 4 code 1
set application icmpv6-parm-prob2 category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Parameter Problem Code 2" timeout 6 default ident-by-icmp6-type type 4 code 2
set application icmpv6-rs category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Router Solicitation" timeout 6 default ident-by-icmp6-type type 133
set application icmpv6-ra category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Router Advertisement" timeout 6 default ident-by-icmp6-type type 134
set application icmpv6-ns category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Neighbor Solicitation" timeout 6 default ident-by-icmp6-type type 135
set application icmpv6-na category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Neighbor Advertisement" timeout 6 default ident-by-icmp6-type type 136
set application icmpv6-nds category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Inverse Neighbor Discovery Solicitation" timeout 6 default ident-by-icmp6-type type 141
set application icmpv6-nda category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Inverse Neighbor Discovery Advertisement" timeout 6 default ident-by-icmp6-type type 142
set application icmpv6-list-query category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Listener Query" timeout 6 default ident-by-icmp6-type type 130
set application icmpv6-list-report category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Listener Report" timeout 6 default ident-by-icmp6-type type 131
set application icmpv6-list-done category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Listener Done" timeout 6 default ident-by-icmp6-type type 132
set application icmpv6-list-report-v2 category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Listener Report v2" timeout 6 default ident-by-icmp6-type type 143
set application icmpv6-cps category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 SEND Cert Path Solicitation" timeout 6 default ident-by-icmp6-type type 148
set application icmpv6-cpa category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 SEND Cert Path Advertisement" timeout 6 default ident-by-icmp6-type type 149
set application icmpv6-mra category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Multicast Router Advertisement" timeout 6 default ident-by-icmp6-type type 151
set application icmpv6-mrs category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Multicast Router Solicitation" timeout 6 default ident-by-icmp6-type type 152
set application icmpv6-mrt category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Multicast Router Termination" timeout 6 default ident-by-icmp6-type type 153
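An added example, not part of the original post and not PAN-OS code: a Python pre-commit check that parses `set application` lines of the form above into a type/code table, flags definitions whose matches overlap, and shows which custom app a given ICMPv6 header would hit. The function names are hypothetical, and it assumes a definition with only `type` matches every code of that type.

```python
import shlex

# Constructed sample: four definitions copied in the form used in the post.
SAMPLE = '''
set application icmpv6-echo-request category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Echo Request" timeout 6 default ident-by-icmp6-type type 128
set application icmpv6-too-big category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Packet Too Big" timeout 6 default ident-by-icmp6-type type 2
set application icmpv6-time-exceed0 category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Time Exceeded" timeout 6 default ident-by-icmp6-type type 3 code 0
set application icmpv6-time-exceed1 category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Time Exceeded" timeout 6 default ident-by-icmp6-type type 3 code 1
'''

def parse_apps(text):
    """Return {app_name: (icmp6_type, code_or_None)} from 'set application' lines."""
    apps = {}
    for line in text.splitlines():
        tok = shlex.split(line)  # keeps the quoted description as one token
        if tok[:2] != ["set", "application"] or "ident-by-icmp6-type" not in tok:
            continue
        match = tok[tok.index("ident-by-icmp6-type") + 1:]
        fields = dict(zip(match[0::2], match[1::2]))  # e.g. {"type": "3", "code": "1"}
        code = fields.get("code")
        apps[tok[2]] = (int(fields["type"]), None if code is None else int(code))
    return apps

def find_conflicts(apps):
    """Pairs of apps that could match the same packet (assumption: no code = any code)."""
    def overlap(a, b):
        return a[0] == b[0] and (a[1] is None or b[1] is None or a[1] == b[1])
    names = sorted(apps)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if overlap(apps[x], apps[y])]

def classify(apps, icmp6):
    """Map an ICMPv6 message (byte 0 = type, byte 1 = code) to a custom app, or None."""
    msg_type, msg_code = icmp6[0], icmp6[1]
    fallback = None
    for name, (app_type, app_code) in apps.items():
        if app_type == msg_type and app_code == msg_code:
            return name          # exact type+code definition wins
        if app_type == msg_type and app_code is None:
            fallback = name      # type-only definition
    return fallback
```

A `None` from `classify` means no custom app covers that type/code, which is the traffic a policy built only from these apps would not permit.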
06-26-2018 01:43 PM
Essentially, the same as having the ping vs. icmp AppID. Limiting ICMPv6 to the types/codes that we want to allow.