ICMPv6 Custom Apps

DrJonBane · ‎06-23-2018

PAN-OS has a gap in AppID for ICMPv6 apps. Working against RFC4890, I created custom apps for the recommended ICMPv6 types/codes.

Sharing here for other's benefit.

set application icmpv6-echo-request category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Echo Request" timeout 6 default ident-by-icmp6-type type 128
set application icmpv6-echo-reply category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Echo Reply" timeout 6 default ident-by-icmp6-type type 129
set application icmpv6-dest-unreach category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Destination Unreachable" timeout 6 default ident-by-icmp6-type type 1
set application icmpv6-too-big category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Packet Too Big" timeout 6 default ident-by-icmp6-type type 2
set application icmpv6-time-exceed0 category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Time Exceeded" timeout 6 default ident-by-icmp6-type type 3 code 0
set application icmpv6-time-exceed1 category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Time Exceeded" timeout 6 default ident-by-icmp6-type type 3 code 1
set application icmpv6-parm-prob0 category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Parameter Problem Code 1" timeout 6 default ident-by-icmp6-type type 4 code 0
set application icmpv6-parm-prob1 category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Parameter Problem Code 1" timeout 6 default ident-by-icmp6-type type 4 code 1
set application icmpv6-parm-prob2 category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Parameter Problem Code 2" timeout 6 default ident-by-icmp6-type type 4 code 2
set application icmpv6-rs category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Router Solicitation" timeout 6 default ident-by-icmp6-type type 133
set application icmpv6-ra category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Router Advertisement" timeout 6 default ident-by-icmp6-type type 134
set application icmpv6-ns category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Neighbor Solicitation" timeout 6 default ident-by-icmp6-type type 135
set application icmpv6-na category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Neighbor Advertisement" timeout 6 default ident-by-icmp6-type type 136
set application icmpv6-nds category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Inverse Neighbor Discovery Solicitation" timeout 6 default ident-by-icmp6-type type 141
set application icmpv6-nda category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Inverse Neighbor Discovery Advertisement" timeout 6 default ident-by-icmp6-type type 142
set application icmpv6-list-query category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Listener Query" timeout 6 default ident-by-icmp6-type type 130
set application icmpv6-list-report category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Listener Report" timeout 6 default ident-by-icmp6-type type 131
set application icmpv6-list-done category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Listener Done" timeout 6 default ident-by-icmp6-type type 132
set application icmpv6-list-report-v2 category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Listener Report v2" timeout 6 default ident-by-icmp6-type type 143
set application icmpv6-cps category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 SEND Cert Path Solicitation" timeout 6 default ident-by-icmp6-type type 148
set application icmpv6-cpa category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 SEND Cert Path Advertisement" timeout 6 default ident-by-icmp6-type type 149
set application icmpv6-mra category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Multicast Router Advertisement" timeout 6 default ident-by-icmp6-type type 151
set application icmpv6-mrs category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Multicast Router Solicitation" timeout 6 default ident-by-icmp6-type type 152
set application icmpv6-mrt category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Multicast Router Termination" timeout 6 default ident-by-icmp6-type type 153

sziade1 · ‎06-26-2018

Thank you for this! I was looking into something like this the other day.

Can I ask what your specific use case is?

DrJonBane · ‎06-26-2018

Essentially, the same as having the ping vs, icmp AppID. Limiting ICMPv6 to the types/codes that we want to allow.

Unlock your full community experience!

ICMPv6 Custom Apps

ICMPv6 Custom Apps

Show your appreciation!