ping between servers is not working

L3 Networker

Hi,

I have created a rule to allow ping to and fro between servers; below is the scenario:

source zone: A, B, C

Source IP: 1 , 2 , 3

Destination zone: A, B, C

Destination IP: 1, 2, 3

Application: Ping

Service: application-default

Action: Allow

 

But the rule is not triggering; the traffic is denied by the default deny...

Can anybody tell me what the reason for this is, and how I can resolve it?

Thanks in advance

Kotresha
ACE


L3 Networker

Hi,

The reason is that the traffic is not hitting your policy; instead it hits your default deny rule.

 

L7 Applicator

As the policy is top-down, it will match the rules in order.

You have created the rule to allow ping, but the question is: where is this rule in the policy?

 

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

The rule is above the default deny, but it's still not working.

Kotresha
ACE

Community Team Member

Can you enable logging on your default deny rule (this is not enabled by default)?

Can you confirm the zones / IPs when you check the actual drop log?

 

Cheers,

-Kim.

LIVEcommunity team member, CISSP

Yes, we have enabled it and I can see it; the zones and IPs are correct, but it's still not working.

Kotresha
ACE

Are you seeing ICMP ping being dropped, or UDP?

The App-ID application 'ping' is for ICMP echo requests only. If your host is sending out UDP pings, they will not match.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
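To make the point above concrete, here is an added Python example; it is not code from the original post or from Palo Alto Networks. It models a top-down security policy with application-based matching and runs three constructed packets through it. The App-ID classification is a simplified assumption (ICMP echo request/reply is 'ping', any other ICMP type is 'icmp', a UDP probe is 'unknown-udp'), and the zone names, server addresses and rule names are hypothetical stand-ins for the "A, B, C" and "1, 2, 3" of the post. It shows why a rule whose application field lists only 'ping' still sends non-echo ICMP to the default deny, and why adding 'icmp' (the change the thread ends with) lets that traffic match the allow rule, while a UDP "ping" is denied under both policies.

```python
"""Model of a top-down security policy with App-ID style matching.

Constructed example. The classification in classify_app() is a simplified
assumption, not the vendor's signature set: ICMP echo request/reply -> 'ping',
other ICMP types -> 'icmp', UDP probes -> 'unknown-udp'.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str                       # "icmp" or "udp"
    icmp_type: Optional[int] = None  # only meaningful for proto == "icmp"
    dst_port: Optional[int] = None   # only meaningful for proto == "udp"


def classify_app(pkt: Packet) -> str:
    """Assumed App-ID behaviour: 'ping' covers only ICMP echo (types 8 and 0)."""
    if pkt.proto == "icmp":
        return "ping" if pkt.icmp_type in (0, 8) else "icmp"
    if pkt.proto == "udp":
        return "unknown-udp"
    return "unknown"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zones: frozenset
    dst_zones: frozenset
    src_ips: tuple        # of ip_network objects
    dst_ips: tuple
    apps: frozenset       # {"any"} matches every application
    action: str

    def matches(self, pkt: Packet, app: str) -> bool:
        zone_ok = (("any" in self.src_zones or pkt.src_zone in self.src_zones)
                   and ("any" in self.dst_zones or pkt.dst_zone in self.dst_zones))
        ip_ok = (any(ip_address(pkt.src_ip) in n for n in self.src_ips)
                 and any(ip_address(pkt.dst_ip) in n for n in self.dst_ips))
        app_ok = "any" in self.apps or app in self.apps
        return zone_ok and ip_ok and app_ok


def evaluate(policy, pkt):
    """Top-down evaluation: the first matching rule wins.

    Returns (rule name, action, classified application)."""
    app = classify_app(pkt)
    for rule in policy:
        if rule.matches(pkt, app):
            return rule.name, rule.action, app
    return "implicit-deny", "deny", app  # not reached with a trailing any/any deny


ANY_NET = (ip_network("0.0.0.0/0"),)
ZONES = frozenset({"A", "B", "C"})
# Hypothetical server addresses standing in for the "1, 2, 3" of the post.
SERVERS = tuple(ip_network(h) for h in ("10.0.1.10/32", "10.0.2.20/32", "10.0.3.30/32"))
DEFAULT_DENY = Rule("default deny", frozenset({"any"}), frozenset({"any"}),
                    ANY_NET, ANY_NET, frozenset({"any"}), "deny")


def build_policy(apps):
    """The allow rule as the post describes it, followed by the default deny."""
    allow = Rule("allow-ping", ZONES, ZONES, SERVERS, SERVERS, frozenset(apps), "allow")
    return [allow, DEFAULT_DENY]


# Constructed traffic: an echo request, a non-echo ICMP message (destination
# unreachable, type 3) and a UDP probe of the kind some "ping" tools send.
ECHO_REQUEST = Packet("A", "B", "10.0.1.10", "10.0.2.20", "icmp", icmp_type=8)
DEST_UNREACH = Packet("B", "A", "10.0.2.20", "10.0.1.10", "icmp", icmp_type=3)
UDP_PROBE = Packet("A", "C", "10.0.1.10", "10.0.3.30", "udp", dst_port=33434)
TRAFFIC = (ECHO_REQUEST, DEST_UNREACH, UDP_PROBE)


def run(policy, traffic=TRAFFIC):
    """Evaluate every packet against the policy; list of (rule, action, app)."""
    return [evaluate(policy, p) for p in traffic]


if __name__ == "__main__":
    for label, apps in (("ping only", ["ping"]), ("ping + icmp", ["ping", "icmp"])):
        print(f"application field = {label}")
        for pkt, (rule, action, app) in zip(TRAFFIC, run(build_policy(apps))):
            print(f"  {pkt.src_zone}->{pkt.dst_zone} {pkt.proto:4} "
                  f"app={app:12} rule={rule:13} {action}")
```

Running the script prints which rule each packet hits under both application fields. On a real firewall the equivalent check is to read the application column of the drop log entries that hit the default deny and compare it with what the allow rule's application field actually lists, rather than assuming "ICMP" and "ping" are the same thing.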

I can see the ICMP IP protocol in the logs.

Kotresha
ACE

L3 Networker

Hi,

Just for a test, add both the "ping" and "ICMP" apps in the policy's application field and try.

L3 Networker

Is the server located behind the firewall, and are you trying to ping from outside? (NAT and the security policy need to be checked.)

If that is not the case, it may also be that the new sessions are being matched with the old discard sessions.

Most likely, as my peers mentioned above, either the deny policy is above the allow policy or the zones and IPs need to be cross-checked once again.

 

Tarang

Yes, I can confirm that the rule is above the default deny and we are allowing ping to and fro between cloud servers and internal servers. There is no NAT applied on this.

However, I have added ICMP to the rule and am waiting for the test.

Kotresha
ACE

After adding icmp to the application field it started working fine.

Thanks for all your support, guys.

Kotresha
ACE

Glad it is working!

  • 1 accepted solution
  • 7301 Views
  • 12 replies
  • 0 Likes