I have the same problem with incomplete application.
!Public zone! <====> PAN Firewall <====> INSIDE Firewall <-----> Server IP.
I have NATed the server IP to a public IP and configured a rule like the one below.
Name: (Ping) ; Src zone: (public); Src: (any); Dst zone: (any) ; Dst: (any); Application: (icmp, ping) ; Action: (ALLOW);
I monitor traffic on the PAN firewall, and I saw the traffic: application is INCOMPLETE and action is ALLOW, corresponding to the above "Ping" rule, and on my INSIDE firewall I also saw traffic from the same public IP address to my server.
I really don't know why this traffic passes into my INSIDE firewall.
Please help me deny all incomplete traffic.
Thanks so much.
Did you permit ping on "any" service/port? You should never use "any" for service/port on incoming rules. You should only use "application-default" or a specified port.
It looks like a routing issue to me. Let me know if I understand it correctly.
Destination-zone= Public zone
Destination IP address: Public IP address
NAT destination translation= Private address of the Server
Destination-zone= Inside Zone ( LAN)
a) Default gateway on PAN FW pointing towards Public zone ISP router.
b) Server's Private IP address >>>pointing towards next hop to INSIDE FW
I think any session based firewall will match the ICMP session based on ICMP Identifier, and the ICMP Sequence, to create the sessions. Hence, ideally there will be no default port for ICMP protocol, ultimately it will be "ANY".
Thanks Hulk. I wonder how I can block all of the incomplete application traffic.
I don't know where to configure application-default; please share your idea in this case.
Thanks so much.
For me it looks like a routing issue, or something preventing the return of the ping echo.
If you want to deny incomplete flows, in your case you need to let the first ICMP packet pass and wait for a response that crosses the firewall again for it to be defined as the ping application; however, if the response is not seen, then the flow will be categorized as incomplete.
In fact you cannot block the incomplete flow in your case unless you deny the ping application or resolve your routing issue.
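To make the behaviour described in this reply concrete, here is an added example (not code from the thread, and not PAN-OS code or its real log schema): a toy session table that allows the first echo request under a "Ping"-style rule, keeps the session labelled "incomplete" until the echo reply crosses the firewall, and then re-labels it "ping"; followed by a check over constructed, simplified traffic-log lines that lists sessions from the public zone which were allowed while still "incomplete", which is exactly the symptom the original poster reported. The packet tuples, the comma-separated log format, the IP addresses and the helper names are all assumptions made for illustration.

```python
"""Toy model of 'incomplete' vs 'ping' session classification, plus a log check.

Added example for illustration; the session logic, log format and names are
assumptions, not the firewall vendor's implementation or log schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# As noted in the thread, a session-based firewall matches ICMP echo on the
# ICMP identifier rather than a port, so the session key is (src, dst, ident).
Key = Tuple[str, str, int]


@dataclass
class Session:
    src: str
    dst: str
    ident: int
    app: str = "incomplete"   # first packet is allowed before the app is known
    action: str = "allow"
    reply_seen: bool = False


@dataclass
class ToyFirewall:
    """Allows the first echo request and only relabels the session 'ping'
    once the matching echo reply is seen crossing back through the firewall."""
    sessions: Dict[Key, Session] = field(default_factory=dict)

    def echo_request(self, src: str, dst: str, ident: int) -> Session:
        key = (src, dst, ident)
        self.sessions[key] = Session(src, dst, ident)
        return self.sessions[key]

    def echo_reply(self, src: str, dst: str, ident: int) -> Optional[Session]:
        # The reply flows dst -> src, so look it up by the original tuple.
        sess = self.sessions.get((dst, src, ident))
        if sess is None:
            return None          # no session: reply never matched a request
        sess.reply_seen = True
        sess.app = "ping"        # app identified once both directions are seen
        return sess

    def final_apps(self) -> Dict[Key, str]:
        """What each session would be logged as when it closes."""
        return {k: s.app for k, s in self.sessions.items()}


# Constructed sample log lines (assumed simplified format):
# src_ip,dst_ip,src_zone,rule,app,action
SAMPLE_LOG = """\
198.51.100.7,203.0.113.10,public,Ping,incomplete,allow
198.51.100.7,203.0.113.10,public,Ping,ping,allow
192.0.2.44,203.0.113.10,public,Ping,incomplete,allow
10.1.1.5,10.2.2.9,inside,LAN-Out,ping,allow
"""


def incomplete_allowed_from_zone(log_text: str, zone: str = "public") -> List[Tuple[str, str, str]]:
    """Return (src, dst, rule) for sessions from `zone` that were allowed
    while the application was still 'incomplete' (request seen, no reply)."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, src_zone, rule, app, action = line.split(",")
        if src_zone == zone and app == "incomplete" and action == "allow":
            hits.append((src, dst, rule))
    return hits


if __name__ == "__main__":
    fw = ToyFirewall()
    # Request whose reply comes back through the firewall -> 'ping'
    fw.echo_request("198.51.100.7", "10.0.0.5", 1)
    fw.echo_reply("10.0.0.5", "198.51.100.7", 1)
    # Request whose reply never returns (e.g. asymmetric routing) -> 'incomplete'
    fw.echo_request("192.0.2.44", "10.0.0.5", 7)
    print(fw.final_apps())
    print(incomplete_allowed_from_zone(SAMPLE_LOG))
```

The log check is the defender's view of the same mechanism: a steady stream of allowed "incomplete" sessions from the public zone on an ICMP rule points at replies not returning through the firewall (the routing problem the replies suggest), rather than at something a rule change alone can remove.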