Send ICMP Unreachable panos7


L3 Networker

Hello

What really is the purpose of using that checkbox in the policy action with drop or reset? What are the benefits? Thanks

Regards

5 REPLIES

L7 Applicator

Using reset and icmp unreachable is primarily aimed at traffic you expect your normal end user community to generate. This gives a user a cleaner experience of the connection failure. Their application gets an immediate response and stops the communication attempt. And the application has an opportunity to give a failure message then to the user.

Drop on the other hand is a silent activity where we basically ignore the traffic and the attempting application has no idea why the failure occurs.  This is the preferred response when the invalid traffic is expected from malicious sources, scanners, penetrators or other "bad actors".  An affirmative quick response lets them know a firewall is in the path and also shortens the time of their recon activities.

Both options apply only when we are preventing a connection, so in either case there is no session created.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
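The three outcomes described above differ in what actually arrives at the client: a TCP segment with the RST flag set, an ICMP Destination Unreachable message (type 3, with a code such as "communication administratively prohibited"), or nothing at all until the client's own timer expires. The following parser is an added example for this thread, not code from Palo Alto Networks or from any poster; it decodes constructed IPv4/TCP/ICMP packets (checksums left at zero, addresses made up) and classifies which kind of block response a client received. It also generalizes slightly beyond the thread by decoding all of the common ICMP type 3 codes, not only the one a firewall typically sends.

```python
import struct

IP_PROTO_ICMP = 1
IP_PROTO_TCP = 6
TCP_FLAG_RST = 0x04
ICMP_DEST_UNREACHABLE = 3

# RFC 792 / RFC 1812 codes for ICMP type 3 (constructed lookup, not exhaustive).
ICMP_UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    9: "net administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}


def ipv4_header(proto, src="10.0.0.1", dst="10.0.0.2", total_len=40):
    """Build a minimal 20-byte IPv4 header (constructed sample, checksum zeroed)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # version 4, IHL 5 -> 0x45; TOS 0; id/flags/frag 0; TTL 64; checksum 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src_b, dst_b)


def tcp_rst_packet(sport=443, dport=51515):
    """Constructed IPv4 packet carrying a bare TCP RST (what a 'reset' action produces)."""
    # data offset 5 (20-byte header) in the high nibble, then the flags byte
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, TCP_FLAG_RST, 0, 0, 0)
    return ipv4_header(IP_PROTO_TCP) + tcp


def icmp_unreachable_packet(code=13):
    """Constructed IPv4 packet carrying ICMP type 3 with the given code.

    Per RFC 792 the ICMP body quotes the offending datagram's IP header plus
    its first 8 bytes, so a receiver can match it to the connection attempt.
    """
    quoted = ipv4_header(IP_PROTO_TCP, src="10.0.0.2", dst="10.0.0.1") + b"\x00" * 8
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACHABLE, code, 0, 0) + quoted
    return ipv4_header(IP_PROTO_ICMP, total_len=20 + len(icmp)) + icmp


def classify_response(pkt):
    """Classify what the client saw in reply to a blocked connection attempt.

    pkt is the raw IPv4 packet returned to the client, or None when nothing
    came back before the client gave up (the 'drop' action).
    """
    if pkt is None:
        return "silent-drop"
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]
    payload = pkt[ihl:]
    if proto == IP_PROTO_TCP and len(payload) >= 14:
        if payload[13] & TCP_FLAG_RST:  # flags byte sits at offset 13 of the TCP header
            return "tcp-reset"
    elif proto == IP_PROTO_ICMP and len(payload) >= 8:
        icmp_type, code = payload[0], payload[1]
        if icmp_type == ICMP_DEST_UNREACHABLE:
            return "icmp-unreachable:" + ICMP_UNREACHABLE_CODES.get(code, f"code {code}")
    return "other"


def client_experience(classification):
    """Map the on-wire response to what the user's application can do with it."""
    if classification == "silent-drop":
        return "connect() blocks until the client's own retransmit/timeout budget expires"
    if classification.startswith("icmp-unreachable:"):
        return "immediate failure; the ICMP code tells the application why"
    if classification == "tcp-reset":
        return "immediate 'connection refused'; no reason is conveyed"
    return "unrecognised reply; treat as no information"


if __name__ == "__main__":
    for sample in (tcp_rst_packet(), icmp_unreachable_packet(13), None):
        verdict = classify_response(sample)
        print(f"{verdict:55s} -> {client_experience(verdict)}")
```

The useful takeaway when reading packet captures is that "reset" and "send ICMP unreachable" are both visible on the wire and therefore both disclose the presence of an enforcement point, while "drop" leaves only an absence of packets.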

Thanks for the answer. I already know the differences between drop and reset. I just wonder what extra the icmp option gives?

Hi PanIst

Please take a look at DotW: Send ICMP Unreachable PAN-OS 7.0 where I tried to demonstrate more clearly what the icmp option does.

regards

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hello Tom,

In the topic you have mentioned that the "Drop" action will silently discard all packets. My question is what the user will see at the backend. So, for example, if I have a policy to block a URL using a custom URL category and the action is set to "Deny":

Will the user still see the reset page or will it keep loading? When will it time out? Can we change it?

Also I wanted to make a correction. Pre 7.0 the only action available was Deny and not Drop.

 

@Farman WTR URL policy you're going to want to "Allow" the traffic in security policy and control the L7 / Web action via URL Profile, with allow / alert / deny / continue / override options.

Setting the URL profile with a deny action for a custom category or a default one will present the user matching the overall security policy with the URL response page.

This response page can be of the default formatting from Palo or you can customize it to your company's own preference.
