Unable to allow only ICMP Echo Request; Firewall passes all the traffic

L1 Bithead

Hello,

I have 2 networks in 2 different security zones. I have been trying to set up the firewall (PA-500) to allow only icmp echo request (ping), which is an icmp message number 8 and 0 between the two networks. When using predefined application called "ping" it allows other traffic and not just the icmp ping. I have also tried to create a custom application rule that would define icmp message number 8, but it does exact same thing as the predefined "ping". The rule would look like this:

| Name | Source Zone | Destination Zone | Source Addr | Source User | Dest Addr | App | Service | Act | Profile |
|------|-------------|------------------|-------------|-------------|-----------|-----|---------|-----|---------|
| ICMP Ping between zones | Zone1 | Zone2 | any | any | any | ping | any | allow | none |

When I run tcpdump or a similar utility on a Zone2 host, I also see TCP and UDP traffic. The firewall Monitor tells me that this is the rule that allows the other traffic. This could be a potential security issue?

Any suggestions would be greatly appreciated.

L3 Networker

Maybe instead of specifying your Service as "any" try using "application-default" ?
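The original poster confirmed the leak by running tcpdump on a Zone2 host and looking for anything other than ICMP echo. The script below is an added example, not code from the thread or from Palo Alto Networks, that automates that check: it parses `tcpdump -n` text lines, counts packets by protocol, and lists every packet that is not an ICMP echo request or reply (the only traffic the "ICMP Ping between zones" rule is meant to pass). The capture text is constructed for the example; the host addresses are made up and the parser assumes IPv4 lines in tcpdump's default output format. Run it on a capture taken before and again after changing the rule's Service from "any" to "application-default" as suggested above, and the violations list should be empty afterwards.

```python
import re
from collections import Counter

# Constructed sample of what `tcpdump -n -i eth0` might print on the Zone2 host.
# Not real output from the thread; the addresses are made up for the example.
SAMPLE_TCPDUMP = """\
12:00:01.000123 IP 10.1.1.10 > 10.2.2.20: ICMP echo request, id 4242, seq 1, length 64
12:00:01.000456 IP 10.2.2.20 > 10.1.1.10: ICMP echo reply, id 4242, seq 1, length 64
12:00:02.100000 IP 10.1.1.10.51234 > 10.2.2.20.22: Flags [S], seq 1, win 64240, length 0
12:00:02.200000 IP 10.1.1.10.40000 > 10.2.2.20.53: UDP, length 32
12:00:03.000000 IP 10.1.1.10 > 10.2.2.20: ICMP 10.1.1.10 udp port 40000 unreachable, length 36
"""

# Default tcpdump IPv4 line: "<timestamp> IP <src> > <dst>: <protocol details>".
# For TCP/UDP, <src> and <dst> carry a trailing ".<port>"; for ICMP they do not.
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$")


def classify(line):
    """Classify one tcpdump line.

    Returns (kind, src, dst) where kind is one of 'icmp-echo' (type 8 or 0,
    what the ping rule is meant to allow), 'icmp-other', 'tcp', 'udp' or
    'other', or None if the line is not a packet line.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("ICMP echo request") or rest.startswith("ICMP echo reply"):
        kind = "icmp-echo"
    elif rest.startswith("ICMP"):
        kind = "icmp-other"  # e.g. port unreachable; not part of ping
    elif rest.startswith("Flags ["):
        kind = "tcp"  # tcpdump prints TCP flags first for TCP segments
    elif rest.startswith("UDP"):
        kind = "udp"
    else:
        kind = "other"
    return kind, m.group("src"), m.group("dst")


def audit(capture_text, allowed=frozenset({"icmp-echo"})):
    """Count packets per protocol and collect every packet outside `allowed`.

    Returns (counts, violations); violations is a list of (kind, src, dst).
    A non-empty violations list means the ping-only rule passed other traffic.
    """
    counts = Counter()
    violations = []
    for line in capture_text.splitlines():
        parsed = classify(line)
        if parsed is None:
            continue
        kind, src, dst = parsed
        counts[kind] += 1
        if kind not in allowed:
            violations.append((kind, src, dst))
    return counts, violations


if __name__ == "__main__":
    # Re-run against a fresh capture after changing the rule's Service from
    # "any" to "application-default" to confirm the violations list is empty.
    counts, violations = audit(SAMPLE_TCPDUMP)
    print("packets by kind:", dict(counts))
    for kind, src, dst in violations:
        print(f"VIOLATION: {kind} {src} -> {dst} passed a ping-only rule")
```

Feed it a real capture with `audit(open("zone2.txt").read())`; restricting tcpdump to the peer network (for example `tcpdump -n net 10.1.1.0/24`) keeps unrelated local traffic out of the counts.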

L0 Member

We ran into this same problem. When you put 'PING' in the Application and leave the Source to 'any' it allows any TCP/UDP traffic. We are going to change the policy and see if 'default-application' fixes it. However, I agree that this is an issue. It is misleading to have a policy that states a firewall only allows PING traffic as the application on 'any' service, and yet allows ALL traffic.

L6 Presenter

@gmoorman:

If you can demonstrate that a security policy with action = allow, service = any and application = ping is allowing TCP or UDP traffic, then I advise you to contact support.

-Benjamin

L3 Networker

Hi,

I got exactly the same kind of issue:

https://live.paloaltonetworks.com/thread/3715?tstart=0

This is weird...

Any idea?

Regards,

Laurent
