I have 2 networks in 2 different security zones. I have been trying to set up the firewall (PA-500) to allow only ICMP echo request (ping), which is ICMP message number 8 and 0, between the two networks. When using the predefined application called "ping", it allows other traffic and not just the ICMP ping. I have also tried to create a custom application rule that would define ICMP message number 8, but it does exactly the same thing as the predefined "ping". The rule looks like this:
Name               Source Zone  Destination Zone  Source Addr  Source User  Dest Addr  App   Service  Act  Profile
ICMP Ping between  Zone1        Zone2             any          any          any        ping  any           none
When I run tcpdump or a similar utility on a Zone2 host, I also see TCP and UDP traffic. The firewall Monitor tells me that this is the rule that allows the other traffic. Could this be a potential security issue?
Any suggestions would be greatly appreciated.
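One way to check what a rule is really letting through, before raising a support case as suggested later in this thread, is to go through the firewall's traffic log and list every allowed session that hit the ping-only rule but is not ICMP. The script below is an added example written for this thread, not code from the original post or from Palo Alto Networks. It uses a constructed, simplified CSV layout (rule, zones, addresses, protocol, port, application, action) rather than the real PAN-OS traffic-log export format, so the column names would need to be mapped to whatever your export actually contains; the rule name "ICMP Ping between" is taken from the post above.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample traffic-log excerpt. The column layout is simplified and
# is NOT the real PAN-OS CSV export; map the names to your own export's headers.
SAMPLE_LOG = """rule,src_zone,dst_zone,src_ip,dst_ip,proto,dst_port,app,action
ICMP Ping between,Zone1,Zone2,10.1.1.10,10.2.2.20,icmp,0,ping,allow
ICMP Ping between,Zone1,Zone2,10.1.1.10,10.2.2.20,tcp,22,ssh,allow
ICMP Ping between,Zone1,Zone2,10.1.1.11,10.2.2.20,udp,53,dns,allow
ICMP Ping between,Zone1,Zone2,10.1.1.12,10.2.2.21,icmp,0,ping,allow
Deny all,Zone1,Zone2,10.1.1.13,10.2.2.22,tcp,443,ssl,deny
"""

# Rule name from the post; the rule is meant to permit ICMP echo only.
PING_RULE = "ICMP Ping between"


def parse_log(text):
    """Parse the CSV log text into a list of row dicts keyed by header name."""
    return list(csv.DictReader(StringIO(text)))


def find_unexpected_sessions(rows, rule_name=PING_RULE):
    """Return allowed sessions matched by the ping-only rule whose protocol is not ICMP.

    Any row returned here is evidence that the rule permits more than ping.
    """
    return [
        r for r in rows
        if r["rule"] == rule_name
        and r["action"] == "allow"
        and r["proto"].lower() != "icmp"
    ]


def summarize(rows, rule_name=PING_RULE):
    """Count allowed sessions per (protocol, application) for the rule."""
    counts = Counter(
        (r["proto"].lower(), r["app"])
        for r in rows
        if r["rule"] == rule_name and r["action"] == "allow"
    )
    return dict(counts)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("Allowed sessions per (proto, app) for rule %r:" % PING_RULE)
    for key, n in sorted(summarize(rows).items()):
        print("  %-6s %-6s %d" % (key[0], key[1], n))
    for r in find_unexpected_sessions(rows):
        print("NON-ICMP session allowed by ping rule: %s -> %s %s/%s app=%s"
              % (r["src_ip"], r["dst_ip"], r["proto"], r["dst_port"], r["app"]))
```

Run it against a real export by replacing SAMPLE_LOG with the file contents and adjusting the column names; the per-protocol summary is the concise evidence to attach to a support case, and the list of non-ICMP sessions is what you would expect to be empty if the rule behaves as its application setting suggests.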
We ran into this same problem. When you put 'PING' in the Application and leave the Service set to 'any', it allows any TCP/UDP traffic. We are going to change the policy and see if 'default-application' fixes it. However, I agree that this is an issue. It is misleading to have a policy that states a firewall only allows PING traffic as the application on 'any' service, and yet allows ALL traffic.
If you can demonstrate that a security policy with action = allow, service = any and application = ping is allowing TCP or UDP traffic, then I advise you to contact support.