Unable to allow only ICMP Echo Request; Firewall passes all the traffic


L1 Bithead

Hello,

I have 2 networks in 2 different security zones. I have been trying to set up the firewall (PA-500) to allow only ICMP echo request (ping), which is ICMP message type 8 and 0, between the two networks. When using the predefined application called "ping" it allows other traffic and not just the ICMP ping. I have also tried to create a custom application rule that would define ICMP message type 8, but it does exactly the same thing as the predefined "ping". The rule would look like this:

Name                      Source Zone  Destination Zone  Source Addr  Source User  Dest Addr  App   Service  Action  Profile
ICMP Ping between zones   Zone1        Zone2             any          any          any        ping  any      allow   none

When I run tcpdump or a similar utility on a Zone2 host I also see TCP and UDP traffic. The firewall Monitor tells me that this is the rule that allows the other traffic. Could this be a potential security issue?

Any suggestions would be greatly appreciated.


L3 Networker

Maybe instead of specifying your Service as "any" try using "application-default" ?
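One way to audit an exported rule set for this pattern, and to check flows the firewall attributed to a rule against what the rule should actually carry, as an added example that is not part of this thread or of PAN-OS itself (the `Rule` and `Flow` records and the sample data are constructed):

```python
"""Audit security rules for application-based allow rules that keep
service=any, and flag logged flows a rule should never have admitted.
Constructed example data; not the thread's own configuration."""

from dataclasses import dataclass

# Applications that live on ICMP and therefore have no TCP/UDP port at all.
ICMP_ONLY_APPS = {"ping", "icmp", "traceroute"}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    applications: frozenset   # e.g. {"ping"}; {"any"} means any application
    service: str              # "any", "application-default", or a named service
    action: str = "allow"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    protocol: str             # "icmp", "tcp" or "udp"


def audit_rule(rule):
    """Return findings for one rule (an empty list means nothing to report)."""
    if rule.action != "allow" or "any" in rule.applications:
        return []
    if rule.service == "any":
        return ["application-based allow rule uses service=any; "
                "set service=application-default"]
    return []


def rule_should_admit(rule, flow):
    """True only if the flow is one the rule is meant to allow."""
    if rule.action != "allow":
        return False
    if (rule.src_zone, rule.dst_zone) != (flow.src_zone, flow.dst_zone):
        return False
    if "any" in rule.applications:
        return True
    if rule.applications <= ICMP_ONLY_APPS:
        return flow.protocol == "icmp"   # a TCP/UDP flow can never be "ping"
    return flow.protocol in ("tcp", "udp")


def unexpected_flows(rule, flows):
    """Flows the firewall attributed to this rule that it should not carry."""
    return [f for f in flows if not rule_should_admit(rule, f)]
```

Run `audit_rule` over every rule in the export, then feed the Monitor's per-rule session records into `unexpected_flows` to turn "I see TCP on the ping rule" into a concrete list.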

L0 Member

We ran into this same problem. When you put 'PING' in the Application and leave the Service at 'any' it allows any TCP/UDP traffic. We are going to change the policy and see if 'application-default' fixes it. However, I agree that this is an issue. It is misleading to have a policy that states a firewall only allows PING traffic as the application on 'any' service, and yet allows ALL traffic.

@gmoorman:

if you can demonstrate that a security policy with action = allow, service = any and application = ping is allowing TCP or UDP traffic then I advise you to contact support.

-Benjamin

Hi,

I got exactly the same kind of issue:

https://live.paloaltonetworks.com/thread/3715?tstart=0

This is weird...

Any idea?

Regards,

Laurent
