ICMP
Internet Control Message Protocol (ICMP) (
RFC 792) is another one of the main protocols
of the Internet Protocol suite; it operates at the Network layer
of the OSI model. ICMP is used for diagnostic and control purposes,
to send error messages about IP operations, or messages about requested services
or the reachability of a host or router. Network utilities such
as traceroute and ping are implemented by using various ICMP messages.
ICMP is a connectionless protocol that does not open or maintain
actual sessions. However, the ICMP messages between two devices
can be considered a session.
Palo Alto Networks® firewalls support ICMPv4 and ICMPv6.
You can control ICMPv4 and ICMPv6 packets in several ways:
Configure
Flood Protection, specifying
the rate of ICMP or ICMPv6 connections per second (not matching
an existing session) that trigger an alarm, trigger the firewall
to randomly drop ICMP or ICMPv6 packets, and cause the firewall
to drop ICMP or ICMPv6 packets that exceed the maximum rate.
For ICMP, you can drop certain
types of packets or suppress the sending of certain packets.
For ICMPv6 packets (Types 1, 2, 3, 4, and 137), you can specify
that the firewall use the ICMP session key to match a security policy
rule, which determines whether the ICMPv6 packet is allowed or not.
(The firewall uses the security policy rule, overriding the default
behavior of using the embedded packet to determine a session match.)
When the firewall drops ICMPv6 packets that match a security policy
rule, the firewall logs the details in Traffic logs.