ICMP Types 3, 5, 11, and 12 and ICMPv6 Types 1, 2,
3, 4, and 137—The firewall by default looks up the embedded
IP packet bytes of information from the original datagram that caused
the error (the invoking packet). If the embedded packet matches
an existing session, the firewall forwards or drops the ICMP or
ICMPv6 packet according to the action specified in the security
policy rule that matches that same session. (You can use
Packet-Based Attack Protection to
override this default behavior for the ICMPv6 types.)