Security Policy Rules Based on ICMP and ICMPv6 Packets
Understand how a security policy rule handles ICMP error packets and informational
packets.
Where Can I Use This?
- NGFW (Managed by PAN-OS or Panorama)
What Do I Need?
- No additional requirements are listed.
The firewall forwards ICMP or ICMPv6 packets only if a security policy rule allows the session, as it does for other packet types. How the firewall determines a session match depends on whether the packet is an ICMP or ICMPv6 error or redirect packet, or an ICMP or ICMPv6 informational packet:
ICMP Types 3, 5, 11, and 12 and ICMPv6 Types 1, 2, 3, 4, and 137—By default, the firewall inspects the IP header and leading payload bytes of the original datagram that is embedded in the error packet (the invoking packet). If the embedded packet matches an existing session, the firewall forwards or drops the ICMP or ICMPv6 packet according to the action in the security policy rule that matched that session. (You can use Packet-Based Attack Protection to override this default behavior for the ICMPv6 types.)
Remaining ICMP or ICMPv6 Packet Types—The firewall treats the ICMP or ICMPv6 packet as if it belongs to a new session. If a security policy rule matches the packet (which the firewall recognizes as an icmp or ipv6-icmp session), the firewall forwards or drops the packet based on the security policy rule action. Security policy counters and traffic logs reflect the actions.
If no security policy rule matches the packet, the firewall applies its default security policy rules, which allow intrazone traffic and block interzone traffic (logging is disabled by default for these rules).
Although you can override the default rules to enable logging or change the default action, we don't recommend changing the default behavior for a specific case, because the change affects all traffic that those default rules govern. Instead, create security policy rules that explicitly control and log ICMP or ICMPv6 packets.
There are two ways to create explicit security policy rules to handle ICMP or ICMPv6 packets that are not error or redirect packets:
Create a security policy rule to allow (or deny) all ICMP or ICMPv6 packets—In the security policy rule, specify the application icmp or ipv6-icmp; the firewall then allows (or denies) all IP packets that match the ICMP protocol number (1) or ICMPv6 protocol number (58), respectively, through the firewall.
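The following Python is an added illustration, not PAN-OS code and not part of this page; it models the two lookups described above for IPv4 ICMP. For the error types (3, 5, 11, 12) it parses the invoking packet embedded after the 8-byte ICMP header and searches a session table keyed on the embedded packet's 5-tuple; for all other types it treats the packet as a new session and runs a first-match policy lookup against rules whose application is icmp (matched here by IP protocol number 1), falling back to the default intrazone-allow / interzone-deny rules. The zone prefixes, rule names, session table and packet bytes are constructed assumptions, and the "embedded-no-session" outcome is a label for a case the page does not describe.

```python
"""Model of session and policy matching for ICMP packets (constructed example)."""
import ipaddress
import struct

ICMP_ERROR_TYPES = {3, 5, 11, 12}   # unreachable, redirect, time exceeded, parameter problem
PROTO_ICMP = 1                       # IP protocol number the icmp application maps to

# Constructed zone assignment (assumption): address prefix -> zone name
ZONES = {ipaddress.ip_network("10.0.0.0/8"): "trust",
         ipaddress.ip_network("203.0.113.0/24"): "untrust"}

def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    for net, name in ZONES.items():
        if ip in net:
            return name
    return "unknown"

def parse_ipv4(pkt):
    """Split a raw IPv4 packet into (src, dst, protocol, payload)."""
    ihl = (pkt[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:]

def flow_key(src, dst, proto, payload):
    """Direction-independent 5-tuple; TCP/UDP ports sit in the first 4 payload bytes,
    so the 8 bytes of original datagram carried in an ICMP error are enough."""
    if proto in (6, 17) and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
    else:
        sport = dport = 0
    return (proto,) + tuple(sorted([(src, sport), (dst, dport)]))

def match_rule(rules, app, from_zone, to_zone):
    """First-match policy lookup, then the default intrazone-allow / interzone-deny rules."""
    for rule in rules:
        if (rule["app"] in (app, "any") and rule["from"] in (from_zone, "any")
                and rule["to"] in (to_zone, "any")):
            return rule["name"], rule["action"]
    if from_zone == to_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"

def handle_icmp(pkt, sessions, rules):
    """Decide one ICMP packet. sessions maps flow_key -> action of the rule that
    created the session. Returns (how it matched, session key or rule name, action)."""
    src, dst, proto, payload = parse_ipv4(pkt)
    if proto != PROTO_ICMP:
        raise ValueError("not an ICMP packet")
    icmp_type = payload[0]
    if icmp_type in ICMP_ERROR_TYPES:
        # Error/redirect: look up the invoking packet embedded after the ICMP header
        key = flow_key(*parse_ipv4(payload[8:]))
        if key in sessions:
            return ("embedded-session", key, sessions[key])
        return ("embedded-no-session", key, None)   # case not described by the page
    # Informational ICMP (echo request etc.): treated as a new icmp session
    name, action = match_rule(rules, "icmp", zone_of(src), zone_of(dst))
    return ("new-session", name, action)

def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) for constructed packets."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def demo():
    # Constructed session: TCP 10.1.1.5:40000 -> 203.0.113.7:443 already allowed by policy
    tcp_syn = build_ipv4("10.1.1.5", "203.0.113.7", 6, struct.pack("!HHII", 40000, 443, 1, 0))
    sessions = {flow_key(*parse_ipv4(tcp_syn)): "allow"}
    rules = [{"name": "deny-ping-in", "app": "icmp", "from": "untrust", "to": "trust",
              "action": "deny"}]
    # Destination Unreachable (type 3) from a router, carrying IP header + 8 bytes of tcp_syn
    unreachable = build_ipv4("203.0.113.1", "10.1.1.5", PROTO_ICMP,
                             struct.pack("!BBHI", 3, 1, 0, 0) + tcp_syn[:28])
    # Echo Request (type 8) from untrust into trust: new session, explicit rule applies
    echo_in = build_ipv4("203.0.113.9", "10.1.1.5", PROTO_ICMP,
                         struct.pack("!BBHHH", 8, 0, 0, 1, 1))
    # Echo Request inside trust: no explicit rule, so the default intrazone rule applies
    echo_intra = build_ipv4("10.1.1.5", "10.2.2.2", PROTO_ICMP,
                            struct.pack("!BBHHH", 8, 0, 0, 1, 2))
    return [handle_icmp(p, sessions, rules) for p in (unreachable, echo_in, echo_intra)]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The error packet is forwarded because its embedded TCP header matches the existing allowed session even though the ICMP packet itself arrives from a different source; the inbound echo request hits the explicit icmp rule; the intrazone echo request falls through to the default rule, which is why the page recommends explicit rules if you want such packets logged.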