Focus

Next-Generation Firewall

Security Policy Rules Based on ICMP and ICMPv6 Packets

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

ICMP

ICMPv6 Rate Limiting

Security Policy Rules Based on ICMP and ICMPv6 Packets

Understand how a security policy rule handles ICMP error packets and informational packets.

Where Can I Use This?	What Do I Need?
NGFW (Managed by PAN-OS or Panorama)

The firewall forwards ICMP or ICMPv6 packets only if a security policy rule allows the session (as the firewall does for other packet types). The firewall determines a session match in one of two ways, depending on whether the packet is an ICMP or ICMPv6 error packet or redirect packet as opposed to an ICMP or ICMPv6 informational packet:

ICMP Types 3, 5, 11, and 12 and ICMPv6 Types 1, 2, 3, 4, and 137—The firewall by default looks up the embedded IP packet bytes of information from the original datagram that caused the error (the invoking packet). If the embedded packet matches an existing session, the firewall forwards or drops the ICMP or ICMPv6 packet according to the action specified in the security policy rule that matches that same session. (You can use Packet-Based Attack Protection to override this default behavior for the ICMPv6 types.)
Remaining ICMP or ICMPv6 Packet Types—The firewall treats the ICMP or ICMPv6 packet as if it belongs to a new session. If a security policy rule matches the packet (which the firewall recognizes as an icmp or ipv6-icmp session), the firewall forwards or drops the packet based on the security policy rule action. Security policy counters and traffic logs reflect the actions.
If no security policy rule matches the packet, the firewall applies its default security policy rules, which allow intrazone traffic and block interzone traffic (logging is disabled by default for these rules).

Although you can override the default rules to enable logging or change the default action, we don’t recommend you change the default behavior for a specific case because it will impact all traffic that those default rules affect. Instead, create security policy rules to control and log ICMP or ICMPv6 packets explicitly.

There are two ways to create explicit security policy rules to handle ICMP or ICMPv6 packets that are not error or redirect packets:
- Create a security policy rule to allow (or deny) all ICMP or ICMPv6 packets—In the security policy rule, specify the application icmp or ipv6-icmp; the firewall allows (or denies) all IP packets matching the ICMP protocol number (1) or ICMPv6 protocol number (58), respectively, through the firewall.
- Create a custom application and a security policy rule to allow (or deny) packets from or to that application—This more granular approach allows you to Control Specific ICMP or ICMPv6 Types and Codes.

ICMP

ICMPv6 Rate Limiting

Next-Generation Firewall Docs

Security Policy Rules Based on ICMP and ICMPv6 Packets

Next-Generation Firewall Docs

Security Policy Rules Based on ICMP and ICMPv6 Packets

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner