Internet Control Message Protocol (ICMP) (RFC 792; ICMPv6 is defined in RFC 4443) is one of the main protocols of the Internet Protocol suite; it operates at the Network layer of the OSI model. ICMP is used for diagnostic and control purposes: to send error messages about IP operations, or messages about requested services or the reachability of a host or router. Network utilities such as traceroute and ping are implemented using various ICMP messages.
ICMP is a connectionless protocol that does not open or maintain actual sessions. However, the ICMP messages between two devices can be considered a session.
Palo Alto Networks firewalls support ICMPv4 and ICMPv6. You can control ICMPv4 and ICMPv6 packets in several ways:
- Create Security Policy Rules Based on ICMP and ICMPv6 Packets and select the icmp or ipv6-icmp application in the rule.
- Control ICMPv6 Rate Limiting when you Configure Session Settings.
- Use zone protection profiles to configure flood protection: specify the rate of ICMP or ICMPv6 connections per second (not matching an existing session) that triggers an alarm, the rate at which the firewall begins to randomly drop ICMP or ICMPv6 packets, and the maximum rate above which the firewall drops ICMP or ICMPv6 packets.
- Use zone protection profiles to configure packet-based attack protection:
  - For ICMP, you can drop certain types of packets or suppress the sending of certain packets.
  - For ICMPv6 packets (Types 1, 2, 3, 4, and 137), you can specify that the firewall use the ICMP session key to match a security policy rule, which then determines whether the ICMPv6 packet is allowed. (The firewall uses the security policy rule, overriding the default behavior of using the embedded packet to determine a session match.) When the firewall drops ICMPv6 packets that match a security policy rule, it logs the details in Traffic logs.
Security Policy Rules Based on ICMP and ICMPv6 Packets
The firewall forwards ICMP or ICMPv6 packets only if a security policy rule allows the session (as the firewall does for other packet types). The firewall determines a session match in one of two ways, depending on whether the packet is an ICMP or ICMPv6 error packet or redirect packet as opposed to an ICMP or ICMPv6 informational packet:
- ICMP Types 3, 5, 11, and 12 and ICMPv6 Types 1, 2, 3, 4, and 137 (error and redirect packets): By default the firewall looks up the embedded IP packet, that is, the leading bytes of the original datagram that caused the error (the invoking packet). If the embedded packet matches an existing session, the firewall forwards or drops the ICMP or ICMPv6 packet according to the action of the security policy rule that matches that same session. (You can use zone protection profiles with packet-based attack protection to override this default behavior for the ICMPv6 types.)
- Remaining ICMP or ICMPv6 packet types (informational packets): The firewall treats the packet as the start of a new session. If a security policy rule matches the packet (which the firewall recognizes as an icmp or ipv6-icmp session), the firewall forwards or drops the packet based on the rule action. Security policy counters and Traffic logs reflect the actions.
If no security policy rule matches the packet, the firewall applies its default security policy rules, which allow intrazone traffic and block interzone traffic (logging is disabled by default for these rules).
Although you can override the default rules to enable logging or change the default action, we don’t recommend changing the default rules to handle one specific case, because the change affects all traffic those default rules cover. Instead, create security policy rules that control and log ICMP or ICMPv6 packets explicitly.
There are two ways to create explicit security policy rules to handle ICMP or ICMPv6 packets that are not error or redirect packets:
- Create a security policy rule to allow (or deny) all ICMP or ICMPv6 packets: In the security policy rule, specify the application icmp or ipv6-icmp; the firewall then allows (or denies) all IP packets matching the ICMP protocol number (1) or the ICMPv6 protocol number (58), respectively.
- Create a custom application and a security policy rule to allow (or deny) packets from or to that application: This more granular approach lets you Control Specific ICMP or ICMPv6 Types and Codes.
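The following Python model is an added example, not Palo Alto Networks code, and it exercises the two session-matching paths described above plus the custom-application matching used later in Control Specific ICMP or ICMPv6 Types and Codes. For error and redirect types it parses the invoking packet quoted 8 bytes into the ICMP message and matches its flow key against an existing-session table; for every other type it treats the packet as a new session, classifies it as icmp / ipv6-icmp or as a custom application defined by Type and optional Code, and applies the policy, with interzone default deny as the fall-through. The `icmpv6_error_by_session_key` flag models the zone-protection override for ICMPv6 Types 1, 2, 3, 4 and 137. All function and class names, the packet builders, the addresses (documentation ranges) and the "no-session" outcome for an error whose invoking packet has no session (a case the page does not define) are assumptions of this example; checksums are not computed and IPv6 extension headers are not handled.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple

# Types that quote the invoking packet; the firewall matches the embedded packet for these.
ICMPV4_ERROR_TYPES = {3, 5, 11, 12}      # Dest Unreachable, Redirect, Time Exceeded, Parameter Problem
ICMPV6_ERROR_TYPES = {1, 2, 3, 4, 137}   # Dest Unreachable, Packet Too Big, Time Exceeded, Param Problem, Redirect

@dataclass
class IPPacket:
    version: int
    proto: int        # IPv4 Protocol / IPv6 Next Header (1 = ICMP, 58 = ICMPv6)
    src: str
    dst: str
    payload: bytes    # transport header and data

@dataclass
class CustomApp:      # custom application keyed by ICMP Type (version 4) or ICMPv6 Type (version 6)
    name: str
    version: int
    icmp_type: int
    icmp_code: Optional[int] = None   # None: any code

@dataclass
class Verdict:
    application: Optional[str]
    session_key: Tuple
    existing_session: bool
    action: str

def parse_ip(buf: bytes) -> IPPacket:
    """Minimal IPv4/IPv6 header parser (no checksum check, no IPv6 extension headers)."""
    version = buf[0] >> 4
    if version == 4:
        ihl = (buf[0] & 0x0F) * 4
        return IPPacket(4, buf[9], str(ipaddress.IPv4Address(buf[12:16])), str(ipaddress.IPv4Address(buf[16:20])), buf[ihl:])
    if version == 6:
        return IPPacket(6, buf[6], str(ipaddress.IPv6Address(buf[8:24])), str(ipaddress.IPv6Address(buf[24:40])), buf[40:])
    raise ValueError("not an IP packet")

def session_key(ip: IPPacket) -> Tuple:
    """Flow key in the packet's own direction; ICMP uses type and echo identifier in place of ports."""
    if ip.proto in (6, 17):                                   # TCP / UDP: ports are the first 4 bytes
        sport, dport = struct.unpack("!HH", ip.payload[:4])
    elif ip.proto in (1, 58):                                 # ICMP / ICMPv6
        sport = ip.payload[0]
        dport = struct.unpack("!H", ip.payload[4:6])[0] if len(ip.payload) >= 6 else 0
    else:
        sport = dport = 0
    return (ip.version, ip.proto, ip.src, sport, ip.dst, dport)

def classify(ip: IPPacket, icmp_type: int, icmp_code: int, custom_apps: Sequence[CustomApp]) -> str:
    """Custom application by Type/Code if one is defined, else the built-in icmp (proto 1) or ipv6-icmp (proto 58)."""
    for app in custom_apps:
        if app.version == ip.version and app.icmp_type == icmp_type and app.icmp_code in (None, icmp_code):
            return app.name
    return "icmp" if ip.version == 4 else "ipv6-icmp"

def evaluate_icmp(pkt: bytes, sessions: Dict[Tuple, Tuple[str, str]], policy: Dict[str, str],
                  custom_apps: Sequence[CustomApp] = (), default_action: str = "deny",
                  icmpv6_error_by_session_key: bool = False) -> Verdict:
    ip = parse_ip(pkt)
    if ip.proto not in (1, 58):
        raise ValueError("not an ICMP/ICMPv6 packet")
    icmp_type, icmp_code = ip.payload[0], ip.payload[1]
    is_error = icmp_type in (ICMPV4_ERROR_TYPES if ip.version == 4 else ICMPV6_ERROR_TYPES)
    if is_error and not (ip.version == 6 and icmpv6_error_by_session_key):
        # Default path: the invoking packet starts 8 bytes into the ICMP message; match it to an existing session.
        key = session_key(parse_ip(ip.payload[8:]))
        if key in sessions:
            app, action = sessions[key]
            return Verdict(app, key, True, action)
        return Verdict(None, key, False, "no-session")        # undefined by the page; reported, not decided
    # Informational types (or ICMPv6 errors under the zone-protection override): evaluate as a new session.
    key = session_key(ip)
    app = classify(ip, icmp_type, icmp_code, custom_apps)
    return Verdict(app, key, False, policy.get(app, default_action))

# --- constructed packets for the demonstration (no checksums) ---
def build_ip(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version == 4:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, s.packed, d.packed) + payload
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), proto, 64, s.packed, d.packed) + payload

def build_udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def build_icmp(icmp_type: int, code: int, rest: int = 0, payload: bytes = b"") -> bytes:
    return struct.pack("!BBHI", icmp_type, code, 0, rest) + payload   # 4-byte "rest of header", then payload

def demo() -> Dict[str, Verdict]:
    query = build_ip("10.0.0.5", "203.0.113.10", 17, build_udp(40000, 53, b"\x12\x34"))
    sessions = {session_key(parse_ip(query)): ("dns", "allow")}      # session created by the client's DNS query
    policy = {"icmp": "allow", "ping6": "allow"}                      # explicit rules; anything else falls to default
    apps = [CustomApp("ping6", 6, 128, 0)]                            # ICMPv6 Echo Request, Type 128 Code 0
    echo_id = (0x1234 << 16) | 1                                      # identifier 0x1234, sequence 1
    unreachable = build_ip("203.0.113.10", "10.0.0.5", 1, build_icmp(3, 3, 0, query[:28]))  # quotes IP + UDP headers
    orphan = build_ip("2001:db8::5", "2001:db8::99", 17, build_udp(40001, 53))              # no session for this flow
    unreachable6 = build_ip("2001:db8::10", "2001:db8::5", 58, build_icmp(1, 0, 0, orphan))
    return {
        "v4_error_matches_session": evaluate_icmp(unreachable, sessions, policy, apps),
        "v4_echo_new_session": evaluate_icmp(build_ip("10.0.0.5", "203.0.113.10", 1, build_icmp(8, 0, echo_id)), sessions, policy, apps),
        "v6_echo_custom_app": evaluate_icmp(build_ip("2001:db8::5", "2001:db8::10", 58, build_icmp(128, 0, echo_id)), sessions, policy, apps),
        "v6_error_no_session": evaluate_icmp(unreachable6, sessions, policy, apps),
        "v6_error_session_key_override": evaluate_icmp(unreachable6, sessions, policy, apps, icmpv6_error_by_session_key=True),
    }
```

Running `demo()` shows the Destination Unreachable for the DNS query inheriting the dns session's allow, the ICMPv4 echo and the ICMPv6 echo each starting a new session as icmp and ping6 respectively, the ICMPv6 error whose invoking packet has no session producing no match, and the same packet under the override being classified as ipv6-icmp and hitting the interzone default deny because no explicit rule covers it.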
ICMPv6 Rate Limiting
ICMPv6 rate limiting is a throttling mechanism to prevent flooding and DDoS attempts. The implementation employs an error packet rate and a token bucket, which work together to enable throttling and ensure that ICMPv6 packets don’t flood the network segments protected by the firewall.
First, the global ICMPv6 Error Packet Rate (per sec) setting controls the rate at which ICMPv6 error packets are allowed through the firewall; the default is 100 packets per second and the range is 10 to 65535 packets per second. When the firewall reaches the ICMPv6 error packet rate, the token bucket comes into play and throttling occurs, as follows.
A logical token bucket controls the rate at which ICMPv6 messages can be transmitted. The number of tokens in the bucket is configurable, and each token represents one ICMPv6 message that can be sent. The token count is decremented each time an ICMPv6 message is sent; when the bucket reaches zero tokens, no more ICMPv6 messages can be sent until another token is added to the bucket. The default size of the token bucket is 100 tokens (packets); the range is 10 to 65535 tokens.
To change the default token bucket size or error packet rate, see the section Configure Session Settings.
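To make the throttling behaviour concrete, here is an added token-bucket simulation; it is example code, not the firewall's implementation. The page does not spell out exactly how the error packet rate and the bucket interact, so this model assumes the usual token-bucket arrangement: the bucket starts full at the configured size, refills at the ICMPv6 Error Packet Rate, and each forwarded ICMPv6 error message consumes one token; an empty bucket drops messages until refill adds one. The class and function names (`Icmpv6ErrorLimiter`, `admit`, `run`, `demo`) and the arrival-time traffic patterns are constructed for this example; timestamps are supplied explicitly so the results are deterministic.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Icmpv6ErrorLimiter:
    """Token bucket for ICMPv6 error messages (constructed model, not PAN-OS code).

    error_packet_rate: tokens added per second (page default 100, range 10-65535)
    bucket_size:       maximum tokens held (page default 100, range 10-65535)
    """
    error_packet_rate: float = 100.0
    bucket_size: int = 100
    tokens: float = field(init=False)
    last_refill: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.bucket_size)      # bucket starts full

    def _refill(self, now: float) -> None:
        # Add tokens for the time elapsed since the last refill, never exceeding the bucket size.
        elapsed = max(0.0, now - self.last_refill)
        self.tokens = min(float(self.bucket_size), self.tokens + elapsed * self.error_packet_rate)
        self.last_refill = now

    def admit(self, now: float) -> bool:
        """True if an ICMPv6 error message arriving at time `now` (seconds) may be sent, else drop."""
        self._refill(now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run(limiter: Icmpv6ErrorLimiter, arrival_times: List[float]) -> Tuple[int, int]:
    """Feed arrival timestamps through the limiter; return (allowed, dropped) counts."""
    allowed = dropped = 0
    for t in arrival_times:
        if limiter.admit(t):
            allowed += 1
        else:
            dropped += 1
    return allowed, dropped


def demo() -> Dict[str, Tuple[int, int]]:
    # Constructed traffic patterns, not a capture.
    results = {}
    default = Icmpv6ErrorLimiter()                                   # 100 pps, 100 tokens
    results["burst_250_at_t0"] = run(default, [0.0] * 250)           # full bucket absorbs 100, drops 150
    results["100_more_at_t0.5"] = run(default, [0.5] * 100)          # 0.5 s refills 50 tokens: 50 allowed
    steady = [1.0 + i / 100 for i in range(300)]                      # exactly 100 pps for 3 s
    results["steady_100pps"] = run(default, steady)                  # refill keeps pace: nothing dropped
    bigger = Icmpv6ErrorLimiter(bucket_size=1000)                    # same rate, larger bucket
    results["burst_250_big_bucket"] = run(bigger, [0.0] * 250)       # burst fits entirely
    return results
```

The last two cases show the trade-off the two settings control: the error packet rate bounds the sustained throughput of ICMPv6 error messages, while the bucket size bounds how large a burst gets through before throttling starts, so raising the bucket size alone lets a short flood through untouched.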
Control Specific ICMP or ICMPv6 Types and Codes
Use this task to create a custom ICMP or ICMPv6 application and then create a security policy rule to allow or deny that application.
1. Create a custom application for the ICMP or ICMPv6 message type and code.
   - Select Objects > Applications and Add a custom application.
   - On the Configuration tab, enter a Name and a Description for the custom application (for example, ping6). For Category, select networking; for Subcategory, select ip-protocol; for Technology, select network-protocol.
   - On the Advanced tab, select ICMP Type or ICMPv6 Type. For Type, enter the number (range is 0-255) of the ICMP or ICMPv6 message type you want to allow or deny. For example, the ICMPv6 Echo Request message (ping6) is Type 128; the ICMPv4 Echo Request is Type 8.
   - If the Type has codes, enter the Code number (range is 0-255) that applies to the Type value you want to allow or deny. Some Type values have Code 0 only. Click OK.
2. Create a Security Policy Rule that allows or denies the custom application you created. On the Application tab, specify the name of the custom application.
3. Commit your changes (click Commit).