Internet Control Message Protocol (ICMP) (RFC 792) is another one of the main
protocols of the Internet Protocol suite; it operates at the Network
layer of the OSI model. ICMP is used for diagnostic and control purposes,
to send error messages about IP operations, or messages about requested services
or the reachability of a host or router. Network utilities such
as traceroute and ping are implemented by using various ICMP messages.

ICMP is a connectionless protocol that does not open or maintain
actual sessions. However, the ICMP messages between two devices
can be considered a session.

Palo Alto Networks firewalls support ICMPv4 and ICMPv6. You can
control ICMPv4 and ICMPv6 packets in several ways:

- Use zone protection profiles to configure flood protection,
  specifying the rate of ICMP or ICMPv6 connections per second (not
  matching an existing session) that trigger an alarm, trigger the
  firewall to randomly drop ICMP or ICMPv6 packets, and cause the
  firewall to drop ICMP or ICMPv6 packets that exceed the maximum
- Use zone protection profiles to configure packet based attack
  - For ICMP, you can drop certain types of
    packets or suppress the sending of certain packets.
  - For ICMPv6 packets (Types 1, 2, 3, 4, and 137), you can specify
    that the firewall use the ICMP session key to match a security policy
    rule, which determines whether the ICMPv6 packet is allowed or not.
    (The firewall uses the security policy rule, overriding the default
    behavior of using the embedded packet to determine a session match.)
    When the firewall drops ICMPv6 packets that match a security policy
    rule, the firewall logs the details in Traffic logs.
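
The ICMPv6 types listed above (the four error messages and Redirect) carry a copy of the packet that triggered them, so there are two things a device can match on: the outer ICMPv6 message or the flow of the embedded packet. The following added example, which is not Palo Alto Networks code and does not describe PAN-OS internals, parses a constructed Packet Too Big message and returns both; the function names, key layouts and sample addresses are assumptions made for illustration.

```python
import ipaddress
import struct

def ipv6(src, dst, nh, payload):
    """Build a minimal IPv6 packet; used only for the constructed sample."""
    addrs = ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return struct.pack("!IHBB", 6 << 28, len(payload), nh, 64) + addrs + payload

def parse_ipv6(pkt):
    """Return (src, dst, next_header, payload); extension headers are not walked."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    src, dst = (str(ipaddress.IPv6Address(pkt[i:i + 16])) for i in (8, 24))
    return src, dst, pkt[6], pkt[40:]

def embedded_packet(icmp_type, body):
    """Locate the invoking packet in the bytes that follow the ICMPv6 checksum."""
    if icmp_type in (1, 2, 3, 4):      # error messages: 4-byte unused/MTU/pointer
        return body[4:]
    opts = body[36:]                   # Redirect: reserved + target + destination
    while len(opts) >= 8 and opts[1]:  # walk the TLV options (length in 8-byte units)
        if opts[0] == 4:               # Redirected Header option (RFC 4861)
            return opts[8:opts[1] * 8]
        opts = opts[opts[1] * 8:]
    return b""

def match_candidates(pkt):
    """Return (outer ICMPv6 key, embedded-flow key or None). Checksum is not verified."""
    src, dst, nh, payload = parse_ipv6(pkt)
    if nh != 58 or len(payload) < 4:
        raise ValueError("not an ICMPv6 packet")
    icmp_type, code = payload[0], payload[1]
    outer = (src, dst, "icmpv6", icmp_type, code)
    if icmp_type not in (1, 2, 3, 4, 137):   # the types this page lists
        return outer, None
    try:
        isrc, idst, inh, l4 = parse_ipv6(embedded_packet(icmp_type, payload[4:]))
    except ValueError:
        return outer, None             # invoking packet missing or truncated
    has_ports = inh in (6, 17) and len(l4) >= 4   # TCP or UDP with ports present
    ports = struct.unpack("!HH", l4[:4]) if has_ports else (None, None)
    return outer, (isrc, idst, inh, *ports)

# Constructed sample: a router reports Packet Too Big (type 2) for a host's TCP flow.
ORIGINAL = ipv6("2001:db8:1::10", "2001:db8:2::20", 6,
                struct.pack("!HH", 51000, 443) + bytes(16))
SAMPLE = ipv6("2001:db8:ffff::1", "2001:db8:1::10", 58,
              struct.pack("!BBHI", 2, 0, 0, 1280) + ORIGINAL)
OUTER_KEY, EMBEDDED_KEY = match_candidates(SAMPLE)
```

In the sample, the outer key names the router and the ICMPv6 type, while the embedded key names the host's original TCP flow to port 443, which is why the two matching choices can select different policy rules.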