Changes in Default Behavior for ICMP Traffic Handling in Prisma Access Agent
Starting with Prisma Access Agent version 25.4, the default behavior for ICMP
traffic has changed, and you should be aware of this change when planning your
upgrade strategy.
In previous versions of Prisma Access Agent (< 25.4), ICMP traffic was blocked
by default. However, with Prisma Access Agent version 25.4, ICMP traffic is now
allowed direct by default.
With Strata Cloud Manager R4, you gain granular control over this behavior
through new configuration options. You can use "Block Non-TCP and Non-UDP based
traffic when connected to tunnel" to block all non-TCP and non-UDP traffic. When
you select this option, an additional setting, "Allow ICMP for troubleshooting",
becomes available, giving you control over ICMP traffic specifically while other
non-TCP or non-UDP traffic remains blocked.
To maintain control over ICMP traffic behavior, you should follow a specific
upgrade sequence:
- Upgrade Strata Cloud Manager to R4.
- Configure "Block Non-TCP and Non-UDP based traffic when connected to tunnel"
and "Allow ICMP for troubleshooting" in the Forwarding Profiles Setup in Strata
Cloud Manager to match the desired behavior.
- Upgrade Prisma Access Agent to version 25.4.
This sequence ensures you have the configuration options available before the
agent behavior changes, enabling you to block ICMP traffic if your security
policies require it.
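The following is an added example, not Palo Alto Networks code, that models the behavior described above: which agent-version and Strata Cloud Manager combinations leave ICMP allowed with no option to block it, and a check over a planned upgrade order that flags such steps. The setting names are the page's; the version parsing, the ForwardingProfile data model and the "uncontrolled" label are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


def agent_allows_icmp_by_default(agent_version: str) -> bool:
    """Per the page: agents before 25.4 block ICMP; 25.4 and later allow it."""
    major, minor = (int(p) for p in agent_version.split(".")[:2])
    return (major, minor) >= (25, 4)


@dataclass
class ForwardingProfile:
    """Assumed model of the relevant Forwarding Profile state (not a real API)."""
    scm_release: int              # Strata Cloud Manager release, e.g. 4 for R4
    block_non_tcp_udp: bool = False  # "Block Non-TCP and Non-UDP based traffic
                                     #  when connected to tunnel"
    allow_icmp: bool = False         # "Allow ICMP for troubleshooting"; only
                                     #  offered when block_non_tcp_udp is set


def icmp_handling(agent_version: str, profile: ForwardingProfile) -> str:
    """Return 'blocked', 'allowed' or 'allowed (uncontrolled)'.

    'uncontrolled' means the agent lets ICMP through while Strata Cloud
    Manager (pre-R4) offers no option to block it.
    """
    if not agent_allows_icmp_by_default(agent_version):
        return "blocked"
    if profile.scm_release < 4:
        return "allowed (uncontrolled)"
    if profile.block_non_tcp_udp and not profile.allow_icmp:
        return "blocked"
    return "allowed"


def uncontrolled_steps(plan: list[tuple[str, ForwardingProfile]]) -> list[int]:
    """Walk an ordered upgrade plan (agent version, profile state after each
    step) and return the indexes of steps where ICMP is allowed but cannot be
    blocked. An empty list means the plan keeps control throughout."""
    return [i for i, (version, profile) in enumerate(plan)
            if icmp_handling(version, profile) == "allowed (uncontrolled)"]


if __name__ == "__main__":
    # Constructed plan that upgrades the agent before Strata Cloud Manager.
    agent_first = [("25.3", ForwardingProfile(3)),
                   ("25.4", ForwardingProfile(3)),
                   ("25.4", ForwardingProfile(4, True, False))]
    print("uncontrolled ICMP at steps:", uncontrolled_steps(agent_first))
```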
This change provides you with broader flexibility and control over all non-TCP
and non-UDP traffic. Once you have fully upgraded to both Strata Cloud Manager
R4 and Prisma Access Agent 25.4, you can block non-TCP and non-UDP traffic and
independently control ICMP traffic based on your operational needs. When you
choose to block non-TCP and non-UDP traffic, you still have the option to
selectively allow ICMP for troubleshooting purposes.
Review your current security policies regarding ICMP traffic and plan your
upgrade strategy to ensure continuity with your organization's requirements.