
How to setup ICMP rule on SA4500 via Access Control to allow only echo/ping (not other icmp types)

Cameron1_
Not applicable

How to setup ICMP rule on SA4500 via Access Control to allow only echo/ping (not other icmp types)

How do I allow ping on Access Control?

 

Under - Users > Resource Policies > VPN Tunneling > Access Control

 

I have the option to allow all ICMP using the syntax "icmp://*:*", but I want to limit access to only ping (ICMP type 8 Echo and type 0 Echo Reply) and prevent all other types (traceroute etc.).

 

[Screenshot: SA4500_ICMP_RULE.png]

 

 

Here are the examples from the system, which are quite limited in number and type...

Examples:
tcp://*:1-1024
tcp://*:80,443
udp://10.10.10.0/24:*
icmp://10.10.10.10/255.255.255.255
10.10.10.0/24

 

 

Here is a list of ICMP Types - copied from: http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml

Type Name Reference
0 Echo Reply [RFC792]
1 Unassigned  
2 Unassigned  
3 Destination Unreachable [RFC792]
4 Source Quench (Deprecated) [RFC792][RFC6633]
5 Redirect [RFC792]
6 Alternate Host Address (Deprecated) [RFC6918]
7 Unassigned  
8 Echo [RFC792]
9 Router Advertisement [RFC1256]
10 Router Solicitation [RFC1256]
11 Time Exceeded [RFC792]
12 Parameter Problem [RFC792]
13 Timestamp [RFC792]
14 Timestamp Reply [RFC792]
15 Information Request (Deprecated) [RFC792][RFC6918]
16 Information Reply (Deprecated) [RFC792][RFC6918]
17 Address Mask Request (Deprecated) [RFC950][RFC6918]
18 Address Mask Reply (Deprecated) [RFC950][RFC6918]
19 Reserved (for Security) [Solo]
20-29 Reserved (for Robustness Experiment) [ZSu]
30 Traceroute (Deprecated) [RFC1393][RFC6918]
31 Datagram Conversion Error (Deprecated) [RFC1475][RFC6918]
32 Mobile Host Redirect (Deprecated) [David_Johnson][RFC6918]
33 IPv6 Where-Are-You (Deprecated) [Simpson][RFC6918]
34 IPv6 I-Am-Here (Deprecated) [Simpson][RFC6918]
35 Mobile Registration Request (Deprecated) [Simpson][RFC6918]
36 Mobile Registration Reply (Deprecated) [Simpson][RFC6918]
37 Domain Name Request (Deprecated) [RFC1788][RFC6918]
38 Domain Name Reply (Deprecated) [RFC1788][RFC6918]
39 SKIP (Deprecated) [Markson][RFC6918]
40 Photuris [RFC2521]
41 ICMP messages utilized by experimental mobility protocols such as Seamoby [RFC4065]
42-252 Unassigned  
253 RFC3692-style Experiment 1 [RFC4727]
254 RFC3692-style Experiment 2 [RFC4727]
255 Reserved [JBP]

 

Dirk01_
New Contributor

Re: How to setup ICMP rule on SA4500 via Access Control to allow only echo/ping (not other icmp types)

Same issue here. Did you get a solution in the meantime?

 

CaseyH_
Contributor

Re: How to setup ICMP rule on SA4500 via Access Control to allow only echo/ping (not other icmp types)

Out of curiosity, what's the problem being resolved by allowing PING through to all internal addresses?

 

(seriously, not trying to troll, just curious on the "why" part)

 

 

flip_pipe_
Frequent Contributor

Re: How to setup ICMP rule on SA4500 via Access Control to allow only echo/ping (not other icmp types)

Hi,

 

Like Cameron, we also have a rule allowing all ICMP to our networks. In our case it is because of the lack of logging in SA regarding L3 connectivity. With this, we can guarantee that if a machine doesn't ping, the connectivity problem is not in SA but somewhere in the network, which saves some time in troubleshooting. The other side of the coin is that it opens an attack vector into our network. I would also like to restrict ICMP to some codes rather than leaving all of them open.

 

Regards,

Dirk01_
New Contributor

Re: How to setup ICMP rule on SA4500 via Access Control to allow only echo/ping (not other icmp types)

Yes, we want to restrict ICMP to ping (ICMP type 8, code 0). From a security point of view this could be a good idea.

Restricting the ICMP service in a firewall is quite common.

Still the same question: is this also possible in the appliance?
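As an added illustration of the two points raised in this thread (this is example code, not anything from the SA4500 or its vendor): the Access Control resource syntax shown in the original post (`tcp://*:1-1024`, `udp://10.10.10.0/24:*`, `icmp://10.10.10.10/255.255.255.255`, a bare network) has a port field for TCP/UDP but no type field for ICMP, so `icmp://*:*` necessarily covers every ICMP type; and the usual place to narrow ICMP to Echo (8) and Echo Reply (0) is a firewall behind the appliance, as Dirk01_ notes. The policy list with allow/deny actions, the `Packet` model and the downstream filter are all constructed assumptions for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not the appliance's own code. Models the resource strings
# from the Access Control examples: proto://host[/mask]:ports, or a bare
# network. The ICMP form has no type field, so "icmp://*:*" matches every
# ICMP type; "firewall_allows" is a hypothetical downstream filter that
# stands in for where type-level restriction is normally applied.

@dataclass
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    dst: str                          # destination IPv4 address
    port: Optional[int] = None        # tcp/udp destination port
    icmp_type: Optional[int] = None   # ICMP type (8 = Echo, 0 = Echo Reply)


def parse_ports(spec):
    """'*' -> None (any); '80,443' -> {80, 443}; '1-1024' -> {1..1024}."""
    if spec == "*":
        return None
    ports = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def parse_resource(res):
    """Return (proto, network-or-None, port-set-or-None) for one resource string."""
    if "://" in res:
        proto, rest = res.split("://", 1)
        proto = proto.lower()
    else:
        proto, rest = "*", res            # bare network: any protocol
    if ":" in rest:
        host, ports = rest.rsplit(":", 1)
    else:
        host, ports = rest, "*"
    # ipaddress accepts both prefix (/24) and dotted-mask (/255.255.255.255) forms.
    net = None if host == "*" else ipaddress.ip_network(host, strict=False)
    return proto, net, parse_ports(ports)


def resource_matches(res, pkt):
    """True if the resource string covers the packet (the appliance's policy side)."""
    proto, net, ports = parse_resource(res)
    if proto != "*" and proto != pkt.proto:
        return False
    if net is not None and ipaddress.ip_address(pkt.dst) not in net:
        return False
    if pkt.proto in ("tcp", "udp") and ports is not None and pkt.port not in ports:
        return False
    # ICMP: the syntax carries no type field, so any ICMP type matches here.
    return True


def policy_allows(policy, pkt):
    """First-match evaluation over (resource, action) pairs; default deny (assumed)."""
    for res, action in policy:
        if resource_matches(res, pkt):
            return action == "allow"
    return False


# Hypothetical downstream firewall rule: only Echo (8) and Echo Reply (0) pass.
ECHO_TYPES = {0, 8}


def firewall_allows(pkt, allowed_types=ECHO_TYPES):
    """Non-ICMP traffic is left to other rules; ICMP is limited to the allowed types."""
    if pkt.proto != "icmp":
        return True
    return pkt.icmp_type in allowed_types


def permitted(policy, pkt):
    """A packet gets through only if both the appliance policy and the firewall allow it."""
    return policy_allows(policy, pkt) and firewall_allows(pkt)


# Constructed policy mirroring the thread: TCP/UDP examples plus a blanket ICMP allow.
POLICY = [
    ("tcp://*:80,443", "allow"),
    ("udp://10.10.10.0/24:*", "allow"),
    ("icmp://*:*", "allow"),
]

if __name__ == "__main__":
    echo = Packet("icmp", "10.10.10.5", icmp_type=8)
    exceeded = Packet("icmp", "10.10.10.5", icmp_type=11)   # Time Exceeded
    for name, pkt in (("echo", echo), ("type 11", exceeded)):
        print(f"{name}: policy={policy_allows(POLICY, pkt)} permitted={permitted(POLICY, pkt)}")
```

Running it shows the gap the thread is about: the blanket `icmp://*:*` rule lets both the Echo and the Time Exceeded packet through on the policy side, and only the separate type allowlist turns the second one away.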