How do I allow ping on Access Control?
Under - Users > Resource Policies > VPN Tunneling > Access Control
I have the option to allow all icmp using the syntax of "icmp://*:*" but I want to limit access to only ping (icmp type 8 echo and type 0 echo reply) and prevent all other types (traceroute etc.)
Here are the examples from the system which are quite limited in number and type...
Here is a list of ICMP Types - copied from: http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
|4||Source Quench (Deprecated)||[RFC792][RFC6633]|
|6||Alternate Host Address (Deprecated)||[RFC6918]|
|15||Information Request (Deprecated)||[RFC792][RFC6918]|
|16||Information Reply (Deprecated)||[RFC792][RFC6918]|
|17||Address Mask Request (Deprecated)||[RFC950][RFC6918]|
|18||Address Mask Reply (Deprecated)||[RFC950][RFC6918]|
|19||Reserved (for Security)||[Solo]|
|20-29||Reserved (for Robustness Experiment)||[ZSu]|
|31||Datagram Conversion Error (Deprecated)||[RFC1475][RFC6918]|
|32||Mobile Host Redirect (Deprecated)||[David_Johnson][RFC6918]|
|33||IPv6 Where-Are-You (Deprecated)||[Simpson][RFC6918]|
|34||IPv6 I-Am-Here (Deprecated)||[Simpson][RFC6918]|
|35||Mobile Registration Request (Deprecated)||[Simpson][RFC6918]|
|36||Mobile Registration Reply (Deprecated)||[Simpson][RFC6918]|
|37||Domain Name Request (Deprecated)||[RFC1788][RFC6918]|
|38||Domain Name Reply (Deprecated)||[RFC1788][RFC6918]|
|41||ICMP messages utilized by experimental mobility protocols such as Seamoby||[RFC4065]|
|253||RFC3692-style Experiment 1||[RFC4727]|
|254||RFC3692-style Experiment 2||[RFC4727]|
Out of curiosity, what's the problem being resolved by allowing PING through to all internal addresses?
(seriously, not trying to troll, just curious on the "why" part)
Like Cameron, we also have a rule allowing all ICMP to our networks. In our case is because the lack of logging in SA regarding L3 connectivity. So with this, we guarantee if one machine doesn't ping, the connectivity problem it is not in SA, but somewhere in the network, which saves some time in troubleshooting. The other side of the coin, is to open attack vector to our network. I also would like to close the ICMP to some codes and not all open.
Yes, we want to restrict the ICMP to the Ping (ICMP type:8, code:0). From security point of view this could be a good idea.
To restrict the ICMP service in a firewall is quite commen.
Still the same question is this also possible in the Appliance ?