Security Policy to Allow/Deny a Certain ICMP Type
Resolution
Overview
There are cases where only a specific Internet Control Message Protocol (ICMP) type should be allowed, instead of allowing all ICMP types. ICMP is used as a network diagnostic tool, and is classified into two main categories based upon its functionality:
- Error-Reporting Messages (Type 3,4,5,11,12) - The error reporting messages reports problems that a router or a destination host may encounter when it tries to process an IP packet.
- Query Messages (Type 0,8,13,14) - The query messages, which occur in pairs, help a host or a network manager get specific information from a router or another host.
The error reporting messages are good for admins, because they can diagnose the network based upon this information. However, with the help of query messages, there is a good chance that even a hacker can obtain potential information from the network. There must be a mechanism to allow ICMP types that are useful, and to deny the ones that cause harm. At the application layer, identification is based on the Application ICMP and not based upon the codes, however, the Palo Alto Networks firewall has a mechanism to allow or deny specific ICMP types.
Note :
This document does not apply for ICMP Error-Reporting Messages as the Error reporting messages will match the session of the embedded original packet and will be allowed.
Refer the below document to understand how to block ICMP Error Reporting Messages.
HOW TO ALLOW/BLOCK ICMP ERROR REPORTING PACKETS
Resolution
For example, to allow only ICMP echo requests but deny the rest of ICMP traffic, create a custom app for the ICMP traffic based on the ICMP packet type (8). For this kind of custom application, it is not necessary to create an application override policy as in the case of tcp/udp traffic.
To block specific ICMP type messages, create a custom application for each type:
- Go to Objects > Applications > Add and create a custom name (for this scenario, Block Type 13 Messages was used) and specify a category:
- Go to Advanced, click ICMP Type, and specify the required types separated by commas:
- Save the application and name it a deny policy (shown in example), placed on the top of Policies from any-to-any zone so all the traffic denies this application:
To block ICMP Type 8:
The custom application can then be applied in a security policy.
owner: ymiyashita