Security Policy to Allow/Deny a Certain ICMP Type
Symptom
Overview
There are cases where only a specific Internet Control Message Protocol (ICMP) type should be allowed, instead of allowing all ICMP types. ICMP is used as a network diagnostic tool, and is classified into two main categories based upon its functionality:
- Error-Reporting Messages (Types 3, 4, 5, 11, 12): these report problems that a router or a destination host encounters while processing an IP packet.
- Query Messages (Types 0, 8, 13, 14): these are exchanged in request/reply pairs and let a host or a network manager obtain specific information from a router or another host.
Environment
- Palo Alto Firewalls
- Any PanOS
- Appid
Cause
Error-reporting messages are useful to administrators because they help diagnose the network. Query messages, however, can also give an attacker a way to gather potentially valuable information about the network. A mechanism is therefore needed to allow the ICMP types that are useful and deny the ones that can cause harm. At the application layer, App-ID identifies all of this traffic as the application icmp and does not distinguish individual types or codes; the Palo Alto Networks firewall does, however, provide a mechanism (a custom application) to allow or deny specific ICMP types.
- Note:
- This document does not apply to ICMP error-reporting messages: an error-reporting message matches the session of the embedded original packet and is allowed along with it.
- Refer to the document linked below to understand how to block ICMP error-reporting messages:
HOW TO ALLOW/BLOCK ICMP ERROR REPORTING PACKETS
Resolution
For example, to allow only ICMP echo requests and deny the rest of the ICMP traffic, create a custom application for the ICMP traffic based on the ICMP packet type (8). For this kind of custom application it is not necessary to create an application override policy, as would be needed for TCP/UDP traffic.
- To block specific ICMP message types, create one custom application per type:
- Go to Objects > Applications > Add, give the application a name (for this scenario, Block Type 13, ICMP-timestamp) and specify a category:
- Go to Advanced, click ICMP Type, and specify the required types separated by commas:
- Optionally, add a custom signature on the Signatures tab:
- Click Add Or Condition
- Add the below values:
- Operator: Equal To
- Context: icmp-req-type
- Value: 13
- Save the application and add it to a deny policy (shown in the example), placed at the top of the Policies list from any zone to any zone, so that this application is denied for all traffic:
To block ICMP type 8 instead, create the custom application with ICMP type 8 and apply it to the required policy:
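As an added illustration, not part of this article or of PAN-OS, the following Python models the decision logic described above: query-type ICMP is matched on its type (the icmp-req-type context) against an allow-list that contains only echo request (8), while error-reporting ICMP is attributed to the session of the original packet embedded in it. The sample messages are constructed inline; the allow-list and the session tuple layout are assumptions made for the example.

```python
import socket
import struct

# Classification from the article: error-reporting vs query ICMP types.
ERROR_REPORTING_TYPES = {3, 4, 5, 11, 12}
QUERY_TYPES = {0, 8, 13, 14}

def parse_ipv4_header(pkt: bytes) -> dict:
    """Parse the IPv4 header fields needed to identify the embedded flow."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("malformed IPv4 header")
    return {"ihl": ihl, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}

def classify_icmp(icmp: bytes, allowed_query_types=frozenset({8})) -> dict:
    """Verdict for one ICMP message under the article's policy: query types are
    matched on icmp-req-type against an allow-list; error-reporting types carry
    the original IP header + 8 transport bytes and are attributed to that session."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code = icmp[0], icmp[1]
    verdict = {"type": icmp_type, "code": code}
    if icmp_type in ERROR_REPORTING_TYPES:
        inner = parse_ipv4_header(icmp[8:])
        ports = (None, None)
        if inner["proto"] in (6, 17):  # TCP/UDP ports are the first 4 transport bytes
            start = 8 + inner["ihl"]
            ports = struct.unpack("!HH", icmp[start:start + 4])
        verdict.update(cls="error-reporting", action="match-embedded-session",
                       session=(inner["src"], ports[0], inner["dst"], ports[1], inner["proto"]))
    elif icmp_type in QUERY_TYPES:
        verdict.update(cls="query", action="allow" if icmp_type in allowed_query_types else "deny")
    else:
        verdict.update(cls="other", action="deny")
    return verdict

# Constructed sample messages, not captured traffic.
ECHO_REQUEST = bytes([8, 0, 0, 0, 0x12, 0x34, 0, 1])                    # type 8: allowed
TIMESTAMP_REQUEST = bytes([13, 0, 0, 0, 0x12, 0x34, 0, 1]) + bytes(12)  # type 13: denied
_inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"))
PORT_UNREACHABLE = bytes([3, 3, 0, 0, 0, 0, 0, 0]) + _inner + struct.pack("!HHHH", 40000, 53, 8, 0)
```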