DotW: Send ICMP Unreachable

DotW: Send ICMP Unreachable

20474
Created On 09/25/18 19:22 PM - Last Modified 06/08/23 02:40 AM


Resolution


 

63507-dotw.png 

In this week's Discussion of the Week, user 'PanIst' had a question about what the purpose is of the "Send ICMP Unreachable" checkbox that appeared in the policy action tab in PAN-OS 7.0.

63507-1.png

 

 

To highlight the purpose of this feature, I'll show the functionality of a couple new actions available in PAN-OS 7.0. These newly added actions allow for more control over the response provided by the Palo Alto Networks firewall to a session that hits a "negative" action security policy.

 

The "Drop" action will silently discard all packets once it determines a session is unwanted, this will leave the client in the dark about what happened to the session and could lead to some user frustration as the client may keep loading for a good time before timing out. This is the default action applied to all implied policies, and was the only option available prior to PAN-OS 7.0 to block traffic.

63507-2.png

 

 

As you can see in the packet capture output below, the client sends out packets (ping and web-browsing), which in my example the configurations are dropped. ICMP never gets a response, and web-browsing is dropped as soon as App-ID detects it is genuine web traffic. The web browser is unaware it was blocked and keeps resending its last packet, keeping the user waiting.

drop.png

 

The "Deny" and "Reset" actions can send a reset packet to the client (and if desired the server). An error message can be displayed, or the session can be terminated graciously, informing the user about the disconnect. However, this action can only be applied to TCP sessions.

 


In the packet capture output below, the HTTP session is ended with a reset packet and the browser will display an error message informing the user the website is unreachable.

63507-4.png

 

 

To accommodate UDP or ICMP sessions, a ICMP Unreachable message (ICMP type 3 code 13) can be sent to inform the client a session is not allowed, which can greatly improve the user experience.

63507-5.png

 

 

Typically, this type of "active" rejection of traffic will only be applied to well known traffic originating from the internal user network or subnets, (this is where certain chatty protocols reside and can be beneficial for user experience or prevent continuous retries from an application).

For traffic originating from an untrusted network, it is always recommended to obscure and delay as much as possible thus "drop" is the recommended (and default) action.

63507-6.png

 

 

To view the discussion, reference the following link: Send ICMP Unreachable panos7

 

All comments or suggestions are encouraged.

Thanks for reading,

 

Tom Piens
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClX8CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language