Unknown ICMP traffic originating from PAN firewall interface

Created On 06/27/23 08:03 AM - Last Modified 08/26/25 02:58 AM


Symptom


  • In traffic logs, seeing "ICMP" application traffic where the source address is the same as the firewall's layer 3 interface IP address
  • Packet capture shows ICMP Type 3 (Destination Unreachable), Code 13 (Communication administratively filtered) packets.


Environment


  • Palo Alto Networks Firewalls
  • All PAN-OS versions
  • Security Rule (Actions)


Cause


  • ICMP Type 3 (Destination Unreachable), Code 13 (Communication administratively filtered) means the connection is administratively prohibited. In other words, the traffic was blocked by a security rule or ACL.
  • PAN firewalls send such packets when a security rule has Action: Drop and the "Send ICMP Unreachable" option enabled.
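The following is an added example (it is not part of this article and not Palo Alto Networks code) that shows what the packet described in the Symptom and Cause sections looks like on the wire and how an analyst can decode it. An ICMP Type 3 message carries the IP header and first 8 bytes of the transport header of the datagram that was dropped, so parsing it reveals which blocked flow triggered it; the parser also flags when the sender is one of the firewall's Layer 3 interface addresses. All IP addresses, ports and the interface list are constructed sample values.

```python
import ipaddress
import struct

# Constructed: Layer 3 interface addresses of the firewall under investigation.
FIREWALL_INTERFACE_IPS = {"10.1.1.1", "192.168.50.1"}

ICMP_DEST_UNREACH = 3
CODE_ADMIN_PROHIBITED = 13


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 for data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (IP checksum left at 0; not needed for this example)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def build_dest_unreachable(sender_ip: str, client_ip: str, original_datagram: bytes,
                           code: int = CODE_ADMIN_PROHIBITED) -> bytes:
    """Build what a firewall emits for a dropped flow: IP + ICMP type 3 quoting the original datagram."""
    quoted = original_datagram[:28]  # original IP header + first 8 bytes of its L4 header
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    csum = inet_checksum(icmp)
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, csum, 0) + quoted
    return build_ipv4_header(sender_ip, client_ip, 1, len(icmp)) + icmp


def parse_admin_prohibited(packet: bytes):
    """Return details of an ICMP Type 3 Code 13 packet, or None if the packet is anything else."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None
    ihl = (packet[0] & 0x0F) * 4
    outer_src = str(ipaddress.IPv4Address(packet[12:16]))
    outer_dst = str(ipaddress.IPv4Address(packet[16:20]))
    icmp = packet[ihl:]
    if len(icmp) < 8:
        return None
    itype, icode, _csum, _unused = struct.unpack("!BBHI", icmp[:8])
    if itype != ICMP_DEST_UNREACH or icode != CODE_ADMIN_PROHIBITED:
        return None
    if inet_checksum(icmp) != 0:
        return None  # corrupted or forged ICMP; do not trust the quoted datagram
    inner = icmp[8:]
    if len(inner) < 28:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    proto = {6: "tcp", 17: "udp"}.get(inner[9], str(inner[9]))
    inner_src = str(ipaddress.IPv4Address(inner[12:16]))
    inner_dst = str(ipaddress.IPv4Address(inner[16:20]))
    sport = dport = None
    if proto in ("tcp", "udp"):
        sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "outer_src": outer_src,
        "outer_dst": outer_dst,
        "sent_by_firewall": outer_src in FIREWALL_INTERFACE_IPS,
        # The flow the firewall dropped: the quoted header is the client's own packet.
        "blocked_flow": (inner_src, sport, inner_dst, dport, proto),
    }


# Constructed sample: a client TCP/443 packet that a Drop rule with "Send ICMP Unreachable" rejected.
SAMPLE_BLOCKED_DATAGRAM = (build_ipv4_header("192.168.50.23", "172.16.0.10", 6, 8)
                           + struct.pack("!HHI", 51514, 443, 1000))
SAMPLE_UNREACHABLE = build_dest_unreachable("10.1.1.1", "192.168.50.23", SAMPLE_BLOCKED_DATAGRAM)


if __name__ == "__main__":
    info = parse_admin_prohibited(SAMPLE_UNREACHABLE)
    print("ICMP from firewall interface:", info["sent_by_firewall"])
    print("Dropped flow (src, sport, dst, dport, proto):", info["blocked_flow"])
```

In a real capture, filter on ICMP type 3 code 13 and feed each packet to `parse_admin_prohibited`; the decoded `blocked_flow` tuple is what to match against the security rulebase to find the rule whose "Send ICMP Unreachable" option produced the traffic.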


Resolution


  1. Uncheck the "Send ICMP Unreachable" option on the relevant security policy to stop the firewall from sending these ICMP messages.
  2. This option is disabled by default.
  3. The "Send ICMP Unreachable" option is available only for Layer 3 interfaces.
 


Additional Information


  • When a Security Policy is configured to drop or reset traffic, that traffic never reaches the destination.
  • In such cases the TCP/UDP (or other) traffic is silently dropped.
  • "Send ICMP Unreachable" can be enabled to have the firewall send an ICMP Unreachable response to the source IP address from which the traffic originated.
  • Enabling this setting allows the source to gracefully close or clear the session, preventing applications from breaking.
  • More on security rule actions: Configurable Deny Action

