How to Allow/Block ICMP Error reporting Packets

How to Allow/Block ICMP Error reporting Packets

3374
Created On 08/19/21 08:30 AM - Last Modified 08/25/21 01:24 AM


Objective
The document explains the options available to block or allow ICMP Error Code packets.
To block ICMP Query packets please refer the below article.
SECURITY POLICY TO ALLOW/DENY A CERTAIN ICMP TYPE

ICMP Error reporting packets use Type 3,4,5,11,12.
ICMP Query Packets use Type 0,8,13,14.

These packets have the actual packet embedded in them for which the error is being reported.
User-added image

Note : If solution from Scenario 1 is implemented, all the ICMP Error Reporting packets will be dropped. Hence there is no benefit in using both solutions together. 
Example :
If there is a TCP SYN packet is received on a L3 device(router/firewall) and does not have any way to forward it, it would generate a ICMP Type 3 packet
Also it will encapsulate the TCP SYN packet inside it.
Then Send this ICMP Error reporting packet back to the source. 

Scenario 1 : (For ICMP Error Reporting Packets with associated sessions)
If associated session exists:
  1. The TCP SYN Packet passed through the PA Firewall. 
  2. Then Next hop sent back an ICMP Error reporting packet (Destination Unreachable)
  3. PA firewall will check the inner encapsulated packet and try to find a session. 
  4. Since the TCP SYN packet will already have created a session, this ICMP Error packet will match that session.
  5. The ICMP Error reporting packet cannot be blocked using Security Policy in this case. Zone Protection Profile will have to be used as described below.
  6. Please note that in this method, all ICMP Error Reporting types will be blocked and it is not possible to choose the Type. 

Scenario 2 : (For ICMP Error Reporting Packets with no associated sessions)
If associated session does not exist:
  1. The TCP SYN packet did not go through the firewall or the session has already been closed.
  2. There is a ICMP ERROR packet received by the PA firewall. 
  3. Since there is no associated session present on the firewall, a new ICMP session will be created for this ICMP Error reporting packet.
  4. This packet can be blocked using a Custom Application with Signature and Security Policy.


Environment
PA firewall with Any PANOS
 


Procedure
Blocking ICMP ERROR REPORTING packet in Scenario 1 :  
Security policy cannot be used to block the packet because the ICMP ERROR packet will match the associated session of the Inner packet and will be forwarded on the same session.
Hence if all ICMP Error reporting packets have to be blocked, the only way to do it is using Zone Protection Profile. 
1. Configure a zone protection profile. 
Network > Network Profiles > Zone Protection > Add > <Name>


User-added image


Packet Based Attack Protection > ICMP Drop > Discard ICMP embedded with error message (Enable) > OK


User-added image

2. Configure this Zone Protection profile on the security zone
Network > Zones > Choose the Zone > Zone Protection Profile > Choose the Profile configured above


User-added image
Then commit the configuration. 

Blocking ICMP ERROR REPORTING packet in Scenario 2.
Create a custom application for ICMP-Error-Code
1. Objects > Applications > Add > Name : ICMP-Error-Code
2. Choose 
    Category : Networking
    Subcategory : Routing 
    Technology : Network-Protocol


User-added image

3. Advanced > ICMP Type > Type 3,4,5,11,12


User-added image

Repeat the Steps 4 and 5 for each value in 3,4,5,11,12
4. Signatures > Signature Name > Error-Code-sig > Add OR Condition
    Operator : Equal To
    Context : icmp-rsp-type
    Value : 3

User-added image


User-added image

5. Click OK 

6. Once Signature for all values in  3,4,5,11,12 are added then click OK

User-added image

7. Configure a security policy with needed parameter and Applications > Add  ICMP-Error-Code

User-added image

8. Set Action of this Security Policy to Drop or Allow

User-added image

9. Move the Policy to the Top and commit.


Verification :
Scenario 1 : (using zone protection)
The below global counter will start incrementing once packets are dropped due to the setting. 
> show counter global filter packet-filter yes delta yes

Global counters:
Elapsed time since last sampling: 33.725 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------

flow_dos_pf_icmperr                        5        0 drop      flow      dos       Packets dropped: Zone protection option 'discard-icmp-error'


Scenario 2 : (Using Custom Application Signature)
Check the sessions log to see if the application override is getting applied in case of security policy being set to allow. 
The Application should show as ICMP-Error-Code
admin@PA5260(active-primary)> show session all filter source 10.10.10.2

--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])Vsys
                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
17           ICMP-Error-Code ACTIVE  FLOW       10.10.10.2[3]/untrust/1  (10.10.10.2[3])
vsys1                                          10.3.1.146[1]/trust  (10.3.1.146[1])



The traffic logs can be checked to see if there are Allowed or Denied packets based on the Policy name.

User-added image


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oMQp&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments