ICMP
Internet Control Message Protocol (ICMP) (RFC 792) is another one of the main
protocols of the Internet Protocol suite; it operates at the Network
layer of the OSI model. ICMP is used for diagnostic and control purposes,
to send error messages about IP operations, or messages about requested services
or the reachability of a host or router. Network utilities such
as traceroute and ping are implemented by using various ICMP messages.
ICMP is a connectionless protocol that does not open or maintain
actual sessions. However, the ICMP messages between two devices
can be considered a session.
Palo Alto Networks firewalls support ICMPv4 and ICMPv6. You can
control ICMPv4 and ICMPv6 packets in several ways:
Use Zone Protection Profiles to
configure flood protection, specifying the rate of ICMP or ICMPv6
connections per second (not matching an existing session) that trigger
an alarm, trigger the firewall to randomly drop ICMP or ICMPv6 packets,
and cause the firewall to drop ICMP or ICMPv6 packets that exceed
the maximum rate.
For ICMP, you can drop certain types of packets or suppress the sending of certain
packets.
For ICMPv6 packets (Types 1, 2, 3, 4, and 137), you can specify
that the firewall use the ICMP session key to match a security policy
rule, which determines whether the ICMPv6 packet is allowed or not.
(The firewall uses the security policy rule, overriding the default
behavior of using the embedded packet to determine a session match.)
When the firewall drops ICMPv6 packets that match a security policy
rule, the firewall logs the details in Traffic logs.
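
The two lookups described above for ICMPv6 Types 1, 2, 3, 4, and 137, as an added example that is not Palo Alto Networks code: it parses an ICMPv6 message and returns both a key taken from the ICMPv6 packet itself and a key taken from the embedded packet. The fields chosen for each key, the function names, and the sample addresses are assumptions for illustration, and the parser assumes no IPv6 extension headers.

```python
import ipaddress
import struct

ERROR_TYPES = {1, 2, 3, 4}  # Dest Unreachable, Packet Too Big, Time Exceeded, Parameter Problem
REDIRECT = 137              # invoking packet is carried in option type 4 (RFC 4861)

def ipv6(src, dst, nxt, payload):
    """Build a bare IPv6 packet (helper for the constructed sample)."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), nxt, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

def parse_ipv6(buf):
    """Return (src, dst, next_header, payload); assumes no extension headers."""
    if len(buf) < 40 or buf[0] >> 4 != 6:
        raise ValueError("truncated or non-IPv6 packet")
    addr = lambda b: str(ipaddress.IPv6Address(b))
    return addr(buf[8:24]), addr(buf[24:40]), buf[6], buf[40:]

def embedded_packet(icmp):
    """Locate the invoking packet inside an ICMPv6 error or Redirect message."""
    if icmp[0] in ERROR_TYPES:
        return icmp[8:]                      # follows the 8-byte ICMPv6 header
    if icmp[0] != REDIRECT:
        raise ValueError("ICMPv6 type carries no embedded packet")
    opts = icmp[40:]                         # skip header, target and destination
    while len(opts) >= 8:
        size = opts[1] * 8                   # option length is in 8-octet units
        if size == 0:
            raise ValueError("zero-length ND option")
        if opts[0] == 4:                     # Redirected Header option
            return opts[8:size]
        opts = opts[size:]
    raise ValueError("Redirect without a Redirected Header option")

def lookup_keys(packet):
    """Return (icmp_key, embedded_key); both key layouts are assumed, not PAN-OS's."""
    src, dst, nxt, icmp = parse_ipv6(packet)
    if nxt != 58 or len(icmp) < 8:
        raise ValueError("not an ICMPv6 message")
    isrc, idst, inxt, l4 = parse_ipv6(embedded_packet(icmp))
    ports = struct.unpack("!HH", l4[:4]) if inxt in (6, 17) and len(l4) >= 4 else (None, None)
    return (src, dst, icmp[0], icmp[1]), (isrc, idst, inxt, *ports)

# Constructed sample (checksum left 0, not validated): Packet Too Big for a TCP/443 flow.
inner = ipv6("2001:db8:1::10", "2001:db8:2::20", 6, struct.pack("!HH", 51000, 443) + bytes(16))
SAMPLE = ipv6("2001:db8:ff::1", "2001:db8:1::10", 58, struct.pack("!BBHI", 2, 0, 0, 1280) + inner)

if __name__ == "__main__":
    icmp_key, embedded_key = lookup_keys(SAMPLE)
    print("ICMPv6 packet key:", icmp_key)
    print("embedded packet key:", embedded_key)
```

The first key names the router that generated the error, while the second names the original flow, so a rule evaluated against one can reach a different verdict than a session match on the other.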