ICMP Types 3, 5, 11, and 12 and ICMPv6 Types 1, 2,
3, 4, and 137—The firewall by default looks up the embedded
IP packet bytes of information from the original datagram that caused
the error (the invoking packet). If the embedded packet matches
an existing session, the firewall forwards or drops the ICMP or
ICMPv6 packet according to the action specified in the security policy
rule that matches that same session. (You can use
Zone Protection Profiles with
packet based attack protection to override this default behavior
for the ICMPv6 types.)