topic Re: Limit ICMP in Firewall and Security Management

Limit ICMP

DanielJavier — Fri, 30 May 2025 17:55:25 GMT

Hi guys

Some firewall settings may cause a certain packet size to not pass through the ping.
for example:
Ping 8.8.8.8 -l 1000 Passes
Ping 8.8.8.8 -l 4000 Does not pass

I've attached a test image.

Re: Limit ICMP

Duane_Toler — Fri, 30 May 2025 18:07:27 GMT

#WorksForMe 😕

Re: Limit ICMP

Lloyd_Braun — Fri, 30 May 2025 20:35:34 GMT

check your IPS core protections for "max ping size" - I am seeing a default of 2500 bytes if it is enabled.

Re: Limit ICMP

Duane_Toler — Fri, 30 May 2025 20:37:28 GMT

Oh, that's different. 😆 I thought you were trying to report some other issue.

Re: Limit ICMP

Lloyd_Braun — Fri, 30 May 2025 20:47:15 GMT

😁

Re: Limit ICMP

Timothy_Hall — Sat, 31 May 2025 19:21:01 GMT

There are actually two protections that can limit the size of pings:

Core Activation: Large Ping Size (default limit 2500 bytes)
ThreatCloud Protection: Max Ping Echo Reply Size (default limit 512 bytes)

To make things even more confusing the first is one of the fixed 39 Core Activations, while the other one is part of the much more numerous (and always growing) ThreatCloud Protections. The main thing to watch out for is they are controlled by their own profiles and exceptions, so adding a standard Threat Prevention exception will only apply to the second protection and not the first. Core Activations have their own separate set of exceptions (and better yet so do the 146 Inspection Settings).

The differences between working with Core Activations vs. IPS ThreatCloud protections is a major source of confusion, and nicely covered by the Check Point Threat Prevention Specialist (CTPS) course available from ATCs worldwide.

Re: Limit ICMP

jimm — Tue, 17 Mar 2026 05:44:28 GMT

Regarding the two IPS protections:

Core Activation: Large Ping Size (default limit 2500 bytes)
ThreatCloud Protection: Max Ping Echo Reply Size (default limit 512 bytes)

A client's recent pentest report recommended setting the maximum ping size to 64 bytes. I am concerned that this may break valid traffic. Should i be concerned?

Re: Limit ICMP

Timothy_Hall — Tue, 17 Mar 2026 12:42:19 GMT

A typical ping packet has 32 payload bytes, plus 8 bytes of ICMP header, for a total of 40 bytes, then another 20 bytes for the IP header, and another 14 bytes or so for the Ethernet header. I'm assuming the Protection limit is for the ICMP portion (40 bytes by default).

I actually like sending large pings as they tend to aggravate packet loss issues and make them a little easier to see:

Gaia/Linux: ping -s 1400 129.82.102.32
Windows: ping -l 1400 129.82.102.32

I can't think of any scenario where ping packets larger than standard would be used other than the above.

Re: Limit ICMP

Duane_Toler — Tue, 17 Mar 2026 13:13:20 GMT

You will affect some hosts that try to do Path MTU discovery with ICMP (by sending giant ping packets), but they will still work unless they also switch to other methods such as TCP. There are other (more proper) ways to do PMTU discovery, and giant ICMP packets aren't the best, but some firmware programmers never seemed to understand that.

You'll know who they are when you see IPS Prevent logs for ICMP. At that point, you can decide if you want to create exceptions for them or not. You won't destroy their ability to function, but you will generate more logs.

Re: Limit ICMP

jimm — Wed, 18 Mar 2026 00:54:16 GMT

Thank you for the replies. Looking at the settings, i cannot see where to change the max ping size from its default value. Where can i adjust that?

Re: Limit ICMP

Duane_Toler — Wed, 18 Mar 2026 01:46:43 GMT

It's in the list of IPS Protections. Here's the configuration you want:

Select and edit the protection item:

Set it to Accept for your profile, if it's not already:

Edit the Advanced section and enter the max number of bytes you want: