https://community.checkpoint.com/t5/General-Topics/Permit-ICMP-request-only-in-several-networks/m-p/34520#M7260 <HTML><HEAD></HEAD><BODY><P>They are called Global Properties for a reason. <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P>Exceptions one way or the other need explicit rules.</P><P>Is there a specific reason you want to use Global Properties and not an explicit rule?</P></BODY></HTML> Sat, 23 Feb 2019 04:59:03 GMT PhoneBoy 2019-02-23T04:59:03Z https://community.checkpoint.com/t5/General-Topics/Permit-ICMP-request-only-in-several-networks/m-p/34515#M7255 <HTML><HEAD></HEAD><BODY><P>For security reasons, I have disabled the "Accept ICMP request" box in the global properties of a cluster checkpoint 5400 version R77.30.<BR />The case is that a client / server application needs this traffic through a VPN.<BR />Can this traffic be enabled safely only for certain networks?</P><P></P><P>thanks</P></BODY></HTML> Wed, 20 Feb 2019 08:50:31 GMT https://community.checkpoint.com/t5/General-Topics/Permit-ICMP-request-only-in-several-networks/m-p/34515#M7255 Jesus_Cano 2019-02-20T08:50:31Z https://community.checkpoint.com/t5/General-Topics/Permit-ICMP-request-only-in-several-networks/m-p/34516#M7256 <HTML><HEAD></HEAD><BODY><P>Most of the time all they need is Echo-Request, the reply is part of the standard statefull inspection so does not need to be added. You can just add that service to a rule allowing the traffic back and forth.</P></BODY></HTML> Wed, 20 Feb 2019 13:06:16 GMT https://community.checkpoint.com/t5/General-Topics/Permit-ICMP-request-only-in-several-networks/m-p/34516#M7256 Maarten_Sjouw 2019-02-20T13:06:16Z https://community.checkpoint.com/t5/General-Topics/Permit-ICMP-request-only-in-several-networks/m-p/34517#M7257 <HTML><HEAD></HEAD><BODY><P>What I want to know is if we can enable this feaure in policy -&gt; global properties -&gt; accept ICMP without compromising security by restricting the traffic allowed only to the source IPs of the VPN</P></BODY></HTML> Wed, 20 Feb 2019 15:25:04 GMT https://community.checkpoint.com/t5/General-Topics/Permit-ICMP-request-only-in-several-networks/m-p/34517#M7257 Jesus_Cano 2019-02-20T15:25:04Z https://community.checkpoint.com/t5/General-Topics/Permit-ICMP-request-only-in-several-networks/m-p/34518#M7258 <HTML><HEAD></HEAD><BODY><P>Basically, we want to know if we can to enable the ACCEPT ICMP in global properties, keeping or restric some IPs into a VPN.</P></BODY></HTML> Wed, 20 Feb 2019 15:32:43 GMT https://community.checkpoint.com/t5/General-Topics/Permit-ICMP-request-only-in-several-networks/m-p/34518#M7258 Jesus_Cano 2019-02-20T15:32:43Z https://community.checkpoint.com/t5/General-Topics/Permit-ICMP-request-only-in-several-networks/m-p/34519#M7259 <HTML><HEAD></HEAD><BODY><P>When you enable it in the global properties, and do it as Before last, you can still apply a drop rule for specific networks, but to be honest I don't like the things that apply to all traffic, to be enabled on a global level. I rather be specific on allowing Ping. We see a lot of times that ICMP as a protocol has been allowed, which is not really what you want. There are to many ICMP items that can be used maliciously.</P></BODY></HTML> Wed, 20 Feb 2019 16:14:12 GMT https://community.checkpoint.com/t5/General-Topics/Permit-ICMP-request-only-in-several-networks/m-p/34519#M7259 Maarten_Sjouw 2019-02-20T16:14:12Z https://community.checkpoint.com/t5/General-Topics/Permit-ICMP-request-only-in-several-networks/m-p/34520#M7260 <HTML><HEAD></HEAD><BODY><P>They are called Global Properties for a reason. <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P>Exceptions one way or the other need explicit rules.</P><P>Is there a specific reason you want to use Global Properties and not an explicit rule?</P></BODY></HTML> Sat, 23 Feb 2019 04:59:03 GMT https://community.checkpoint.com/t5/General-Topics/Permit-ICMP-request-only-in-several-networks/m-p/34520#M7260 PhoneBoy 2019-02-23T04:59:03Z