DanielJavier
Participant

Limit ICMP


Hi guys

Some firewall settings may cause pings above a certain packet size not to pass through.
For example:
ping 8.8.8.8 -l 1000  -> passes
ping 8.8.8.8 -l 4000  -> does not pass

I've attached a test image (Ping.PNG).

0 Kudos
10 Replies
Duane_Toler
MVP Silver

#WorksForMe 😕

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
Lloyd_Braun
Advisor

Check your IPS Core protections for "max ping size" - I am seeing a default of 2500 bytes if it is enabled.

0 Kudos
Duane_Toler
MVP Silver

Oh, that's different. 😆  I thought you were trying to report some other issue.

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
Lloyd_Braun
Advisor

😁

0 Kudos
Timothy_Hall
MVP Gold

There are actually two protections that can limit the size of pings:

  • Core Activation: Large Ping Size (default limit 2500 bytes)
  • ThreatCloud Protection: Max Ping Echo Reply Size (default limit 512 bytes)

To make things even more confusing, the first is one of the fixed 39 Core Activations, while the other one is part of the much more numerous (and always growing) ThreatCloud Protections.  The main thing to watch out for is that they are controlled by their own profiles and exceptions, so adding a standard Threat Prevention exception will only apply to the second protection and not the first.  Core Activations have their own separate set of exceptions (and, better yet, so do the 146 Inspection Settings).

The differences between working with Core Activations vs. IPS ThreatCloud protections are a major source of confusion, and are nicely covered by the Check Point Threat Prevention Specialist (CTPS) course available from ATCs worldwide.

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization
0 Kudos
jimm
Participant

Regarding the two IPS protections:

  • Core Activation: Large Ping Size (default limit 2500 bytes)
  • ThreatCloud Protection: Max Ping Echo Reply Size (default limit 512 bytes)

A client's recent pentest report recommended setting the maximum ping size to 64 bytes. I am concerned that this may break valid traffic. Should I be concerned?

0 Kudos
Timothy_Hall
MVP Gold

A typical ping packet has 32 payload bytes, plus 8 bytes of ICMP header, for a total of 40 bytes, then another 20 bytes for the IP header, and another 14 bytes or so for the Ethernet header.  I'm assuming the Protection limit is for the ICMP portion (40 bytes by default).

I actually like sending large pings as they tend to aggravate packet loss issues and make them a little easier to see:

Gaia/Linux: ping -s 1400 129.82.102.32
Windows: ping -l 1400 129.82.102.32

I can't think of any scenario where ping packets larger than standard would be used other than the above.

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization
0 Kudos
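As an added example (not from this thread, and not Check Point tooling), the size arithmetic above and the "send large pings and see what gets through" approach can be turned into a small probe that binary-searches the largest ICMP echo payload a gateway will pass. That is the quickest way to tell which limit is actually being enforced on a path (the 2500-byte Core Activation, the 512-byte ThreatCloud protection, or a pentest-recommended 64 bytes): the payload at which replies stop, plus 8 bytes of ICMP header, is the enforced ICMP length. The real probe assumes a Linux/Gaia ping that takes -c/-W/-s (on Windows the equivalents are -n/-w/-l); the search assumes behaviour is monotone (if size N passes, every smaller size passes); and simulated_firewall is a constructed stand-in so the search can be exercised offline.

```python
"""Find the largest ICMP echo payload a firewall or path will pass.

Added example for the CheckMates "Limit ICMP" thread; not Check Point code.
Assumes a Linux/Gaia `ping` (-c count, -W timeout, -s payload bytes).
"""
import subprocess
from typing import Callable, Dict, Optional

# Header sizes as tallied in the thread: ICMP 8, IPv4 20, Ethernet 14.
ICMP_HEADER = 8
IP_HEADER = 20
ETH_HEADER = 14
DEFAULT_PAYLOAD = 32        # what a stock Windows ping sends
MAX_IPV4_PAYLOAD = 65507    # 65535 - 20 (IP) - 8 (ICMP)


def frame_sizes(payload: int) -> Dict[str, int]:
    """Sizes of one echo request carrying `payload` data bytes, layer by layer."""
    icmp = payload + ICMP_HEADER
    ip = icmp + IP_HEADER
    return {"payload": payload, "icmp": icmp, "ip": ip, "ethernet": ip + ETH_HEADER}


def ping_probe(target: str, payload: int, count: int = 2, timeout_s: int = 2) -> bool:
    """Real probe: True if at least one echo reply came back for this payload size.

    ping exits 0 when any reply is received, non-zero when all are lost.
    Payloads above ~1472 bytes are IP-fragmented on Ethernet, which is what
    an IPS 'ping size' protection inspects after reassembly.
    """
    cmd = ["ping", "-c", str(count), "-W", str(timeout_s), "-s", str(payload), target]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def max_passing_payload(probe: Callable[[int], bool],
                        lo: int = 0, hi: int = MAX_IPV4_PAYLOAD) -> Optional[int]:
    """Binary-search the largest payload for which probe(payload) succeeds.

    Assumes monotone behaviour (if N passes, everything below N passes).
    Returns None if even `lo` bytes are dropped.
    """
    if not probe(lo):
        return None
    if probe(hi):
        return hi
    # Invariant: probe(lo) passed, probe(hi) failed.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def simulated_firewall(icmp_limit: int) -> Callable[[int], bool]:
    """Constructed stand-in for a gateway that drops echoes whose ICMP portion
    (payload + 8-byte header) exceeds icmp_limit. Lets the search run offline."""
    return lambda payload: payload + ICMP_HEADER <= icmp_limit


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        probe = lambda n: ping_probe(target, n)   # live probe against a real host
    else:
        probe = simulated_firewall(2500)          # offline demo: Large Ping Size default
    best = max_passing_payload(probe)
    if best is None:
        print("even an empty echo is dropped")
    else:
        s = frame_sizes(best)
        print(f"largest passing payload: {best} bytes "
              f"(ICMP {s['icmp']}, IP {s['ip']}, Ethernet {s['ethernet']})")
```

Run it with a host argument to probe a real path; with no argument it runs against the simulated 2500-byte limit. The probe is coarse by design: each step is a real ping, so a full search from 0 to 65507 takes about 17 probes, and any transient loss during a probe will skew the result, so repeat it before concluding a limit is in place.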
Duane_Toler
MVP Silver

You will affect some hosts that try to do Path MTU discovery with ICMP (by sending giant ping packets), but they will still work unless they also switch to other methods such as TCP.  There are other (more proper) ways to do PMTU discovery, and giant ICMP packets aren't the best, but some firmware programmers never seemed to understand that.

You'll know who they are when you see IPS Prevent logs for ICMP.  At that point, you can decide if you want to create exceptions for them or not.  You won't destroy their ability to function, but you will generate more logs.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
jimm
Participant

Thank you for the replies. Looking at the settings, I cannot see where to change the max ping size from its default value. Where can I adjust that?

0 Kudos
Duane_Toler
MVP Silver

It's in the list of IPS Protections.  Here's the configuration you want:

 Select and edit the protection item:

Screenshot 2026-03-17 at 9.44.40 PM.png

Set it to Accept for your profile, if it's not already:

Screenshot 2026-03-17 at 9.44.59 PM.png

Edit the Advanced section and enter the max number of bytes you want:

Screenshot 2026-03-17 at 9.45.07 PM.png

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
