This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jesus_Cano
Collaborator
‎2019-02-20 12:50 AM

Permit ICMP request only in several networks

For security reasons, I have disabled the "Accept ICMP request" box in the global properties of a cluster checkpoint 5400 version R77.30.
The case is that a client / server application needs this traffic through a VPN.
Can this traffic be enabled safely only for certain networks?

thanks

0 Kudos
5 Replies
Maarten_Sjouw
Champion
Champion
‎2019-02-20 05:06 AM

Most of the time all they need is Echo-Request, the reply is part of the standard statefull inspection so does not need to be added. You can just add that service to a rule allowing the traffic back and forth.

Regards, Maarten
0 Kudos
Jesus_Cano
Collaborator
‎2019-02-20 07:25 AM
In response to Maarten_Sjouw

What I want to know is if we can enable this feaure in policy -> global properties -> accept ICMP without compromising security by restricting the traffic allowed only to the source IPs of the VPN

0 Kudos
Jesus_Cano
Collaborator
‎2019-02-20 07:32 AM
In response to Jesus_Cano

Basically, we want to know if we can to enable the ACCEPT ICMP in global properties, keeping or restric some IPs into a VPN.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-02-20 08:14 AM
In response to Jesus_Cano

When you enable it in the global properties, and do it as Before last, you can still apply a drop rule for specific networks, but to be honest I don't like the things that apply to all traffic, to be enabled on a global level. I rather be specific on allowing Ping. We see a lot of times that ICMP as a protocol has been allowed, which is not really what you want. There are to many ICMP items that can be used maliciously.

Regards, Maarten
0 Kudos
PhoneBoy
Admin
Admin
‎2019-02-22 08:59 PM

They are called Global Properties for a reason. Smiley Happy

Exceptions one way or the other need explicit rules.

Is there a specific reason you want to use Global Properties and not an explicit rule?

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events