Jesus_Cano
Collaborator

Permit ICMP request only in several networks

For security reasons, I have disabled the "Accept ICMP request" box in the global properties of a Check Point 5400 cluster, version R77.30.
The case is that a client / server application needs this traffic through a VPN.
Can this traffic be enabled safely only for certain networks?

Thanks

0 Kudos
5 Replies
Maarten_Sjouw
Champion

Most of the time all they need is Echo-Request; the reply is part of the standard stateful inspection, so it does not need to be added. You can just add that service to a rule allowing the traffic back and forth.

Regards, Maarten
0 Kudos
Jesus_Cano
Collaborator

What I want to know is if we can enable this feature in policy -> global properties -> accept ICMP without compromising security by restricting the traffic allowed only to the source IPs of the VPN.

0 Kudos
Jesus_Cano
Collaborator

Basically, we want to know if we can enable the ACCEPT ICMP in global properties, keeping or restricting some IPs into a VPN.

0 Kudos
Maarten_Sjouw
Champion

When you enable it in the global properties, and do it as Before Last, you can still apply a drop rule for specific networks, but to be honest I don't like the things that apply to all traffic to be enabled on a global level. I'd rather be specific on allowing Ping. We see a lot of times that ICMP as a protocol has been allowed, which is not really what you want. There are too many ICMP items that can be used maliciously.

Regards, Maarten
0 Kudos
PhoneBoy
Admin

They are called Global Properties for a reason. :)

Exceptions one way or the other need explicit rules.

Is there a specific reason you want to use Global Properties and not an explicit rule?
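
The approach discussed in this thread, modelled as an added example (not written by any poster and not Check Point code): an explicit rule accepts only echo-request from listed source networks, the echo-reply is admitted by tracked state rather than by a rule, and every other ICMP type is dropped. The class and function names are hypothetical, and the addresses and the 10.20.0.0/24 "VPN" network are constructed sample values.

```python
import ipaddress

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMPv4 type numbers (RFC 792)


class IcmpEchoPolicy:
    """Toy model: echo-request allowed from listed sources only,
    replies admitted by connection state instead of a second rule."""

    def __init__(self, allowed_sources):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_sources]
        self.pending = set()  # (requester, target, icmp_id, seq) awaiting a reply

    def decide(self, src, dst, icmp_type, icmp_id=0, seq=0):
        if icmp_type == ECHO_REQUEST:
            src_ip = ipaddress.ip_address(src)
            if any(src_ip in net for net in self.allowed):
                self.pending.add((src, dst, icmp_id, seq))
                return "accept"
            return "drop"  # source is not one of the permitted networks
        if icmp_type == ECHO_REPLY:
            key = (dst, src, icmp_id, seq)  # reply travels target -> requester
            if key in self.pending:
                self.pending.discard(key)  # one reply per tracked request
                return "accept"
            return "drop"  # unsolicited reply, no matching state
        return "drop"  # redirect, timestamp, etc. have no rule at all


def run_sample():
    fw = IcmpEchoPolicy(["10.20.0.0/24"])  # constructed VPN peer network
    packets = [  # constructed sample traffic: (src, dst, type, id, seq)
        ("10.20.0.5", "192.168.1.10", ECHO_REQUEST, 7, 1),   # permitted ping
        ("192.168.1.10", "10.20.0.5", ECHO_REPLY, 7, 1),     # its reply
        ("192.168.1.10", "10.20.0.5", ECHO_REPLY, 7, 1),     # replayed reply
        ("203.0.113.9", "192.168.1.10", ECHO_REQUEST, 1, 1), # outside source
        ("10.20.0.5", "192.168.1.10", 5, 0, 0),              # ICMP redirect
        ("10.20.0.5", "192.168.1.10", 13, 0, 0),             # timestamp request
    ]
    return [fw.decide(*p) for p in packets]


if __name__ == "__main__":
    print(run_sample())
```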
