Security Policy Guide 24.2.20 and 24.2.10

ICMP Services

ICMP can be added as a service and used in rules to write granular inbound or outbound policy for ICMP. ICMP is usually used for traceroute and path MTU discovery.

You can export ICMP traffic in JSON, CEF, or LEEF format.

Note

When these services are blocked, they do not appear in the Blocked Traffic list and the connection is dropped silently.

ICMP types and codes (such as 0 ICMP or 3/2 ICMP) are supported. Valid type and code values range from 0 to 255.

The following table describes the correct format for each type of supported ICMP rule:

  Example              | Format                                                                                        | Meaning in Rule
  ---------------------|-----------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------
  ICMP (on a new line) | Protocol name only                                                                            | Allow all ICMP traffic
  3 ICMP               | Type = 3, Protocol name = ICMP                                                                | All ICMP traffic of type 3 (Destination Unreachable) is allowed regardless of the code used in the rule.
  3/6 ICMP             | Type = 3, Code = 6, Protocol name = ICMP                                                      | Only type 3 and code 6 ICMP traffic is allowed.
  3 ICMP, 6 ICMP       | Type 3 of ICMP, Type 6 of ICMP (Tip: use this format to add as many types as you need)        | Only type 3 and type 6 ICMP traffic is allowed regardless of the code used in the rule.

ICMP traffic is displayed in Explorer, similar to TCP/UDP traffic. From the 19.1.0 release on, you can see ICMP traffic flows in Illumination and the App Groups Map. You can choose to conceal them by using the filter in Illumination.

You can also create and update services that use the ICMP protocol using the Illumio Core REST API. See Services in REST API Developer Guide for information about using the REST API to create services.

Caveats

  • ICMP is not supported for virtual services.

  • When an ICMP service is used in a rule, all ICMP types are allowed; however, granular control and specific multicast addresses are not supported.

  • When you enable IPv6 on Windows VENs, IPv6 system rules are not propagated to those VENs. You need to write security rules to ensure robust IPv6 functionality. The ICMPv6 types that are required in those rules are as follows:

    ICMPv6 Message                 | ICMPv6 Type
    -------------------------------|------------
    Router Solicitation Message    | 133
    Router Advertisement Message   | 134
    Neighbor Solicitation Message  | 135
    Neighbor Advertisement Message | 136
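The following is an added worked example, not code from Illumio or from this guide. It models the service-string formats in the ICMP rule table above (ICMP, 3 ICMP, 3/6 ICMP, and the comma-separated 3 ICMP, 6 ICMP form), enforces the 0 to 255 range, evaluates whether a given ICMP type/code would be allowed by a service (including the "regardless of the code" behaviour of a type-only entry), and checks a set of service entries against the four ICMPv6 types the Windows VEN IPv6 caveat requires. The protocol name ICMPv6 and the assumption that IPv6 entries use the same "type[/code] ICMPv6" syntax are assumptions of this example; the guide does not state the ICMPv6 entry syntax, and the functions parse_service, matches, is_valid_service and missing_ndp_types are hypothetical names, not part of any Illumio API.

```python
import re
from typing import List, NamedTuple, Optional

# Added example code; not Illumio's own implementation.
# Assumption: IPv6 entries use the same syntax as IPv4 ones with the
# protocol name "ICMPv6" (the guide only documents the "ICMP" form).

ICMP_RANGE = range(0, 256)  # ICMP type and code values are 0..255


class IcmpEntry(NamedTuple):
    proto: str                 # "ICMP" or "ICMPv6"
    icmp_type: Optional[int]   # None means any type (bare "ICMP" entry)
    icmp_code: Optional[int]   # None means any code ("3 ICMP" style entry)


# "ICMP" | "3 ICMP" | "3/6 ICMP"; entries are separated by commas.
_ENTRY_RE = re.compile(
    r"^(?:(\d{1,3})(?:/(\d{1,3}))?\s+)?(ICMPv6|ICMP)$", re.IGNORECASE
)


def parse_service(text: str) -> List[IcmpEntry]:
    """Parse a service string such as "3 ICMP, 6 ICMP" into entries."""
    entries: List[IcmpEntry] = []
    for raw in text.split(","):
        raw = raw.strip()
        m = _ENTRY_RE.match(raw)
        if not m:
            raise ValueError(f"unrecognised ICMP service entry: {raw!r}")
        type_s, code_s, proto = m.groups()
        icmp_type = int(type_s) if type_s is not None else None
        icmp_code = int(code_s) if code_s is not None else None
        for value in (icmp_type, icmp_code):
            if value is not None and value not in ICMP_RANGE:
                raise ValueError(f"ICMP type/code out of range 0-255: {raw!r}")
        proto = "ICMPv6" if proto.lower() == "icmpv6" else "ICMP"
        entries.append(IcmpEntry(proto, icmp_type, icmp_code))
    return entries


def is_valid_service(text: str) -> bool:
    """True if the service string parses and every value is in range."""
    try:
        parse_service(text)
        return True
    except ValueError:
        return False


def matches(entries: List[IcmpEntry], proto: str,
            icmp_type: int, icmp_code: int) -> bool:
    """Would traffic of this proto/type/code be allowed by these entries?

    A type-only entry ("3 ICMP") matches every code of that type; a bare
    protocol entry ("ICMP") matches every type and code of that protocol.
    """
    for e in entries:
        if e.proto != proto:
            continue
        if e.icmp_type is not None and e.icmp_type != icmp_type:
            continue
        if e.icmp_code is not None and e.icmp_code != icmp_code:
            continue
        return True
    return False


# ICMPv6 types the guide lists as required for Windows VENs with IPv6 enabled.
REQUIRED_ICMPV6_TYPES = {
    133: "Router Solicitation",
    134: "Router Advertisement",
    135: "Neighbor Solicitation",
    136: "Neighbor Advertisement",
}


def missing_ndp_types(entries: List[IcmpEntry]) -> List[int]:
    """Return the required ICMPv6 types that no entry allows (code 0 is the
    code these Neighbor Discovery messages carry)."""
    return [t for t in sorted(REQUIRED_ICMPV6_TYPES)
            if not matches(entries, "ICMPv6", t, 0)]


if __name__ == "__main__":
    svc = parse_service("3 ICMP, 6 ICMP")
    print(svc)
    print("type 3 code 13 allowed:", matches(svc, "ICMP", 3, 13))
    print("type 8 code 0 allowed:", matches(svc, "ICMP", 8, 0))
    v6 = parse_service("133 ICMPv6, 134 ICMPv6")
    print("missing NDP types:", missing_ndp_types(v6))
```

Running the block shows that "3 ICMP, 6 ICMP" admits type 3 with any code but not type 8, and that a service covering only types 133 and 134 still leaves Neighbor Solicitation (135) and Neighbor Advertisement (136) unallowed, which is the gap the caveat above warns about.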