ICMP Services
ICMP can be added as a service for detailed inbound or outbound policy creation, commonly used for traceroute and path MTU discovery.
Export ICMP traffic in JSON, CEF, or LEEF format.
Blocked ICMP services won't appear in the Blocked Traffic list, resulting in a silent connection drop.
Supported ICMP types/codes range from 0 to 255, allowing specific rule configurations.
The following table describes the correct format for each type of supported ICMP rule:
Example | Format | Meaning in Rule |
|---|---|---|
ICMP (on a new line) | Protocol name only | Allow all ICMP traffic |
3 ICMP | Type = 3 Protocol name = ICMP | All ICMP traffic of type 3 (Destination Unreachable) is allowed regardless of the code used in the rule. |
3/6 ICMP | Type = 3 Code = 6 Protocol name = ICMP | Only type 3 and code 6 ICMP traffic is allowed. |
3 ICMP, 6 ICMP | Type 3 of ICMP, Type 6 of ICMP TipUse this format to add as many types as you need. | Only type 3 and type 6 ICMP traffic is allowed regardless of the code used in the rule. |
ICMP traffic is displayed in Explorer, similar to TCP/UDP traffic.
You can see ICMP traffic flows in Illumination and the App Groups Map. You can choose to conceal them by using the filter in Illumination.
You can also create and update services that use the ICMP protocol using the REST API.
Caveats
ICMP is not supported for virtual services.
ICMP rules allow all types but lack granular control or specific multicast addresses.
For IPv6 functionality on Windows VENs, specific ICMPv6 types (e.g., Router Solicitation, Router Advertisement) must be managed separately in security rules.
The ICMPv6 types that are required in those rules are as follows:
ICMPv6 Message
ICMPv6 Type
Router Solicitation Message
133
Router Advertisement Message
134
Neighbor Solicitation Message
135
Neighbor Advertisement Message
136