After configuring the security policies on the firewall, we can observe that some ICMP destination unreachable messages still pass through the NGFW even though no security policy explicitly permits them.
The reason for this behaviour is that an ICMP destination unreachable message is allowed through the firewall only when the firewall already holds a session for the packet that triggered the ICMP unreachable.
As you know, an ICMP unreachable message is generated by a device to tell the source host that a destination unicast address cannot be reached. When a device drops a packet because its destination is unreachable, it informs the source of that packet by sending back an ICMP unreachable message. The ICMP message returned to the sender quotes the IP header of the original datagram plus the first 8 bytes of its data (for TCP and UDP those 8 bytes contain the source and destination ports), which is exactly what lets a stateful firewall tie the error back to an existing session.
For instance, take the above topology and consider CLIENT 1 trying to communicate with CLIENT 2. If the packet sent from CLIENT 1 to CLIENT 2 is filtered on AR2, the AR can send an ICMP unreachable message back to CLIENT 1 to inform it that the original packet did not reach its destination. That ICMP unreachable packet also carries the original IP header and the first 8 bytes of the original packet.
If the firewall already has a session for the original packet that AR2 dropped, it matches the quoted header against that session and lets the ICMP unreachable packet through, even though no security rule is configured for it. An ICMP unreachable whose quoted header matches no session (for example one injected by a third party) does not get this treatment.
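The matching logic described above, as an added example written for this post and not code from the firewall vendor: it builds a constructed TCP packet from CLIENT 1 to CLIENT 2, records its 5-tuple as a session the way a stateful firewall would, then generates the ICMP destination unreachable that AR2 would return and checks whether the quoted IP header plus 8 bytes of transport data match a known session. The IP addresses (10.1.1.10, 10.2.2.20, 10.2.2.1) are assumptions; the packets are constructed inline and IP/ICMP checksums are left at zero because nothing here re-validates them.

```python
import struct

ICMP_DEST_UNREACH = 3
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def ip_to_str(b):
    return ".".join(str(x) for x in b)


def str_to_ip(s):
    return bytes(int(x) for x in s.split("."))


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 header, no options, checksum zero (not validated in this example)."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, ttl, proto, 0,
                      str_to_ip(src), str_to_ip(dst))
    return hdr + payload


def parse_ipv4(pkt):
    """Return ({src, dst, proto}, payload); honours IHL so option-bearing headers parse too."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("malformed IPv4 header")
    return {"src": ip_to_str(src), "dst": ip_to_str(dst), "proto": proto}, pkt[ihl:]


def build_icmp_unreach(router, orig_pkt, code=1):
    """ICMP type 3 quoting the original IP header plus the first 8 bytes of its data (RFC 792)."""
    hdr, payload = parse_ipv4(orig_pkt)
    ihl = len(orig_pkt) - len(payload)
    quoted = orig_pkt[:ihl + 8]
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    return build_ipv4(router, hdr["src"], PROTO_ICMP, icmp)


def five_tuple(ip_hdr, transport8):
    """Session key from an IP header and the first 8 bytes of its payload.
    For TCP and UDP those bytes start with the source and destination ports."""
    if ip_hdr["proto"] in (PROTO_TCP, PROTO_UDP):
        sport, dport = struct.unpack("!HH", transport8[:4])
    else:
        sport = dport = 0
    return (ip_hdr["proto"], ip_hdr["src"], sport, ip_hdr["dst"], dport)


def icmp_error_matches_session(pkt, sessions):
    """Return the 5-tuple of the session an ICMP unreachable belongs to, or None.
    None means a stateful firewall with no explicit ICMP rule would drop it."""
    outer, icmp = parse_ipv4(pkt)
    # 8 bytes ICMP header + at least 20 bytes quoted IP header + 8 bytes quoted data
    if outer["proto"] != PROTO_ICMP or len(icmp) < 8 + 20 + 8 or icmp[0] != ICMP_DEST_UNREACH:
        return None
    inner, inner_payload = parse_ipv4(icmp[8:])
    if len(inner_payload) < 8:
        return None
    # The error must be addressed to the host that sent the quoted packet.
    if outer["dst"] != inner["src"]:
        return None
    key = five_tuple(inner, inner_payload[:8])
    return key if key in sessions else None


def demo():
    """CLIENT 1 (10.1.1.10) -> CLIENT 2 (10.2.2.20), dropped and answered by AR2 (10.2.2.1)."""
    sessions = set()
    tcp_syn = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)
    original = build_ipv4("10.1.1.10", "10.2.2.20", PROTO_TCP, tcp_syn)
    hdr, payload = parse_ipv4(original)
    sessions.add(five_tuple(hdr, payload[:8]))          # firewall creates the session

    genuine = build_icmp_unreach("10.2.2.1", original)    # AR2 reports the drop
    allowed = icmp_error_matches_session(genuine, sessions)

    # Same hosts, but quoting a flow the firewall never saw: no session, so it is dropped.
    other = build_ipv4("10.1.1.10", "10.2.2.20", PROTO_TCP,
                       struct.pack("!HHIIBBHHH", 40001, 443, 1, 0, 0x50, 0x02, 65535, 0, 0))
    blocked = icmp_error_matches_session(build_icmp_unreach("10.2.2.1", other), sessions)
    return allowed, blocked


if __name__ == "__main__":
    print(demo())
```

Note that the check on the outer destination address matters: an ICMP error that quotes a real session but is addressed to some other host is not a legitimate reply to that session and should not inherit its permission.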
At the moment the only way to filter these ICMP unreachable packets is to enable the firewall's attack defense mechanism and have it drop them. This can be done in the following way: