After we configure the security polcies on the firewall we can observe that some ICMP destination unreachable messages can pass through the NGFW even though no security policy is configured in this way.
The explanation behind this behavior is that the ICMP destination unreachable message is allowed through the firewall just in the case where on the firewall already exists a session for the packet that caused the generation of the ICMP unreachable.
As you know the ICMP unreachable packet is generated by a device to inform the source host that the destination unicast address is unreachable. So, in the case where a packet is dropped by a device because its destination is unreachable, that device will inform the source of the packet about this event by sending it an ICMP unreachable message. The ICMP unreachable message that is returned to the sender will include the IP header plus the first 8 bytes of the original datagram's data .
For instance, If we take the above topology as an example and we consider that CLIENT 1 is trying to communicate with CLIENT2. In the situation where the packet that is sent from CLIENT 1 to CLIENT 2 is somehow filtered on AR2, the AR can send an icmp unreachable message back to client 1 to inform it that the original packet didn’t reach its destination. The ICMP unreachable packet would also contain the first 8 bytes of the original packet.
If the firewall already has a session for the original packet that got dropped on the AR, the ICMP unreachable packet will be allowed even though there is no specific security rule configured in this sense.
At the moment the only way we can filter the icmp unreachable packets is by enabling the attack defense mechanism of the firewall to filter them. This can be done in the following way: