Screen OS

  • 1.  Create a ICMP Ping Policy

    Posted 08-11-2009 17:09

    How can I create a policy that allows egress pings but denies all other ICMP? Meaning I want a policy that only contains the ICMP services that ping requires.

     

    --Tim



  • 2.  RE: Create a ICMP Ping Policy
    Best Answer

    Posted 08-11-2009 17:36
    I believe that the ping service deals specifically with this. If you allow ping and disallow all other ICMP you should achieve what you are looking for.


  • 3.  RE: Create a ICMP Ping Policy

    Posted 08-12-2009 08:57

    The ping service is only ICMP type: 8, code: 0; the rest of ICMP is being blocked.

     

    --Tim



  • 4.  RE: Create a ICMP Ping Policy

    Posted 08-11-2009 20:07

    IIRC this is not entirely possible.

     

    ICMP packets like port unreachables contain the original packet information inside and are matched against the outbound session so would not be matching an ICMP policy.

     

    So an ICMP port unreachable for a syslog packet sent to a server which had the syslog service disabled would match the syslog policy and the session that allowed the packet through, and not the ICMP policy.

     

    Laters

     

    Ben
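
The behaviour described in this thread can be sketched as a small classifier. This is an added example, not part of the original posts and not ScreenOS code: a simplified model of a stateful firewall that sends echo requests and other ICMP queries to policy lookup, but matches ICMP error messages against the session of the packet embedded in them. The addresses, ports, function names and result labels are constructed for illustration.

```python
import socket
import struct

# ICMP error types that carry the offending packet's IP header + 8 bytes (RFC 792)
ICMP_ERRORS = {3, 4, 5, 11, 12}

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (checksum left at 0) for the constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def icmp(itype, code, body):
    """ICMP header (checksum and rest-of-header left at 0) followed by body."""
    return struct.pack("!BBHI", itype, code, 0, 0) + body

def classify(packet, sessions):
    """Say whether an ICMP packet is judged by ICMP policy or by an existing session."""
    ihl = (packet[0] & 0x0F) * 4
    msg = packet[ihl:]
    if packet[9] != 1 or len(msg) < 8:
        return "not-icmp"
    itype, code = msg[0], msg[1]
    if (itype, code) == (8, 0):
        return "policy:PING"              # echo request, the only thing PING covers
    if itype == 0:
        return "ping-session"             # echo reply: return traffic, not tracked here
    if itype not in ICMP_ERRORS:
        return "policy:other-icmp"        # e.g. timestamp request; hits the ICMP deny
    inner = msg[8:]                       # embedded original IP header + 8 bytes
    inner_ihl = (inner[0] & 0x0F) * 4 if inner else 0
    if inner_ihl < 20 or len(inner) < inner_ihl + 4 or inner[9] not in (6, 17):
        return "drop:no-session"
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    key = (inner[9], socket.inet_ntoa(inner[12:16]), sport,
           socket.inet_ntoa(inner[16:20]), dport)
    return "session-match" if key in sessions else "drop:no-session"

# Constructed sample traffic: a syslog datagram and the packets discussed in the thread
SYSLOG = ipv4("10.0.0.5", "192.0.2.10", 17, struct.pack("!HHHH", 40000, 514, 8, 0))
SESSIONS = {(17, "10.0.0.5", 40000, "192.0.2.10", 514)}
PORT_UNREACH = ipv4("192.0.2.10", "10.0.0.5", 1, icmp(3, 3, SYSLOG))
PING = ipv4("10.0.0.5", "192.0.2.10", 1, icmp(8, 0, b"abcd"))
TIMESTAMP = ipv4("10.0.0.5", "192.0.2.10", 1, icmp(13, 0, b"\x00" * 12))

if __name__ == "__main__":
    for name, pkt in [("ping", PING), ("timestamp", TIMESTAMP), ("port-unreach", PORT_UNREACH)]:
        print(name, "->", classify(pkt, SESSIONS))
```

In this model the port unreachable is accepted only while the syslog session exists; with an empty session table the same packet is dropped without ever reaching an ICMP policy.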