How can the Mcafee FW respond to ICMP?

Hi,

Can you guide me on how to configure the FW to respond to ICMP?

The ping is just Pt. to Pt. and I'm getting ????

Below is the log I'm getting...

Kindly help...

ICMP_log.jpg

1 Solution

Accepted Solutions
Level 14
Message 10 of 16

Re: How can the Mcafee FW respond to ICMP?

Did you change your Deny All rule's action from 'Deny' to 'Drop'?  This could cause this behavior.  I just tested this and that was the behavior I saw (I could ping my FW's internal interface when the Deny All rule was a 'Deny' rule, but when I changed it to 'Drop' I could no longer ping the FW's internal interface and I hit the Deny All rule).

If you did change your Deny All rule please change it back to Action: Deny.

15 Replies
Level 10
Message 2 of 16

Re: How can the Mcafee FW respond to ICMP?

Are you trying to ping the firewall or ping through the firewall?

If you are trying to ping the firewall, ECHO reply is disabled by default. To enable Ping/ICMP you need to do so on a per zone/burb basis. The zone should be selected for whatever interface you are trying to ping.

enableping.jpg

If you are trying to ping through the firewall you need to create a firewall rule to allow it.

Hope that helps.

Message was edited by: dgold on 7/19/11 10:19:32 AM CDT

Re: How can the Mcafee FW respond to ICMP?

Hi Dgold,

I'm trying to ping the firewall itself.

I checked the settings on the Zone and it is allowed to respond to ICMP echo and timestamps.

But still I cannot ping the pt. 2 pt.

Do you have other suggestions? 

Appreciate your assistance...

Level 14
Message 4 of 16

Re: How can the Mcafee FW respond to ICMP?

Following on from dgold's response, pinging to the firewall and pinging through the Firewall are handled completely separately.

What he showed you in his response was the setting required to allow the firewall to respond to ping requests sent to it directly.

If you wish to send a ping request from a machine sitting on one side of the firewall to a machine sitting on the other side, then it will be necessary to create an access rule to allow either the ping service (version 7 or earlier) or the ICMP service (version 8) to pass from source zone/burb to destination zone/burb.

The audit record you have included in your original message shows that when you try to ping the target address the connection is falling all the way through the access rules and is hitting the default "Deny All" rule at the bottom of this list - essentially proving that you do not have an appropriate rule in place to allow the connection to pass through. As soon as you add a rule in, and as long as that rule is positioned above "Deny All", then you should be good to go.

Hope that helps.

Phil.


Re: How can the Mcafee FW respond to ICMP?

Hi Phil/Dgold,

I'm trying to ping the FW itself.

The FW interface I'm trying to ping is the cluster interface 10.20.10.1

The source IP is 10.20.10.4 which is directly connected, but somehow when I filter logs on the FW I'm hitting the deny any rule..

Even though I've added a rule to permit ICMP.

Is there any additional config that i might have missed?

Thanks...

Appreciate your help...

Interface.jpg

Level 14
Message 6 of 16

Re: How can the Mcafee FW respond to ICMP?

You do not need a rule to ping the firewall itself.  Perhaps that is your problem, as you are hitting the Deny All rule, so this means your firewall knows you have some rule configured with the ping/ICMP service but you are not matching that rule correctly (and thus you fall to the Deny All rule).

Can you remove whatever ping/icmp rule you created and try to ping the firewall again?


Also, does an 'ifconfig -a' show that 10.20.10.1 is configured on your internal interface?

Can you ping 10.20.10.2, the native IP of this firewall?

Level 14
Message 7 of 16

Re: How can the Mcafee FW respond to ICMP?

Can you ping 10.20.10.2? (the primary address).

If this works, but you don't get a response from the cluster address it will probably require you to raise a ticket with technical support.

I would probably suggest running a tcpdump while trying to ping the 10.20.10.1 address just to make sure the ICMP packets are actually arriving in the first place. If they aren't then the firewall won't be able to respond to them.
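
A small diagnostic in the spirit of the tcpdump suggestion above, added here as an example and not part of the thread: it reads tcpdump's text output captured while a peer pings the firewall and tells "echo requests never arrive" apart from "requests arrive but the firewall never answers". The capture lines are constructed, and the firewall address and interface name are assumed.

```shell
#!/bin/sh
# Added example, not from the thread: classify a tcpdump capture taken while
# pinging the firewall address, to separate "echo requests never arrive"
# from "requests arrive but the firewall never answers". The capture lines
# below are constructed in tcpdump's default text format; FW_IP is assumed.

FW_IP=10.20.10.1

# Constructed capture matching the symptom in the thread: requests from the
# directly connected host, no replies from the firewall.
NO_REPLY_CAPTURE='12:00:01.000001 IP 10.20.10.4 > 10.20.10.1: ICMP echo request, id 1, seq 1, length 64
12:00:02.000001 IP 10.20.10.4 > 10.20.10.1: ICMP echo request, id 1, seq 2, length 64
12:00:03.000001 IP 10.20.10.4 > 10.20.10.1: ICMP echo request, id 1, seq 3, length 64'

# Constructed capture of a healthy exchange, for comparison.
HEALTHY_CAPTURE='12:00:01.000001 IP 10.20.10.4 > 10.20.10.1: ICMP echo request, id 2, seq 1, length 64
12:00:01.000300 IP 10.20.10.1 > 10.20.10.4: ICMP echo reply, id 2, seq 1, length 64'

# icmp_verdict <fw_ip>  reads capture text on stdin and prints one word:
#   no-requests  nothing reached the interface (look upstream: routing, cabling, VLAN)
#   no-replies   requests arrive but the firewall stays silent (zone ICMP response
#                setting, or a Deny All rule switched from Deny to Drop)
#   replying     the firewall answers; the problem is elsewhere
icmp_verdict() {
  awk -v fw="$1" '
    BEGIN { req = 0; rep = 0 }
    / ICMP echo request, / && $5 == (fw ":") { req++ }   # dst field carries a trailing colon
    / ICMP echo reply, /   && $3 == fw       { rep++ }   # src field is the firewall itself
    END {
      if (req == 0)      print "no-requests"
      else if (rep == 0) print "no-replies"
      else               print "replying"
    }'
}

# Offline demonstration on the constructed captures.
printf '%s\n' "$NO_REPLY_CAPTURE" | icmp_verdict "$FW_IP"   # no-replies
printf '%s\n' "$HEALTHY_CAPTURE"  | icmp_verdict "$FW_IP"   # replying

# Live use on the firewall (needs root; <interface> is the interface that
# holds FW_IP), run while a peer pings the address:
#   tcpdump -nl -i <interface> -c 20 icmp and host "$FW_IP" | icmp_verdict "$FW_IP"
```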

Level 14
Message 8 of 16

Re: How can the Mcafee FW respond to ICMP?

WAIT:  The first ACL Deny screenshot you posted says you're trying to ping 10.10.10.1.

The screenshot of your interface says its IP is 10.20.10.1.  Are you trying to ping the wrong IP?


Re: How can the Mcafee FW respond to ICMP?

Hi,

Sorry, I must have pasted the wrong segment.. here is the latest one..

Deny.jpg

I also cannot ping 10.20.10.2

and the ifconfig -a shows 10.20.10.1 as my interface..

I already opened a case on this with our local support here.. but he cannot see the problem either..
