1 2 Previous Next 15 Replies Latest reply on Jul 20, 2011 1:18 PM by sliedl

    How can the Mcafee FW respond to ICMP?

      Hi,

       

      Can you guide me on how to configure the FW to respond to ICMP?

      The ping is just point-to-point and I'm getting ????

       

      Below is the log I'm getting...

      Kindly help...

      ICMP_log.jpg

        • 1. Re: How can the Mcafee FW respond to ICMP?

          Are you trying to ping the firewall or ping through the firewall?

           

          If you are trying to ping the firewall, ECHO reply is disabled by default. To enable Ping/ICMP you need to do so on a per zone/burb basis. The zone should be selected for whatever interface you are trying to ping.

           

          enableping.jpg

           

          If you are trying to ping through the firewall you need to create a firewall rule to allow it.

           

          Hope that helps.

           

          Message was edited by: dgold on 7/19/11 10:19:32 AM CDT
          • 2. Re: How can the Mcafee FW respond to ICMP?

            Hi Dgold,

             

            I'm trying to ping the firewall itself.

             

            I checked the settings on the Zone and it is allowed to respond to ICMP echo and timestamps.

            But still I cannot ping point-to-point.

             

            Do you have other suggestions? 

             

            Appreciate your assistance...

            • 3. Re: How can the Mcafee FW respond to ICMP?
              PhilM

              Following on from dgold's response, pinging to the firewall and pinging through the Firewall are handled completely separately.

               

              What he showed you in his response was the setting required to allow the firewall to respond to ping requests sent to it directly.

               

              If you wish to send a ping request from a machine sitting on one side of the firewall to a machine sitting on the other side, then it will be necessary to create an access rule to allow either the ping service (version 7 or earlier) or the ICMP service (version 8) to pass from source zone/burb to destination zone/burb.

               

              The audit record you have included in your original message shows that when you try to ping the target address the connection is falling all the way through the access rules and is hitting the default "Deny All" rule at the bottom of this list - essentially proving that you do not have an appropriate rule in place to allow the connection to pass through. As soon as you add a rule in, and as long as that rule is positioned above "Deny All", then you should be good to go.

               

              Hope that helps.

              Phil.

              • 4. Re: How can the Mcafee FW respond to ICMP?

                Hi Phil/Dgold,

                 

                I'm trying to ping the FW itself.

                The FW interface I'm trying to ping is the cluster interface 10.20.10.1

                The source IP is 10.20.10.4, which is directly connected - but somehow when I filter logs on the FW I'm hitting the deny any rule..

                Even though I've added a rule to permit ICMP.

                 

                Is there any additional config that i might have missed?

                 

                Thanks...

                Appreciate your help...

                Interface.jpg

                • 5. Re: How can the Mcafee FW respond to ICMP?
                  sliedl

                  You do not need a rule to ping the firewall itself.  Perhaps that is your problem, as you are hitting the Deny All rule, so this means your firewall knows you have some rule configured with the ping/ICMP service but you are not matching that rule correctly (and thus you fall to the Deny All rule).

                   

                  Can you remove whatever ping/icmp rule you created and try to ping the firewall again?


                  Also, does an 'ifconfig -a' show that 10.20.10.1 is configured on your internal interface?

                  Can you ping 10.20.10.2, the native IP of this firewall?

                  • 6. Re: How can the Mcafee FW respond to ICMP?
                    PhilM

                    Can you ping 10.20.10.2? (the primary address).

                     

                    If this works, but you don't get a response from the cluster address it will probably require you to raise a ticket with technical support.

                     

                    I would probably suggest running a tcpdump while trying to ping the 10.20.10.1 address just to make sure the ICMP packets are actually arriving in the first place. If they aren't then the firewall won't be able to respond to them.
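                    The capture check Phil describes, written out as an added example (this is not code from the thread or from McAfee): capture the echo request/reply pair on the firewall while the client pings, then classify the result. Seeing requests but no replies means the firewall received the packets and chose not to answer; seeing no requests at all means the problem is upstream of the firewall (wrong target address, routing, or layer 2). The addresses are the ones in the thread (10.20.10.1 cluster, 10.20.10.2 native, 10.20.10.4 client); the interface name `em0` and the function names `icmp_filter`, `classify_capture` and `live_triage` are assumptions made for the example, and the sample captures are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: triage a ping to the firewall's own
# address using a tcpdump capture taken on the firewall.
# Addresses follow the thread; IFACE is an assumption, substitute the real one.

FW_IP="${FW_IP:-10.20.10.1}"        # cluster address being pinged
NATIVE_IP="${NATIVE_IP:-10.20.10.2}" # native address of this node
CLIENT_IP="${CLIENT_IP:-10.20.10.4}" # directly connected client
IFACE="${IFACE:-em0}"                # assumed interface name

# BPF filter isolating the echo request (type 8) / reply (type 0) pair
# between the firewall address $1 and the client address $2.
icmp_filter() {
    printf 'icmp and host %s and host %s and (icmp[icmptype] = icmp-echo or icmp[icmptype] = icmp-echoreply)' "$1" "$2"
}

# classify_capture FW CLIENT: reads tcpdump text output on stdin and prints
#   no-requests  nothing arrived: wrong target IP, routing or layer-2 problem
#   no-replies   requests reached the firewall but it did not answer
#   ok           the firewall answered
classify_capture() {
    fw="$1"; client="$2"
    data=$(cat)
    # grep -c exits 1 when the count is 0, so guard it for set -e callers
    req=$(printf '%s\n' "$data" | grep -F -c "$client > $fw: ICMP echo request" || true)
    rep=$(printf '%s\n' "$data" | grep -F -c "$fw > $client: ICMP echo reply" || true)
    if [ "$req" -eq 0 ]; then
        echo no-requests
    elif [ "$rep" -eq 0 ]; then
        echo no-replies
    else
        echo ok
    fi
}

# live_triage FW: run on the firewall (as root) while the client pings FW.
live_triage() {
    tcpdump -n -i "$IFACE" -c 6 "$(icmp_filter "$1" "$CLIENT_IP")" 2>/dev/null \
        | classify_capture "$1" "$CLIENT_IP"
}

# Constructed sample captures in tcpdump's text format.
# First: requests to the cluster address arrive, nothing comes back.
SAMPLE_NO_REPLY='12:00:01.000000 IP 10.20.10.4 > 10.20.10.1: ICMP echo request, id 5, seq 1, length 64
12:00:02.000000 IP 10.20.10.4 > 10.20.10.1: ICMP echo request, id 5, seq 2, length 64'
# Second: the native address answers normally.
SAMPLE_OK='12:00:01.000000 IP 10.20.10.4 > 10.20.10.2: ICMP echo request, id 5, seq 1, length 64
12:00:01.000200 IP 10.20.10.2 > 10.20.10.4: ICMP echo reply, id 5, seq 1, length 64'

if [ "${1:-}" = "live" ]; then
    echo "cluster $FW_IP: $(live_triage "$FW_IP")"
    echo "native  $NATIVE_IP: $(live_triage "$NATIVE_IP")"
else
    echo "cluster sample: $(printf '%s\n' "$SAMPLE_NO_REPLY" | classify_capture 10.20.10.1 10.20.10.4)"
    echo "native sample:  $(printf '%s\n' "$SAMPLE_OK" | classify_capture 10.20.10.2 10.20.10.4)"
fi
```

                    Run it with the argument `live` on the firewall while pinging from 10.20.10.4 to compare the cluster address against the native address; without arguments it only classifies the two constructed samples. A `no-replies` result for the cluster address alongside `ok` for the native address is the case Phil says warrants a support ticket.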

                    • 7. Re: How can the Mcafee FW respond to ICMP?
                      sliedl

                      WAIT:  The first ACL Deny screenshot you posted says you're trying to ping 10.10.10.1.

                       

                      The screenshot of your interface says its IP is 10.20.10.1.  Are you trying to ping the wrong IP?

                      • 8. Re: How can the Mcafee FW respond to ICMP?

                        Hi,

                         

                        Sorry, I must have pasted the wrong segment.. here is the latest one..

                         

                         

                        Deny.jpg

                        I also cannot ping 10.20.10.2

                        and ifconfig -a shows 10.20.10.1 as my interface..

                         

                        I already opened a case on this with our local support here.. but he also cannot see the problem..

                        • 9. Re: How can the Mcafee FW respond to ICMP?
                          sliedl

                          Did you change your Deny All rule's action from 'Deny' to 'Drop'?  This could cause this behavior.  I just tested this and that was the behavior I saw (I could ping my FW's internal interface when the Deny All rule was a 'Deny' rule, but when I changed it to 'Drop' I could no longer ping the FW's internal interface and I hit the Deny All rule).

                           

                          If you did change your Deny All rule please change it back to Action: Deny.
