Are you trying to ping the firewall or ping through the firewall?
If you are trying to ping the firewall, ECHO reply is disabled by default. To enable Ping/ICMP you need to do so on a per zone/burb basis. The zone should be selected for whatever interface you are trying to ping.
If you are trying to ping through the firewall you need to create a firewall rule to allow it.
Hope that helps.
I'm trying to ping the firewall itself.
I checked the settings on the Zone and it is allowed to respond to ICMP echo and timestamps.
But still I cannot ping the pt.2 pt.
Do you have other suggestions?
Appreciate your assistance...
Following on from dgold's response, pinging to the firewall and pinging through the firewall are handled completely separately.
What he showed you in his response was the setting required to allow the firewall to respond to ping requests sent to it directly.
If you wish to send a ping request from a machine sitting on one side of the firewall to a machine sitting on the other side, then it will be necessary to create an access rule to allow either the ping service (version 7 or earlier) or the ICMP service (version 8) to pass from source zone/burb to destination zone/burb.
The audit record you have included in your original message shows that when you try to ping the target address the connection is falling all the way through the access rules and is hitting the default "Deny All" rule at the bottom of this list - essentially proving that you do not have an appropriate rule in place to allow the connection to pass through. As soon as you add a rule in, and as long as that rule is positioned above "Deny All", then you should be good to go.
Hope that helps.
I'm trying to ping the FW itself.
The FW interface I'm trying to ping is the cluster interface 10.20.10.1.
The source IP is 10.20.10.4, which is directly connected, but somehow when I filter logs on the FW I'm hitting the deny any rule,
even though I've added a rule to permit ICMP.
Is there any additional config that i might have missed?
Appreciate your help...
You do not need a rule to ping the firewall itself. Perhaps that is your problem, as you are hitting the Deny All rule, so this means your firewall knows you have some rule configured with the ping/ICMP service but you are not matching that rule correctly (and thus you fall to the Deny All rule).
Can you remove whatever ping/icmp rule you created and try to ping the firewall again?
Also, does an 'ifconfig -a' show that 10.20.10.1 is configured on your internal interface?
Can you ping 10.20.10.2, the native IP of this firewall?
Can you ping 10.20.10.2? (the primary address).
If this works, but you don't get a response from the cluster address it will probably require you to raise a ticket with technical support.
I would probably suggest running a tcpdump while trying to ping the 10.20.10.1 address just to make sure the ICMP packets are actually arriving in the first place. If they aren't then the firewall won't be able to respond to them.
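The capture check suggested above, as an added example that is not part of any post in this thread: a small POSIX shell triage for a tcpdump taken on the firewall while 10.20.10.4 pings the cluster address 10.20.10.1. It separates the three outcomes that matter here (requests arrive and are answered; requests arrive but nothing is sent back; no requests for that address arrive at all, which is what a typo such as 10.10.10.1 instead of 10.20.10.1 would produce). The capture command's interface name and the sample capture lines are constructed for the example; the addresses are the ones from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Triage a tcpdump capture taken on the
# firewall while a directly connected host pings the cluster address.
#
# Capture on the firewall, limited to the ping under test (interface name is
# an assumption; use the interface that carries the zone being pinged):
#   tcpdump -ni <internal-interface> -c 20 \
#       'icmp and host 10.20.10.4 and host 10.20.10.1' > /tmp/ping.txt
# then:  classify_icmp < /tmp/ping.txt

FW_ADDR="10.20.10.1"    # cluster address being pinged (from the thread)
SRC_ADDR="10.20.10.4"   # pinging host (from the thread)

# classify_icmp reads tcpdump -n text lines on stdin and prints one word:
#   replies       - echo requests arrived and the firewall answered them
#   requests-only - requests reached the firewall, no reply left it
#   nothing       - no echo request from SRC_ADDR to FW_ADDR was seen at all
classify_icmp() {
    req=0
    rep=0
    while IFS= read -r line; do
        case "$line" in
            *"IP $SRC_ADDR > $FW_ADDR: ICMP echo request"*) req=$((req + 1)) ;;
            *"IP $FW_ADDR > $SRC_ADDR: ICMP echo reply"*)   rep=$((rep + 1)) ;;
        esac
    done
    if [ "$rep" -gt 0 ]; then
        echo replies
    elif [ "$req" -gt 0 ]; then
        echo requests-only
    else
        echo nothing
    fi
}

# Constructed sample captures in tcpdump -n format (not real output).
# 1) healthy: request in, reply out
SAMPLE_OK='12:00:01.000001 IP 10.20.10.4 > 10.20.10.1: ICMP echo request, id 1, seq 1, length 64
12:00:01.000201 IP 10.20.10.1 > 10.20.10.4: ICMP echo reply, id 1, seq 1, length 64'

# 2) requests reach the firewall but nothing comes back (e.g. dropped locally)
SAMPLE_DROPPED='12:00:01.000001 IP 10.20.10.4 > 10.20.10.1: ICMP echo request, id 1, seq 1, length 64
12:00:02.000001 IP 10.20.10.4 > 10.20.10.1: ICMP echo request, id 1, seq 2, length 64'

# 3) the host is pinging 10.10.10.1, not the cluster address 10.20.10.1
SAMPLE_WRONG_IP='12:00:01.000001 IP 10.20.10.4 > 10.10.10.1: ICMP echo request, id 1, seq 1, length 64'

# Stand-alone run: print the verdict for each sample.
for s in "$SAMPLE_OK" "$SAMPLE_DROPPED" "$SAMPLE_WRONG_IP"; do
    printf '%s\n' "$s" | classify_icmp
done
```

"requests-only" is the case where the firewall has the packets and is choosing not to answer them, so the zone's ICMP setting, the Deny All action and the audit records are the next things to look at; "nothing" means the problem is upstream of the firewall (wrong target address, wrong interface captured, or the packets never leaving the host).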
WAIT: The first ACL Deny screenshot you posted says you're trying to ping 10.10.10.1.
The screenshot of your interface says its IP is 10.20.10.1. Are you trying to ping the wrong IP?
Did you change your Deny All rule's action from 'Deny' to 'Drop'? This could cause this behavior. I just tested this and that was the behavior I saw (I could ping my FW's internal interface when the Deny All rule was a 'Deny' rule, but when I changed it to 'Drop' I could no longer ping the FW's internal interface and I hit the Deny All rule).
If you did change your Deny All rule please change it back to Action: Deny.