6 Replies Latest reply on Dec 11, 2013 9:42 AM by PhilM

    Ping between different burbs (zones)

    shanwang

      Hi All,

       

      I am new to McAfee firewall, and got a very simple question to ask. Any response will be much appreciated.

       

      Here is my simple setup in S5032 for testing.

       

      Burb one interface (a dedicated physical port in firewall): 10.0.30.225/28 (zone 1)

      Burb two interface (a dedicated physical port in firewall): 10.0.30.241/28 (zone 2)

       

      My host machines connected to each of the above two different zones can ping the zone interface they belong to. However, hosts in different zones cannot ping each other. I have set up static routes in those hosts to point to each other. My firewall is in routed mode.

       

      Therefore, my question is: what settings should I make so that the hosts in the different zones are able to ping each other?

       

      I have enabled the "Response to ICMP echo and timestamp" and "Honor ICMP redirect" options in the burb interface configuration.

       

      Thanks in advance,

      Shan

        • 1. Re: Ping between different burbs (zones)
          PhilM

          Have you created a Firewall rule to allow ICMP to pass between the two zones (and the other way around if you want machines in either zone to ping the other)?

           

          If you have created a rule and have selected <Any> in the application field, this may be your problem. The McAfee guys who sit on this forum may be able to offer a better explanation. But, unlike many other Firewall products, "any" doesn't necessarily mean "any" when it comes to assigning applications to a rule on the McAfee Firewall. If you want ICMP to pass you will need to create a rule for ICMP.

           

          The settings you have referred to (Respond to ICMP echo & timestamp, etc...) are all specific to the Firewall itself. E.g. if you do not enable "Respond to ICMP..." and you try and ping the local interface on the Firewall it will not respond. Enable this setting and it will then start responding.

           

          -Phil.

          • 2. Re: Ping between different burbs (zones)
            shanwang

            Hi PhilM,

             

            Thanks for your advice. I should have responded earlier.

             

            After raising this question in the forum, I realised that I need to create specific rules in the FW to explicitly allow ICMP request and response between the two zones. After creating the rules, the ping became successful. What I missed is the rules for the zones, because I had already enabled ICMP at the interface level when the interfaces were created.

             

            Kind regards,

            Shan

            • 3. Re: Ping between different burbs (zones)
              gooru4speed

               Hi Phil,

              How do you suggest to configure an ICMP rule? I mean, if you try to use "Any" and "ICMP" as applications on the same rule you'll receive an error message that ICMP cannot be used with "Any".

               

               Would you configure two rules? The first one for ICMP and the second one with "Any" as the application?

               

              Regards!

              JR

              • 4. Re: Ping between different burbs (zones)
                PhilM

                JR -

                 

                 One of the McAfee guys may be in a better position to answer this, but since I was first trained on Sidewinder back at version 5 (circa 2000/2001), I have been led to understand that "Any" doesn't really exist in this product as far as services/applications are concerned. It is one of those things that has separated this Firewall from most of its peers.


                 This can make life tricky because when creating rules it means you have to *know* which ports/protocols you wish to pass between different zones - but as far as I am concerned that is just sensible practice. If you want to allow "Anything" why not simply connect the device behind a basic NAT-ing router?...

                 

                 When v8 came along and suddenly an "Any" application type appeared, I did wonder if this meant that it would now be possible to create rules to allow anything. I actually raised this as a question back in 2011:

                 

                https://community.mcafee.com/message/190912#190912

                 

                 You will notice that Matt Tuma's response suggests that "Any" is still governed by the entries in the Application Signature Database and doesn't mean "anything".

                 

                 Sam Liedl then added his own thoughts on which applications you should apply to a rule to cover virtually anything.

                 

                -Phil.

                 

                Message was edited by: PhilM on 11/12/13 15:11:45 GMT
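As an added illustration (not code from this thread, and not McAfee's own policy engine), here is a small Python model of the behaviour Phil describes in replies 1 and 4: "<Any>" in the application field expands to whatever is in the application signature database rather than acting as a true wildcard, so ICMP only passes between zones when a rule names ICMP explicitly, and each initiating direction needs its own zone-pair rule. The signature list, the rule fields, the first-match/default-deny evaluation and the "ICMP cannot be combined with Any" check from reply 3 are all assumptions made for the model.

```python
"""Toy model of zone-to-zone rule evaluation on a Sidewinder-style firewall.

Constructed for illustration only: the rule shape, the evaluation order and
the contents of APP_SIGNATURE_DB are assumptions, not McAfee's real policy
format or database. The model decides which side may *initiate* a session;
return traffic for an allowed session is assumed to be handled by the
firewall's own state tracking and is not modelled here.
"""
from dataclasses import dataclass

# Assumed stand-in for the Application Signature Database: the set that
# "<Any>" expands to. ICMP is deliberately absent, mirroring the thread.
APP_SIGNATURE_DB = frozenset({"HTTP", "HTTPS", "SSH", "DNS", "SMTP"})


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    apps: frozenset          # application names; "Any" is a special entry
    action: str = "allow"    # "allow" or "deny"

    def matching_apps(self) -> frozenset:
        """Resolve "Any" to the signature database; other names stand as written."""
        if "Any" in self.apps:
            return APP_SIGNATURE_DB | (self.apps - {"Any"})
        return self.apps


def validate(rules):
    """Reject a rule that lists both Any and ICMP (the GUI error from reply 3).

    Returns the rule list unchanged when every rule is acceptable.
    """
    for rule in rules:
        if "Any" in rule.apps and "ICMP" in rule.apps:
            raise ValueError(f"ICMP cannot be used together with Any: {rule}")
    return rules


def evaluate(rules, src_zone, dst_zone, app):
    """Return the action of the first rule matching zone pair and application.

    Anything not matched by an explicit rule is denied (default-deny).
    """
    for rule in rules:
        if (rule.src_zone, rule.dst_zone) == (src_zone, dst_zone) \
                and app in rule.matching_apps():
            return rule.action
    return "deny"


def demo():
    """Walk through the thread's scenario and return each outcome by name."""
    z1, z2 = "zone1", "zone2"
    any_only = validate([Rule(z1, z2, frozenset({"Any"}))])
    with_icmp = validate(any_only + [Rule(z1, z2, frozenset({"ICMP"}))])
    both_ways = validate(with_icmp + [Rule(z2, z1, frozenset({"ICMP"}))])
    return {
        # HTTP is in the signature DB, so the Any rule covers it
        "http_any_only": evaluate(any_only, z1, z2, "HTTP"),
        # ICMP is not, so the Any rule alone does not let a ping through
        "icmp_any_only": evaluate(any_only, z1, z2, "ICMP"),
        # an explicit ICMP rule fixes zone1 -> zone2 pings
        "icmp_with_rule": evaluate(with_icmp, z1, z2, "ICMP"),
        # ...but zone2 hosts still cannot initiate a ping to zone1
        "icmp_reverse_one_way": evaluate(with_icmp, z2, z1, "ICMP"),
        # a second rule for the other zone pair covers that direction
        "icmp_reverse_both": evaluate(both_ways, z2, z1, "ICMP"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>22}: {outcome}")
```

The takeaway the model makes concrete is the one Shan reached in reply 2: enabling ICMP on the interfaces governs whether the firewall itself answers pings, while host-to-host pings across zones need a zone-pair rule that names ICMP, in each direction from which pings will be initiated.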
                • 5. Re: Ping between different burbs (zones)
                  gooru4speed

                  Phil,

                   I read the discussion you referenced. My opinion about Sam's suggestion to create a custom service group is that the firewall won't use internal proxies for traffic analysis and everything will be treated by the TCP/UDP packet filter.

                  If I'm wrong please let me know your opinion.

                   

                  Regards,

                  JR

                  • 6. Re: Ping between different burbs (zones)
                    PhilM

                    JR -

                     

                    As far as I understand it's less to do with whether they are proxies or packet filters and more to do with the fact that (in terms of application definitions in a rule) "Any" does not mean everything.

                     

                    -Phil.