Have you created a Firewall rule to allow ICMP to pass between the two zones (and the other way around if you want machines in either zone to ping the other)?
If you have created a rule and have selected <Any> in the application field, this may be your problem. The McAfee guys who sit on this forum may be able to offer a better explanation. But, unlike many other Firewall products, "any" doesn't necessarily mean "any" when it comes to assigning applications to a rule on the McAfee Firewall. If you want ICMP to pass you will need to create a rule for ICMP.
The settings you have referred to (Respond to ICMP echo & timestamp, etc...) are all specific to the Firewall itself. E.g. if you do not enable "Respond to ICMP..." and you try and ping the local interface on the Firewall it will not respond. Enable this setting and it will then start responding.
Thanks for your advice. I should have responded earlier.
After raising this question in the forum, I realised that I need to create specific rules in the FW to explicitly allow ICMP request and response between two zones. After having the rules created, the ping became successful. What I missed was the rules for zones, because I had already enabled ICMP at interface level when the interfaces were created.
How do you suggest configuring an ICMP rule? I mean, if you try to use "Any" and "ICMP" as applications on the same rule you'll receive an error message that ICMP cannot be used with "Any".
Would you configure two rules, the first one for ICMP and the second one with "Any" as application?
One of the McAfee guys may be in a better position to answer this, but since I was first trained on Sidewinder back at version 5 (circa 2000/2001), I have been led to understand that "Any" doesn't really exist in this product as far as services/applications are concerned. It is one of those things that has separated this Firewall from most of its peers.
This can make life tricky because when creating rules it means you have to *know* which ports/protocols you wish to pass between different zones - but as far as I am concerned that is just sensible practice. If you want to allow "Anything" why not simply connect the device behind a basic NAT-ing router?...
When v8 came along and suddenly an "Any" application type appeared, I did wonder if this meant that it would now be possible to create rules to allow anything. I actually raised this as a question back in 2011:-
You will notice that Matt Tuma's response suggests that "Any" is still governed by the entries in the Application Signature Database and doesn't mean "anything".
Sam Liedl then added his own thoughts on which applications you should apply to a rule to cover virtually anything.
I read the discussion you referenced. My opinion about Sam's suggestion to create a custom service group is that the firewall won't use internal proxies for traffic analysis and everything will be treated by the TCP/UDP packet filter.
If I'm wrong please let me know your opinion.
As far as I understand it's less to do with whether they are proxies or packet filters and more to do with the fact that (in terms of application definitions in a rule) "Any" does not mean everything.