Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Watchguard "ICMP Policy" Denys ICMP.

Posted on 2011-09-22
9
Medium Priority
?
7,428 Views
Last Modified: 2012-08-13
I have a small network with multiple subnets connected to the Watchguard via a router.

For testing, I have created a duplicate network.

The "LAN" subnet is 10.255.20.0/24.  One machine on that subnet is @ .207.  The router interface is @ .5.

The "Firewall" subnet is 10.255.1.0/29.  The router interface is @ .2.  The XTM interface is at .1.  Another machine for testing is @ .3.

The XTM 23 has an "Internet" subnet.  The internet port for the XTM is @ .37 and the internet gateway for same is @ .33

The PC @ .3 on the firewall subnet can ping everything in both directions.

The PC @ .207 on the lan subnet can ping up to the internet @ .37 (XTM internet ip), but cannot ping .33.

The syslog shows "Process=firewall Disposition=Deny Policy=ICMP Packet Source IP=10.255.20.207 Destination IP=x.x.x.33 Source Interface=5-inside Destination Interface=0-ISP Source Port= Destination Port= Protocol=icmp"

But I can't find a firewall policy named "ICMP Packet".
Q1:  Where the heck is it?

I have tried creating firewall policies that permit everything to everywhere from everywhere and nothing works.  It always hits this "ICMP Packet" policy and presto, denied.
Q2:  Where do I place "something" to allow ICMP traffic from the other side of the router to the internet?

Rather frustrated.
-g
0
Comment
Question by:OuttaCyTE
  • 6
  • 3
9 Comments
 
LVL 9

Expert Comment

by:Brian
ID: 36588248
ICMP is your Ping Policy.
The Ping Policy is usually set from Any-Trusted, Any-Optional to Any.
0
 

Author Comment

by:OuttaCyTE
ID: 36588504
In my firewall policies, I have no "policy name" with the name "ICMP Packet"

I do have one named Ping-in2out, type Ping, From Any, To Any, Port ICMP (Type:8, code: 255), PBR (blank), Application Control none

The above policy is (apparently) not getting matched and I think it should.  Instead I get a policy=ICMP Packet which is denying the packet.

-g
0
 
LVL 9

Expert Comment

by:Brian
ID: 36588555
What do you have under Global Settings for the ICMP Error Handling. It appears it is not a Policy, but an internal setting in the Firewall that is causing it.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 

Author Comment

by:OuttaCyTE
ID: 36588644
Washburnma,

Thank you for responding.

All of them are checked.

(unrelated but is there a way to turn off the webui timeout value?  Does the XTM 23 have an external console - I can't find a serial port but?)

-g
0
 

Author Comment

by:OuttaCyTE
ID: 36588670
More Info

I have another log entry adjacent to this one (before?) that is exactly the same except policy=Internal Policy

I'm assuming the Internal Policy is the inbuilt policy that denys everything.


I unchecked all of the Error handling options and tried again.  Failed same way.

-g
0
 
LVL 9

Expert Comment

by:Brian
ID: 36589315
There is not a console port, but you can download the WatchGuard System Manager which is much easier to use than the web interface. I highly recommend you do. The log viewer is much better as well.

Can you post a screen shot of your log file to look through?
0
 

Author Comment

by:OuttaCyTE
ID: 36711819
Is there something that you would like to see?

The only lines in the log having something to do with this problem are the two that I have already documented.

I have set up a syslog server to capture info from the WatchGuard device.  It too only shows those two lines.  Since there isn't any other traffice going on, the log is pretty sparse except for occasional device comm and watchguard messages.

-g
0
 

Accepted Solution

by:
OuttaCyTE earned 0 total points
ID: 36932888
You aren't going to believe this.

The problem was because the license keys had not been installed.

I had reset the device to scratch and had not yet installed the keys because I didn't need any of the licensed services.

However it appears that, despite showing good, that some part of the device just won't work without that installed.

The WatchGuard technician (2nd level) noticed we didn't have license keys install and so tried it.  It started working for him so he had me try it from my machines and that did the trick.

Thanks for your efforts
-g
0
 

Author Closing Comment

by:OuttaCyTE
ID: 36954299
WatchGuard supplied the answer.  See notes above
0

Featured Post

Ready for your healthcare security check-up?

In the past few years, healthcare organizations have become a prime target for advanced attacks. Does your organization have what it needs to defend itself? Schedule your healthcare security check-up today and download our free Healthcare Security Resource Kit today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

927 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question