Watchguard "ICMP Policy" Denys ICMP.
Posted on 2011-09-22
I have a small network with multiple subnets connected to the Watchguard via a router.
For testing, I have created a duplicate network.
The "LAN" subnet is 10.255.20.0/24. One machine on that subnet is @ .207. The router interface is @ .5.
The "Firewall" subnet is 10.255.1.0/29. The router interface is @ .2. The XTM interface is at .1. Another machine for testing is @ .3.
The XTM 23 has an "Internet" subnet. The internet port for the XTM is @ .37 and the internet gateway for same is @ .33
The PC @ .3 on the firewall subnet can ping everything in both directions.
The PC @ .207 on the lan subnet can ping up to the internet @ .37 (XTM internet ip), but cannot ping .33.
The syslog shows "Process=firewall Disposition=Deny Policy=ICMP Packet Source IP=10.255.20.207 Destination IP=x.x.x.33 Source Interface=5-inside Destination Interface=0-ISP Source Port= Destination Port= Protocol=icmp"
But I can't find a firewall policy named "ICMP Packet".
Q1: Where the heck is it?
I have tried creating firewall policies that permit everything to everywhere from everywhere and nothing works. It always hits this "ICMP Packet" policy and presto, denied.
Q2: Where do I place "something" to allow ICMP traffic from the other side of the router to the internet?