Globally enabling ICMP

Hello all,

is there a sleek way to enable ZPA ICMP access globally, e.g. for a dedicated Azure VNET (e.g. a /26)? Right now it seems I would have to create an app segment containing every single VNET IP address as an application. Doable, but still a bit cumbersome. Any ideas?

And one more thing: pinging hostnames is a little awkward, as a CGNAT address will always respond. Pinging hostnames would be even more helpful if the particular IP address of the pinged host(name) were shown in the ICMP response. But I guess that’s just because of the way ZCC/Zscaler works with DNS and CGNAT for now.

BR
Manuel

Hello Manuel,

  • ICMP has to be enabled at the application segment level. Hence, configuration of an app segment is required.

  • Your understanding is correct. Since with ZPA the intention is to implement a Zero Trust architecture, returning the actual server's IP address would not be correct. You would see the ICMP response coming from the synthetic IP address (100.64.1.0/24) assigned to the application on the client system.

  • Please note, the ICMP feature is primarily focused on solving issues with legacy applications which need an ICMP connection to the destination server for discovery.

Regards,
Shujaat
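
The two points above (ICMP replies arrive from a synthetic CGNAT address, and an app segment has to enumerate the VNET addresses) can be checked from the client side. The following is an added example for this thread, not Zscaler code or anything posted by either participant: it parses constructed ping output, tells a ZPA synthetic responder apart from a real VNET host, and lists the addresses a /26 app segment would have to cover. Treating the whole RFC 6598 shared range 100.64.0.0/10 as "synthetic" is an assumption made here so the check also works if a tenant's synthetic range differs from the 100.64.1.0/24 named above; the VNET prefix 10.20.0.0/26 and the ping lines are constructed sample data.

```python
"""Classify ICMP responders seen through a ZPA tunnel and enumerate the VNET
addresses an application segment would need to list.

Added example for this thread; not Zscaler code. Sample ping lines are
constructed. Using 100.64.0.0/10 (RFC 6598 shared address space) as the
synthetic range is an assumption; the reply above names 100.64.1.0/24.
"""
import ipaddress
import re

# RFC 6598 shared address space. ZPA synthetic IPs (100.64.1.0/24 in the reply
# above) fall inside it; the whole /10 is treated as synthetic so the check keeps
# working if a tenant's synthetic range is configured differently (assumption).
CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")

# Responder address in both Linux ("64 bytes from 1.2.3.4:") and
# Windows ("Reply from 1.2.3.4:") ping output.
_REPLY_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})")


def is_synthetic(ip: str) -> bool:
    """True if the address is a CGNAT/ZPA synthetic IP rather than a real host."""
    return ipaddress.ip_address(ip) in CGNAT_SPACE


def classify_reply(ip: str, vnet: str) -> str:
    """'synthetic' for a ZPA-issued address, 'vnet' for a real host inside the
    VNET prefix, 'other' for anything else (e.g. a direct, non-ZPA path)."""
    addr = ipaddress.ip_address(ip)
    if addr in CGNAT_SPACE:
        return "synthetic"
    if addr in ipaddress.ip_network(vnet, strict=False):
        return "vnet"
    return "other"


def classify_ping_output(lines, vnet: str) -> dict:
    """Map each responder address found in ping output to its classification."""
    result = {}
    for line in lines:
        match = _REPLY_RE.search(line)
        if match:
            result[match.group(1)] = classify_reply(match.group(1), vnet)
    return result


def app_segment_hosts(vnet: str) -> list:
    """Host addresses an app segment would have to list to cover the VNET
    (network and broadcast addresses excluded)."""
    return [str(h) for h in ipaddress.ip_network(vnet, strict=False).hosts()]


# Constructed sample output: a hostname ping answered by the ZPA synthetic IP,
# one answered by a real VNET host, and one answered by an internet host.
SAMPLE_PING = [
    "64 bytes from 100.64.1.7: icmp_seq=1 ttl=64 time=12.3 ms",
    "Reply from 10.20.0.17: bytes=32 time=11ms TTL=63",
    "64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=9.8 ms",
]

if __name__ == "__main__":
    vnet = "10.20.0.0/26"  # constructed VNET prefix
    for ip, kind in classify_ping_output(SAMPLE_PING, vnet).items():
        print(f"{ip:>15}  {kind}")
    hosts = app_segment_hosts(vnet)
    print(f"{len(hosts)} host addresses for {vnet}: {hosts[0]} .. {hosts[-1]}")
```

Feed it real `ping` output (piped in or pasted into `SAMPLE_PING`) to confirm whether a reply came from ZPA's synthetic endpoint or from the host itself; `app_segment_hosts` gives the list to paste into the app segment when a whole prefix has to be covered one address at a time.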

Hey Shujaat,

Thanks for your reply. Sounds valid; only the “focus on legacy applications” falls short in my opinion. But anyway, we can live with the status quo :wink:

BR
Manuel