ICMP - Firewall Rule - ZIA

Hello community,
I was trying to create a firewall rule to allow ICMP to a specific destination (I verified it responded to ICMP).
I created a rule with Network Application ICMP and the target website as the destination; it did not work.
I changed the network application to services, and this time I was able to include ICMP and echo (even traceroute). It did not work either. Then I removed the destination field (leaving it empty, making it "any") and it finally started working.
Any idea why this behavior?

On Zscaler's zscloud cloud it seems not to work at all, even with a destination, and I even added the destination server in the Destination Inclusions next to 0.0.0.0. But I may look with a pcap at whether the Zscaler Client Connector is sending the ICMP traffic to the Zscaler cloud, as I see Tunnel 2.0 is correctly used and that there are no bypasses.

As for you, what does the Firewall Insights log say? (Firewall Insights Logs: Filters | Zscaler)

Also maybe double check whether adding the destination server as 1.1.1.1 or as 1.1.1.1/32 helps. I would also look at not using an FQDN, as that should make certain that the traffic is going to Zscaler:

DNS logging in Tunnel 2.0 for Road Warriors - #5 by rafaelruales. Edit: I also remember other people complaining about this for ICMP, so it could be a bug, though the vendor will say it is a feature that will be added.

Hello Xavier,

Hm, I am not able to reproduce your issue (zscloud). If I create a firewall filtering policy that blocks/drops the network service "icmp" and configure a dedicated target host FQDN, no ping is possible. Vice versa, selecting "allow" has the expected effect.

Did you check for other policies before your allow rule? Keep in mind rule evaluation stops at first match.

BR
Manuel

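To make the two points raised in this thread concrete (first-match rule evaluation, and an IP or CIDR destination versus an FQDN destination), here is an added, constructed model of a first-match firewall evaluator. It is not Zscaler's engine or any code from the original posts; the rule names, the DNS mapping and the addresses are all assumed for illustration only.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical first-match rule model (constructed for this example; not ZIA's implementation).
@dataclass
class Rule:
    name: str
    action: str             # "allow" or "block"
    service: Optional[str]  # e.g. "icmp"; None matches any service
    dest: Optional[str]     # IP, CIDR, FQDN, or None for "any"

# Constructed DNS view: what the policy engine's own resolver believes the FQDN maps to.
# A client that resolved a different A record will not match an FQDN destination here.
POLICY_DNS = {"google.com": ["142.250.80.46"]}


def dest_matches(rule_dest: Optional[str], dst_ip: str) -> bool:
    """Match a packet's destination IP against a rule destination."""
    if rule_dest is None:
        return True  # "any"
    try:
        # Accepts both "1.1.1.1" and "1.1.1.1/32"; both become the same /32 network.
        net = ipaddress.ip_network(rule_dest, strict=False)
        return ipaddress.ip_address(dst_ip) in net
    except ValueError:
        pass
    # Not an IP/CIDR, so treat it as an FQDN resolved by the engine, not by the client.
    return dst_ip in POLICY_DNS.get(rule_dest.lower(), [])


def evaluate(rules, service: str, dst_ip: str, default: str = "block"):
    """First match wins: evaluation stops at the first rule whose service and destination match."""
    for r in rules:
        if (r.service is None or r.service == service) and dest_matches(r.dest, dst_ip):
            return r.action, r.name
    return default, "implicit-default"


# Scenario 1: a broad ICMP block placed above the specific allow shadows it.
SHADOWED = [
    Rule("block-all-icmp", "block", "icmp", None),
    Rule("allow-icmp-1.1.1.1", "allow", "icmp", "1.1.1.1/32"),
]
# Same rules, specific allow moved first.
REORDERED = [SHADOWED[1], SHADOWED[0]]

# Scenario 2: allow ICMP only to an FQDN destination.
FQDN_RULES = [Rule("allow-icmp-google", "allow", "icmp", "google.com")]


def demo() -> dict:
    return {
        "shadowed": evaluate(SHADOWED, "icmp", "1.1.1.1"),
        "reordered": evaluate(REORDERED, "icmp", "1.1.1.1"),
        "plain_ip_form": evaluate([Rule("allow-ip", "allow", "icmp", "1.1.1.1")], "icmp", "1.1.1.1"),
        # Client pinged the IP the engine also resolved the FQDN to: matches.
        "fqdn_same_record": evaluate(FQDN_RULES, "icmp", "142.250.80.46"),
        # Client resolved a different A record for the same name: falls through to the default.
        "fqdn_other_record": evaluate(FQDN_RULES, "icmp", "142.250.72.14"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The last two results are why the advice above to try an IP or /32 destination instead of an FQDN is worth following: with an FQDN the match depends on which address the policy side resolved, whereas an IP or CIDR destination matches the packet directly, and with an empty destination ("any") the destination check drops out entirely, which is consistent with the rule starting to work once the destination was cleared.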

Hello Manuel,
Thanks for the answer and time.
We don't have any deny rule before our ICMP rule. It is very weird, because this is supposed to be a pretty straightforward scenario.

Hey Xavi,

I just read your post once more and am now wondering how you created a "network application", as this is a predefined list provided by Zscaler. And in "network services" there is already a predefined service ICMP. So basically the only thing you should need to do is to create/configure a "firewall filtering policy". Sorry if I missed something (only had two coffees so far ;-))...

BR
Manuel

Hello Manuel, first of all thanks again for looking at this and for your time!!

I did not create the network application. I created the policy, and then under the policy I found that ICMP was under both services and network applications. I tried it both as a network application and as a service, and neither option seemed to work, until I completely removed the destination (google.com).
When I removed the destination (at that moment I was using ICMP as a service) it started working.
This whole terminology gets tangled, thank you !