I am having some trouble getting ping to work over a VPN connection to another party whose firewall is beyond my control. My understanding of ping is that it is not treated as "stateful" by Checkpoint firewalls, hence it needs a rule for "echo-request" traffic in one direction and another rule for the return "echo-reply" traffic. Something like the rules below.
Firewall A
Source X Destination Y echo-request permit
Source Y Destination X echo-reply permit
Firewall B
Source Y Destination X echo-reply permit
Source X Destination Y echo-request permit
I want hosts behind Firewall A to be able to ping hosts behind Firewall B, but not the other way around.
Obviously I cannot enable "accept icmp requests" in global properties.
Is this the "best practices" way for dealing with ping on Checkpoint?
--------------------------------------
Damien Allen CCNP,CCSE NG AI
--------------------------------------
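
The rule pairs in the post above can be checked with a small model. This is an added example, not part of the original post and not Check Point code. It assumes a generic stateless packet filter with an implicit drop, and the names Rule, POSTED_RULES, permits, traverse and ping are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    icmp_type: str   # "echo-request" or "echo-reply"

# Rule base from the post; both firewalls carry the same pair of permits.
POSTED_RULES = [
    Rule("X", "Y", "echo-request"),
    Rule("Y", "X", "echo-reply"),
]

def permits(rules, src, dst, icmp_type):
    """Stateless match (assumed model): each packet is judged alone; no match means drop."""
    return Rule(src, dst, icmp_type) in rules

def traverse(path, src, dst, icmp_type):
    """Return the name of the first firewall that drops the packet, or None."""
    for name, rules in path:
        if not permits(rules, src, dst, icmp_type):
            return name
    return None

def ping(fw_a, fw_b, src, dst):
    """Simulate one ping. Host 'X' sits behind Firewall A, host 'Y' behind Firewall B."""
    outbound = [("A", fw_a), ("B", fw_b)] if src == "X" else [("B", fw_b), ("A", fw_a)]
    dropped = traverse(outbound, src, dst, "echo-request")
    if dropped:
        return f"echo-request dropped at Firewall {dropped}"
    # The reply crosses the same firewalls in the opposite order.
    dropped = traverse(list(reversed(outbound)), dst, src, "echo-reply")
    if dropped:
        return f"echo-reply dropped at Firewall {dropped}"
    return "reply received"

if __name__ == "__main__":
    print("X pings Y:", ping(POSTED_RULES, POSTED_RULES, "X", "Y"))
    print("Y pings X:", ping(POSTED_RULES, POSTED_RULES, "Y", "X"))
    # Without the echo-reply rule on A, a stateless filter drops the answer.
    print("X pings Y, A lacks reply rule:", ping(POSTED_RULES[:1], POSTED_RULES, "X", "Y"))
```

Under this model the posted rules give one-way ping: Y's echo-request never matches a permit, and removing either echo-reply rule breaks the X-to-Y direction as well.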