The Palo Alto Networks security platform must block outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-207698	PANW-IP-000030	SV-207698r557390_rule		Medium

Description
Internet Control Message Protocol (ICMP) messages are used to provide feedback about problems in the network. These messages are sent back to the sender to support diagnostics. However, some messages can also provide host information and network topology that may be exploited by an attacker. Three ICMP messages are commonly used by attackers for network mapping: Destination Unreachable, Redirect, and Address Mask Reply. These responses must be blocked on external interfaces; however, blocking the Destination Unreachable response will prevent Path Maximum Transmission Unit Discovery (PMTUD), which relies on the response "ICMP Destination Unreachable--Fragmentation Needed but DF Bit Set". PMTUD is a useful function and should only be "broken" after careful consideration. An acceptable alternative to blocking all Destination Unreachable responses is to filter Destination Unreachable messages generated by the IDPS to allow ICMP Destination Unreachable-Fragmentation Needed but DF Bit Set (Type 3, Code 4) and apply this filter to the external interfaces.

Description

Internet Control Message Protocol (ICMP) messages are used to provide feedback about problems in the network. These messages are sent back to the sender to support diagnostics. However, some messages can also provide host information and network topology that may be exploited by an attacker. Three ICMP messages are commonly used by attackers for network mapping: Destination Unreachable, Redirect, and Address Mask Reply. These responses must be blocked on external interfaces; however, blocking the Destination Unreachable response will prevent Path Maximum Transmission Unit Discovery (PMTUD), which relies on the response "ICMP Destination Unreachable--Fragmentation Needed but DF Bit Set". PMTUD is a useful function and should only be "broken" after careful consideration. An acceptable alternative to blocking all Destination Unreachable responses is to filter Destination Unreachable messages generated by the IDPS to allow ICMP Destination Unreachable-Fragmentation Needed but DF Bit Set (Type 3, Code 4) and apply this filter to the external interfaces.

STIG	Date
Palo Alto Networks IDPS Security Technical Implementation Guide	2022-09-14

Details

Check Text ( C-7952r358427_chk )
Ask the Administrator if any security policy allows ICMP from an internal zone or DMZ to an outside zone. If there is none, this is not a finding. If there is a security policy that allows ICMP from an internal zone or DMZ to an outside zone, then a policy must be configured to deny outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages. Go to Objects >> Applications; if there are not three custom Applications to identify ICMP Type 3, 5, and 18, this is a finding. Go to Policies >> Security; if there is no Security Policy using these three custom Applications with the resulting action of "deny", this is a finding. This Security Policy must appear above any Security Policy that allows ICMP from an internal zone or DMZ to an outside zone; if it does not, this is a finding.

Check Text ( C-7952r358427_chk )

Ask the Administrator if any security policy allows ICMP from an internal zone or DMZ to an outside zone. If there is none, this is not a finding.

If there is a security policy that allows ICMP from an internal zone or DMZ to an outside zone, then a policy must be configured to deny outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages.

Go to Objects >> Applications; if there are not three custom Applications to identify ICMP Type 3, 5, and 18, this is a finding.

Go to Policies >> Security; if there is no Security Policy using these three custom Applications with the resulting action of "deny", this is a finding.

This Security Policy must appear above any Security Policy that allows ICMP from an internal zone or DMZ to an outside zone; if it does not, this is a finding.

Fix Text (F-7952r358428_fix)
Note: The interzone-default rule action is deny, so unless ICMP is specifically allowed by a policy, it will be denied. If there is an explicit security policy configured allowing ICMP from an internal zone or DMZ to an outside zone, then a policy must be configured to deny outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages. Create three custom Applications to identify ICMP Type 3, 5, and 18: Go to Objects >> Applications Select "Add". In the Application window; complete the required fields In the Configuration tab, in the General section, complete the Name and Description Fields. In the Configuration tab, in the Properties section, for Category, select networking, for Subcategory, select infrastructure, and for Technology, select network-protocol. In the Advanced tab, in the Defaults section, select ICMP Type Enter "3" since ICMP Destination Unreachable is Type 3 Select OK Repeat this procedure two more times, using the values for ICMP Type are 5 and 18 since respectively since ICMP Redirect is Type 5 and ICMP Address Mask Reply is Type 18. Use these three Application filters in a Security Policy. To configure the security policy: Go to Policies >> Security Select "Add". In the "Security Policy Rule" window, complete the required fields. In the "General" tab, complete the "Name" and "Description" fields. Select "interzone" for the Rule Type. In the "Source" tab, complete the "Source Zone" and "Source Address" fields. For the "Source Zone" field, select "internal". For the "Source Address" field, select "any". In the "Destination" tab, for the "Destination Address" field, select "any". Note: The "Destination Zone" window will be grayed out (unable to enter parameters). In the "Applications" tab, select the three application filters configured above. In the "Actions" tab, select "Deny" as the resulting action. Select the required Log Setting and Profile Settings as necessary. Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

Fix Text (F-7952r358428_fix)

Note: The interzone-default rule action is deny, so unless ICMP is specifically allowed by a policy, it will be denied. If there is an explicit security policy configured allowing ICMP from an internal zone or DMZ to an outside zone, then a policy must be configured to deny outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages.

Create three custom Applications to identify ICMP Type 3, 5, and 18:
Go to Objects >> Applications
Select "Add".
In the Application window; complete the required fields In the Configuration tab, in the General section, complete the Name and Description Fields.
In the Configuration tab, in the Properties section, for Category, select networking, for Subcategory, select infrastructure, and for Technology, select network-protocol.
In the Advanced tab, in the Defaults section, select ICMP Type Enter "3" since ICMP Destination Unreachable is Type 3 Select OK Repeat this procedure two more times, using the values for ICMP Type are 5 and 18 since respectively since ICMP Redirect is Type 5 and ICMP Address Mask Reply is Type 18.
Use these three Application filters in a Security Policy.

To configure the security policy:
Go to Policies >> Security
Select "Add".
In the "Security Policy Rule" window, complete the required fields.
In the "General" tab, complete the "Name" and "Description" fields. Select "interzone" for the Rule Type.
In the "Source" tab, complete the "Source Zone" and "Source Address" fields.
For the "Source Zone" field, select "internal".
For the "Source Address" field, select "any".
In the "Destination" tab, for the "Destination Address" field, select "any".
Note: The "Destination Zone" window will be grayed out (unable to enter parameters).

In the "Applications" tab, select the three application filters configured above.
In the "Actions" tab, select "Deny" as the resulting action. Select the required Log Setting and Profile Settings as necessary.
Select "OK".
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.