ICMP

On the Network Protection > Firewall > ICMP tab you can configure the settings for the Internet Control Message Protocol (ICMP). ICMP is used to exchange connection-related status information between hosts. ICMP is important for testing network connectivity or troubleshooting network problems.

Allowing any ICMP traffic on this tab will override ICMP settings being made in the firewall. If you only want to allow ICMP for certain hosts or networks, you should use the Firewall > Rules tab instead.

Global ICMP Settings

The following global ICMP options are available:

Note – If enabled, the ICMP settings apply to all ICMP packets, including ping and traceroute—if sent via ICMP—, even if the corresponding ping and traceroute settings are disabled.

Ping Settings

The program ping is a computer network tool used to test whether a particular host is reachable across an IP network. Ping works by sending ICMP echo request packets to the target host and listening for ICMP echo response replies. Using interval timing and response rate, ping estimates the round-trip time and packet loss rate between hosts.

The following ping options are available:

Note – If enabled, the ping settings also allow traceroute ICMP packets, even if the corresponding traceroute settings are disabled.

Traceroute Settings

The program traceroute is a computer network tool used to determine the route taken by packets across an IP network. It lists the IP addresses of the routers that were involved in transporting the packet. If the packet's route cannot be determined within a certain time frame, traceroute will report an asterisk (*) instead of the IP address. After a certain number of failures, the check will end. An interruption of the check can have many causes, but most likely it is caused by a firewall along the network path that blocks traceroute packets.

The following traceroute options are available:

Note – The bridge mode in Sophos UTM on AWS uses the packet filter to allow the traffic to pass Sophos UTM on AWS, e.g., web surfing traffic. In this case, the options Allow ICMP through gateway, Gateway forwards pings and Gateway forwards traceroute will not work in bridge mode.

Note – In addition, the UDP ports for UNIX traceroute applications are opened, too.

Note – If enabled, the traceroute settings also allow ping packets, even if the corresponding ping settings are disabled.