On the Network Protection > Firewall > ICMP tab you can configure the settings for the Internet Control Message Protocol (ICMP). ICMP is used to exchange connection-related status information between hosts. ICMP is important for testing network connectivity or troubleshooting network problems.
Allowing any ICMP traffic on this tab will override ICMP settings being made in the firewall. If you only want to allow ICMP for certain hosts or networks, you should use the Firewall > Rules tab instead.
The following global ICMP options are available:
- Allow ICMP on Gateway: This option enables the gateway to respond to ICMP packets of any kind.
- Allow ICMP through Gateway: This option enables forwarding of ICMP packets through the gateway if the packets originate from an internal network, i.e., a network without default gateway.
- Allow ICMP through Gateway from external networks: This option enables forwarding of ICMP packets through the gateway from an external network, i.e., the Internet.
- Log ICMP redirects: ICMP redirects are sent from one router to another to find a better route for a packet's destination. Routers then change their routing tables and forward the packet to the same destination via the supposedly better route. If you select this option, all ICMP redirects received by the gateway will be logged in the firewall log.
Note – If enabled, the ICMP settings apply to all ICMP packets, including ping and traceroute—if sent via ICMP—, even if the corresponding ping and traceroute settings are disabled.
The program ping is a computer network tool used to test whether a particular host is reachable across an IP network. Ping works by sending ICMP echo request packets to the target host and listening for ICMP echo response replies. Using interval timing and response rate, ping estimates the round-trip time and packet loss rate between hosts.
The following ping options are available:
- Gateway is ping visible: The gateway responds to ICMP echo request packets. This feature is enabled by default.
- Ping from gateway: You can use the ping command on the gateway. This feature is enabled by default.
- Gateway forwards pings: The gateway forwards ICMP echo request and echo response packets originating from an internal network, i.e., a network without default gateway.
Note – If enabled, the ping settings also allow traceroute ICMP packets, even if the corresponding traceroute settings are disabled.
The program traceroute is a computer network tool used to determine the route taken by packets across an IP network. It lists the IP addresses of the routers that were involved in transporting the packet. If the packet's route cannot be determined within a certain time frame, traceroute will report an asterisk (*) instead of the IP address. After a certain number of failures, the check will end. An interruption of the check can have many causes, but most likely it is caused by a firewall along the network path that blocks traceroute packets.
The following traceroute options are available:
- Gateway is traceroute visible: The gateway responds to traceroute packets.
- Gateway forwards traceroute: The gateway forwards traceroute packets originating from an internal network, i.e., a network without default gateway.
Note – The bridge mode in Sophos UTM on AWS uses the packet filter to allow the traffic to pass Sophos UTM on AWS, e.g., web surfing traffic. In this case, the options Allow ICMP through gateway, Gateway forwards pings and Gateway forwards traceroute will not work in bridge mode.
Note – If enabled, the traceroute settings also allow ping packets, even if the corresponding ping settings are disabled.