DMZ pings

I have a local network behind a Firebox.
I can ping from my trusted machines to a server on my DMZ,
but not vice-versa. I can ping from any of them to the External (WAN) systems (Google).

(T's are trusted segment, D is on DMZ)

I have two rules which I thought should allow this:

When I do a ping from DMZ to a Trusted machine (D1 → Ta) I don't see any denial in the traffic report.

2023-07-18 08:09:52 Allow 10.0.2.200 10.0.1.32 ICMP DMZ Trusted -Local Application identified 84 63 (Ping-00)
proc_id="firewall" rc="100" msg_id="3000-0149" app_name="ICMP" app_cat_name="Management tools and protocols"
app_id="118" app_cat_id="10" app_beh_name="Access" app_beh_id="6" action="Global" sig_vers="18.272"

What am I missing?

Comments

  • The posted Allow log message indicates that the firewall is not the cause of the ping not working.
    You need to look at the dest device (10.0.1.32) to see why the incoming ping is being denied. Perhaps a firewall on that device is blocking it?

  • Thanks. But since they (Ta, Tb) respond to pings from other machines on the same Trusted segment, that did not seem to me to be the problem (?). Would/should the traffic monitor show something for the response coming back from the Trusted -> DMZ machine?
    So the trusted machines (Ta,Tb) respond to all pings on the same network, but none are ping-able from DMZ system (D1).
    I tried it with a third Trusted machine (Tc), all Windows 10, same results. Curious.

  • Reply packets are not shown in Traffic Monitor, and there is no way to make them show.

    What is the subnet mask for devices on Trusted? /24
    A subnet mask with /23 or /22 for example would prevent replies getting back.

    You can do packet captures on the firewall using TCP dump.

    See the TCP Dump section here:

    Web UI:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/system_status/stats_diagnostics_tasks_web.html

    FSM:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/log_message_learn_more_wsm.html

    FYI, I normally don't have "Enable Application Control" selected on my packet filters, including my Ping policies. Reduces stuff I don't need to see in Traffic Monitor.
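    Since reply packets never appear in Traffic Monitor, the capture is the only place the missing replies can be seen. The script below is an added example, not part of this thread or a WatchGuard tool: it reads tcpdump-style summary lines (the sample capture is constructed and assumes tcpdump's default "-n" ICMP summary format), pairs each echo request with its reply by id/seq, and lists the requests the Trusted host never answered.

```python
import re
from collections import OrderedDict

# Constructed sample of what a firewall-side capture of the DMZ -> Trusted ping
# could look like (tcpdump -n summary format); NOT the thread's real attachment.
# 203.0.113.9 stands in for an arbitrary external host (documentation range).
SAMPLE_CAPTURE = """\
08:09:52.101001 IP 10.0.2.200 > 10.0.1.32: ICMP echo request, id 1, seq 1, length 40
08:09:52.102417 IP 10.0.1.32 > 10.0.2.200: ICMP echo reply, id 1, seq 1, length 40
08:09:53.101230 IP 10.0.2.200 > 10.0.1.32: ICMP echo request, id 1, seq 2, length 40
08:09:54.101550 IP 10.0.2.200 > 10.0.1.32: ICMP echo request, id 1, seq 3, length 40
08:09:55.004000 IP 10.0.1.32 > 203.0.113.9: ICMP echo request, id 7, seq 1, length 40
08:09:55.020000 IP 203.0.113.9 > 10.0.1.32: ICMP echo reply, id 7, seq 1, length 40
"""

# Matches tcpdump's one-line summary of an ICMP echo request or reply.
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo "
    r"(?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def unanswered_pings(lines):
    """Return (src, dst, id, seq) tuples for echo requests that got no reply."""
    pending = OrderedDict()            # request key -> timestamp, in arrival order
    for line in lines:
        m = ICMP_RE.match(line.strip())
        if not m:
            continue                   # non-ICMP or unrelated capture line
        ident, seq = int(m["id"]), int(m["seq"])
        if m["kind"] == "request":
            pending[(m["src"], m["dst"], ident, seq)] = m["ts"]
        else:
            # A reply answers the request whose src/dst are the reverse of its own.
            pending.pop((m["dst"], m["src"], ident, seq), None)
    return list(pending)

def reply_rate(lines):
    """Map (requester, target) -> (requests, replies) so a silent host stands out."""
    stats = {}
    for line in lines:
        m = ICMP_RE.match(line.strip())
        if not m:
            continue
        is_req = m["kind"] == "request"
        pair = (m["src"], m["dst"]) if is_req else (m["dst"], m["src"])
        req, rep = stats.get(pair, (0, 0))
        stats[pair] = (req + 1, rep) if is_req else (req, rep + 1)
    return stats

if __name__ == "__main__":
    for src, dst, ident, seq in unanswered_pings(SAMPLE_CAPTURE.splitlines()):
        print(f"no reply from {dst} to {src} (id {ident}, seq {seq})")
    for (src, dst), (req, rep) in reply_rate(SAMPLE_CAPTURE.splitlines()).items():
        print(f"{src} -> {dst}: {req} requests, {rep} replies")
```

    Feed it the text export of the firewall's TCP dump taken on the DMZ and Trusted interfaces; a pair with requests but zero replies points at the target host (or a return-route problem) rather than at the firewall policy.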

  • Thanks.
    They are both /24.

    I am not familiar with "application control" but it was on (Global) on one of the Ping policies, so I turned it off.
    Should I go through all policies and do that?
    I had forgotten about the Diagnostics - I can ping both sides (machines) from the FW.

  • Q. Should I go through all policies and do that?
    A. That is up to you. I don't for packet filters, as I know what they are for in my config.

    No idea why pings from the DMZ to Trusted devices are not getting replies.
    The log entry says that the ping is being allowed.
    I still think that something on the Trusted devices is blocking the pings from the DMZ.

    Consider a support case if you have a support contract on your firewall.

  • Many thanks. I think I'll try packet trace before asking for support.

  • PS: I did run a packet dump, from the WG UI - Network/Diagnostic/Network/Network/TCP-IP Dump.

    On the DMZ segment, when I do a Ping (10.0.2.200 → 10.0.1.32)
    (see attached file)

    I don’t see any ping packets from DMZ getting through.
    I filed a support request.
