STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 5 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Palo Alto Networks IDPS Security Technical Implementation Guide

V-207699

CAT II (Medium)

The Palo Alto Networks security platform must block malicious ICMP packets.

Rule ID

SV-207699r557390_rule

STIG

Palo Alto Networks IDPS Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-001312

Discussion

Internet Control Message Protocol (ICMP) messages are used to provide feedback about problems in the network. These messages are sent back to the sender to support diagnostics. However, ICMP can be misused to provide a covert channel. ICMP tunneling is when an attacker injects arbitrary data into an echo packet and sends to a remote computer. The remote computer injects an answer into another ICMP packet and sends it back. The creates a covert channel where an attacker can hide commands sent to a compromised host or a compromised host can exfiltrate data.

Check Content

Ask the Administrator which Security Policy blocks traceroutes and ICMP probes.
Go to Policies >> Security
View the identified Security Policy.
 
If the  "Source Zone" field is not external and the "Source Address" field is not any, this is a finding.

If the "Destination Zone" fields do not include the internal and DMZ zones and the "Destination Address" field is not "any", this is a finding.
Note: the exact number and name of zones is specific to the network.

If the "Application" fields do not include "icmp", "ipv6-icmp", and "traceroute", this is a finding.

If the "Actions" field does not show "Deny" as the resulting action, this is a finding.

Fix Text

To configure the security policy:
Go to Policies >> Security
Select "Add".
In the "Security Policy Rule" window, complete the required fields.
In the "General" tab, complete the "Name" and "Description" fields.
In the "Source" tab, complete the "Source Zone" and "Source Address" fields.
For the "Source Zone" field, select "external". 
For the "Source Address" field, select "any".
In the "Destination" tab, complete the "Destination Zone" and "Destination Address" fields. 
For the "Destination Zone" field, select the internal and DMZ zones.
Note: the exact number and name of zones is specific to the network.

For the "Destination Address" field, select "any".
In the "Applications" tab, select "icmp", "ipv6-icmp", "traceroute".
In the "Actions" tab, select "Deny" as the resulting action.  Select the required Log Setting and Profile Settings as necessary.
Commit changes by selecting "Commit" in the upper-right corner of the screen.  Select "OK" when the confirmation dialog appears.