Proper Way to Pass ICMP Through Firewall-1?

From: Will (
Date: 04/28/05

Date: Wed, 27 Apr 2005 23:20:56 -0700

What is the correct rule to use to allow ICMP packets to pass through a
Checkpoint Firewall-1 firewall? If you have two segments behind a
firewall, and you have a rule to allow all hosts behind one of the segments
to ICMP all hosts on the other segment, how do you set up the rule?

I set a rule to allow the host group for the source segment to ICMP to the
host group for the destination segment. The firewall log shows an Accept
when an ICMP packet travels from the source to the destination. But the return
ICMP packet never arrives back at the source. I then tried to set a
second rule to allow ICMP from the destination back to the source. This
made no difference. There is no error packet in the log anywhere around
the Accept for ICMP, so whatever is failing is doing so in a way that is
invisible to the firewall log.

I am trying to avoid the "Allow ICMP" setting on the Properties dialog
because it seems far too permissive. I want to find a more strictly
correct way to enable specific ICMPs, using just the ruleset, and I want all
ICMP traffic to be visible in the log.
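As an added illustration (this is not code from the original post, and not Check Point's implementation), the following Python model contrasts the two ways a filter can treat the return echo-reply described above: a purely stateless rule that accepts echo-requests from one segment to the other, and the same rule backed by a session table that admits an echo-reply only when it matches an echo-request the firewall already accepted. The network ranges, rule name and log format are assumed for the example; the ICMP header layout and checksum are the real ones from RFC 792.

```python
"""Constructed example: stateless vs. session-tracked handling of ICMP echo.

Not Check Point code. Networks, rule names and the log format are assumptions
made for this example; the ICMP header/checksum handling follows RFC 792.
"""
import ipaddress
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data):
    """RFC 1071 ones'-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, ident, seq, payload=b""):
    """Build an echo-request/echo-reply message with a correct checksum."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def checksum_ok(raw):
    """A message with a correct checksum sums to zero when re-checksummed."""
    return len(raw) >= 8 and icmp_checksum(raw) == 0


def parse_icmp(raw):
    if not checksum_ok(raw):
        raise ValueError("short ICMP message or bad checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq}


class IcmpFilter:
    """One rule: src_net -> dst_net, service echo-request only.

    With stateful=True an accepted request creates a session entry keyed on
    (reply src, reply dst, id, seq); only a reply matching that entry is let
    back through, and it consumes the entry. Every decision is logged.
    """

    def __init__(self, src_net, dst_net, stateful):
        self.src_net = ipaddress.ip_network(src_net)
        self.dst_net = ipaddress.ip_network(dst_net)
        self.stateful = stateful
        self.sessions = set()
        self.log = []

    def _rule_match(self, src, dst, icmp_type):
        return (ipaddress.ip_address(src) in self.src_net
                and ipaddress.ip_address(dst) in self.dst_net
                and icmp_type == ICMP_ECHO_REQUEST)

    def handle(self, src, dst, raw):
        p = parse_icmp(raw)
        key = (src, dst, p["id"], p["seq"])
        if self._rule_match(src, dst, p["type"]):
            if self.stateful:
                # Remember the tuple the matching reply will carry.
                self.sessions.add((dst, src, p["id"], p["seq"]))
            verdict = "accept (rule 1: echo-request src_net -> dst_net)"
        elif self.stateful and p["type"] == ICMP_ECHO_REPLY and key in self.sessions:
            self.sessions.discard(key)
            verdict = "accept (reply to tracked echo-request)"
        else:
            verdict = "drop (no matching rule or session)"
        self.log.append((src, dst, p["type"], p["id"], p["seq"], verdict))
        return verdict


def demo(stateful):
    """Run request, matching reply, and an unsolicited reply through the filter."""
    fw = IcmpFilter("10.1.0.0/24", "10.2.0.0/24", stateful)  # assumed segments
    req = build_icmp(ICMP_ECHO_REQUEST, 0x1234, 1, b"ping")
    rep = build_icmp(ICMP_ECHO_REPLY, 0x1234, 1, b"ping")
    stray = build_icmp(ICMP_ECHO_REPLY, 0xBEEF, 7)  # no request was ever sent
    v_req = fw.handle("10.1.0.5", "10.2.0.9", req)
    v_rep = fw.handle("10.2.0.9", "10.1.0.5", rep)
    v_stray = fw.handle("10.2.0.9", "10.1.0.5", stray)
    return v_req, v_rep, v_stray, fw.log


if __name__ == "__main__":
    for mode in (False, True):
        print("stateful =", mode)
        for entry in demo(mode)[3]:
            print("  ", entry)
```

Run stand-alone, the stateless pass logs the request as accepted and the reply as dropped, which is the symptom the post describes; the stateful pass accepts only the reply whose (id, seq) and reversed addresses match a request it saw, drops the unsolicited reply, and still writes every ICMP decision to the log rather than silently passing the whole protocol.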