Firewall rule configured to block ping.exe does not block all traffic generated by ping

Article ID: 155864

Products

Endpoint Protection

Issue/Introduction

A firewall policy has been created with only two rules:

  •  The first rule blocks all traffic from ping.exe.
  •  The second rule, below it, allows all traffic.

When "ping -t IPADDRESS" is then executed, some pings pass through the firewall and replies are sent back.

The output is a list of "General failure." messages, which is the expected behavior, mixed with some unexpected "Reply from ..." lines.


Cause

  • SEP Firewall logs show that the pings passing through are executed not by ping.exe but by ntoskrnl.exe.


Resolution

Change the rule to block the ICMP protocol rather than the ping application.
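The difference between the two rule sets can be modelled with a small first-match evaluator. This is an added example, not Symantec code or the SEP rule engine: the Rule class, the event fields, the first-match ordering and the sample events (documentation addresses, chrome.exe) are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                         # "block" or "allow"
    application: Optional[str] = None   # None matches any process
    protocol: Optional[str] = None      # None matches any protocol

    def matches(self, event):
        app_ok = self.application is None or self.application == event["process"].lower()
        proto_ok = self.protocol is None or self.protocol == event["protocol"]
        return app_ok and proto_ok

def evaluate(rules, event):
    """Return the action of the first matching rule (assumed model); block if none match."""
    for rule in rules:
        if rule.matches(event):
            return rule.action
    return "block"

def allowed_icmp_by_process(rules, events):
    """Count ICMP events the policy lets through, keyed by the attributed process."""
    leaks = {}
    for ev in events:
        if ev["protocol"] == "ICMP" and evaluate(rules, ev) == "allow":
            leaks[ev["process"]] = leaks.get(ev["process"], 0) + 1
    return leaks

# Constructed events: echo traffic from "ping -t", some of it attributed to ntoskrnl.exe
EVENTS = [
    {"process": "ping.exe", "protocol": "ICMP", "remote": "192.0.2.10"},
    {"process": "ntoskrnl.exe", "protocol": "ICMP", "remote": "192.0.2.10"},
    {"process": "ping.exe", "protocol": "ICMP", "remote": "192.0.2.10"},
    {"process": "ntoskrnl.exe", "protocol": "ICMP", "remote": "192.0.2.10"},
    {"process": "chrome.exe", "protocol": "TCP", "remote": "192.0.2.20"},
]

# The policy from the article: block ping.exe, then allow everything
APP_POLICY = [Rule("block", application="ping.exe"), Rule("allow")]
# The resolution: block the ICMP protocol, then allow everything
PROTO_POLICY = [Rule("block", protocol="ICMP"), Rule("allow")]

if __name__ == "__main__":
    print("application rule:", allowed_icmp_by_process(APP_POLICY, EVENTS))
    print("protocol rule:   ", allowed_icmp_by_process(PROTO_POLICY, EVENTS))
```

The same grouping by process applied to a real firewall traffic log shows whether any application-scoped block rule is being bypassed by traffic attributed to another process.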

Applies To

  • Unmanaged SEP 12.1 client with Network Threat Protection installed and a rule added to block ping.exe.
