FW-1 4.1 does not do stateful ICMP, so you will have to explicitly define a rule for
each direction, or an
local      remote    icmp-proto    accept
remote     local

CryptoTech

Clarrisa Wright wrote:

> Hello
>
> I would like to allow ICMP and traceroute between 2 networks on either side
> of my firewall. I am wondering if I have to turn on "Accept ICMP Before
> Last" in the policy properties, because obviously one of the hops from
> subnet to subnet will be the firewall interfaces on both sides. I have
> found that if I uncheck "Accept ICMP" in the policy, I get timeout marks
> like this: * * * when the traffic hits the firewall. I don't want to keep
> this on unless I have to. Any ideas? Can't I just have "Accept ICMP"
> unchecked and put in explicit ping rules?
>
> Thanks :)
>
> -Sa
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================


