Disable ICMP response on the IPS management interface!

    • Updated: 22 Dec 2017
    • Product/Version: TippingPoint IPS N-series All; TippingPoint IPS NX-series All; TippingPoint IPS S-series All
    • Platform:
Summary

Many network administrators feel that ICMP is a security risk and should therefore always be blocked. ICMP does have some security issues associated with it, and a lot of ICMP should be blocked. However, ICMP also has many important features: some are useful for troubleshooting, while others are essential for a network to function correctly. This procedure disables ICMP responses on the IPS management interface.

Details
1. Connect to the CLI and log in using a SuperUser account.
2. Check whether ICMP is allowed by issuing the "show host" command.

- The output will resemble the following:
TP10# show host
Host IP                   = 192.168.2.127/24
IPv6 State                = Disabled
IPv6 Autoconfig           = Disabled
IPv4 Default Gateway      = 192.168.2.1
Host Name                 = TP10
Location                  = 224E
FIPS Active Mode          = Disable
FIPS Cfg Mode             = Disable
ICMP Packets              = Not Blocked
IP Filters                = 0
3. Configure the IPS to no longer respond to ICMP traffic by issuing the following command:
            conf t host ip-filter deny any icmp

4. Check that ICMP is blocked by re-issuing the "show host" command.
- The output will resemble the following:
TP10# show host
Host IP                   = 192.168.2.127/24
IPv6 State                = Disabled
IPv6 Autoconfig           = Disabled
IPv4 Default Gateway      = 192.168.2.1
Host Name                 = TP10
Location                  = 224E
FIPS Active Mode          = Disable
FIPS Cfg Mode             = Disable
ICMP Packets              = Blocked
IP Filters                = 0
5. To return to the default setting, issue the following CLI command:
            conf t host ip-filter permit any icmp
 
Note: This filter can only be used with the wildcard "any" to specify the ip-network. It is not possible to specify ranges that are able to ping the IPS and other ranges that cannot ping the IPS.
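
A check for the verification in steps 2 and 4, added here as an example (not Trend Micro's code): it parses saved "show host" output and lists devices that are not confirmed as blocking ICMP. The capture text, the second device TP11 and its address are constructed, and the field layout is assumed to match the output shown above.

```python
import re

# Constructed sample captures in the "show host" layout shown above.
# TP11 and 192.168.2.128 are made-up values for illustration.
SAMPLE_CAPTURES = {
    "TP10": """\
TP10# show host
Host IP                   = 192.168.2.127/24
IPv6 State                = Disabled
ICMP Packets              = Blocked
IP Filters                = 0
""",
    "TP11": """\
TP11# show host
Host IP                   = 192.168.2.128/24
IPv6 State                = Disabled
ICMP Packets              = Not Blocked
IP Filters                = 0
""",
}

# "Name   = value" lines; the prompt line ("TP10# show host") has no "=" and is skipped.
FIELD_RE = re.compile(r"^\s*([^=#]+?)\s*=\s*(.*?)\s*$")

def parse_show_host(text):
    """Return the 'Name = value' fields of a show host capture as a dict."""
    fields = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields

def icmp_status(text):
    """Return 'blocked', 'not blocked', or 'unknown' for a capture."""
    value = parse_show_host(text).get("ICMP Packets", "").lower()
    # Compare the whole value: a substring test for "blocked"
    # would also match "Not Blocked".
    return value if value in ("blocked", "not blocked") else "unknown"

def audit(captures):
    """Return sorted device names not confirmed as blocking ICMP (fails closed)."""
    return sorted(n for n, t in captures.items() if icmp_status(t) != "blocked")

if __name__ == "__main__":
    for name in audit(SAMPLE_CAPTURES):
        print(f"{name}: ICMP {icmp_status(SAMPLE_CAPTURES[name])} on management interface")
```

A capture with a missing or unexpected "ICMP Packets" field is reported as "unknown" and treated as a finding rather than as compliant.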
 
Category: Configure; Troubleshoot; Deploy
Solution Id: TP000098568