3.17 Ensure Accept ICMP Requests is not enabled

Information

'Accept ICMP requests' is a global property setting that allows ICMP requests from any location. ICMP is used to send control messages (for example, ping, destination unreachable, source quench, route change) to other systems. These rules are considered rule zero and are executed before any user-defined rules.

Rationale:

If this rule is enabled, it allows echo requests, timestamp requests, information requests, and mask requests. A malicious user can use this to create a denial-of-service condition by flooding the network with broadcast echo requests, and to expose mask request information. The security policy is made up of rules in the Firewall Rule Base. In addition to the rules defined by the administrator, the Check Point Security Gateway also creates Implied Rules, which are defined in the Firewall Global Properties. The Check Point Security Gateway places the implied rules first, last, or before last in the Firewall Rule Base. The administrator can decide whether or not to log implied rules.

First > The Implicit rule will be placed before the explicit rules.

Last > The Implicit rule will be placed after the explicit rules.

Before Last > The Implicit rule will be placed before the last explicit rule.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Go to the following path and configure the Accept ICMP Requests setting.

SmartConsole > Gateways & Servers > select each Gateway > Firewall
Uncheck Accept ICMP Requests

See Also

https://workbench.cisecurity.org/files/2828

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: CheckPoint

Control ID: 21ef104aeb9e535d0f56527ab24b214ebcc1972502d14d5faf4c56d34676bef2