Azure Firewall ICMP Protocol

Prachi D 40 Reputation points
2025-01-24T15:31:31.38+00:00

Hi,

I need to allow a Domain Controller on the Azure platform, which is behind Azure Firewall, to communicate with the customer's Domain Controller. For that I need to allow the ICMP protocol. When I tried to allow ICMP in a firewall network rule, I found that it is compulsory to specify a port for the ICMP protocol as well.

In this case, what can I put in the port field, or can I put a wildcard (*) if there is no specific port? Will that cause any security issue if I put the port as *?

One more thing: I have to add bidirectional rules for connectivity from my DC to the client DC and vice versa. In that case, do I need to create separate inbound and outbound rules, or is just one enough? If only one is enough, what will happen if I specify both inbound and outbound separately?


Accepted answer
  1. Sai Prasanna Sinde 3,495 Reputation points Microsoft Vendor
    2025-01-27T09:36:27.0633333+00:00

    Hi @prachi deokate

    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    Please go through the below points:

    • Yes, when adding ICMP as a protocol in Azure Firewall's network rules, it asks for a port. This is a bit misleading because ICMP doesn't traditionally use ports like TCP or UDP.
    • When Azure Firewall prompts for a port for ICMP, you must enter a value. However, because ICMP doesn't use ports, the value you enter is essentially ignored. A common practice is to use "*" or "any" in this field.
    • Using * for the port in an ICMP rule within Azure Firewall does not pose a significant security risk.
    • Azure Firewall will correctly interpret this rule as applying to all ICMP traffic, regardless of the port specified. This is because the firewall fundamentally understands how ICMP works.
    • The Azure Firewall interface likely uses a consistent format for all network rules, regardless of the protocol. This simplifies the user experience and internal processing.
    • Even though the port field isn't meaningful for ICMP, it's included to maintain this consistency.
    • For bidirectional communication between your domain controller and the client's domain controller, you'll need to think about the directionality of traffic initiation.
    • Both sides initiate connections. If either domain controller can initiate the connection to the other, then you will indeed need two separate rules in your Azure Firewall:
    • Rule 1 (Outbound from your DC): Allows ICMP from your DC IP (Source) to the client DC's IP (Destination).
    • Rule 2 (Inbound to your DC): Allows ICMP from the client DC IP (Source) to your DC's IP (Destination).
    • Only one side initiates. If only your DC initiates connections to the client DC, then you might only need a rule that allows outbound traffic from your side.
    • However, the client DC still needs to be allowed to send ICMP replies to your DC. You may need to use application rules to create an allow list for responses.
    • Azure Firewall is stateful. This means that if you allow outbound traffic, the firewall will automatically permit the corresponding inbound response without needing a separate inbound rule, as long as the response is part of the same established connection.
    • However, if the client DC initiates a new connection at a later time, the inbound rule would be necessary for connections from both sides.
    • If you create both inbound and outbound rules when only one is strictly required, it generally won't cause problems.
    • The firewall will process the rules, and in many cases, the redundant rule simply won't be used. However, it's generally best practice to configure only the necessary rules to keep your firewall configuration clean and easier to understand.
    • Try to create both inbound and outbound rules to begin with. This will ensure bidirectional communication works regardless of who initiates.
    • Test thoroughly. Use ping and other relevant tools to verify connectivity from both your DC to the client's DC and vice versa.
    • Review the Firewall Logs. Azure Firewall provides detailed logs. Analyze them to understand the traffic flow and which rules are being hit. For your reference: https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-firewall-logs

    Kindly let us know if the above helps or you need further assistance on this issue.

    If it was helpful, please click "Upvote and Accept Answer" on this post to let us know.

    We're here to help, so if you have any further questions, don't hesitate to ask.

    Thanks,

    Sai.

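As an added example (not part of this thread or of Microsoft's own tooling), the following Python script builds the rule collection the accepted answer describes, in the JSON shape used by Azure Firewall policy rule collection groups (Microsoft.Network/firewallPolicies/ruleCollectionGroups): one ICMP network rule per direction, with "*" in the required port field, plus a check that the rules are scoped to the two DC addresses rather than to any address, and that each direction has its counterpart. The DC addresses, rule names and priority are constructed placeholders.

```python
import json

# Constructed placeholder addresses (assumed, not from the thread).
MY_DC = "10.10.0.4"            # DC in Azure, behind Azure Firewall
CUSTOMER_DC = "192.168.50.10"  # customer's DC on the far side


def icmp_rule(name, src, dst):
    """One Azure Firewall policy network rule for ICMP. The API insists on
    destinationPorts even for ICMP; '*' is the value the answer recommends,
    because ports carry no meaning for ICMP and the field is ignored."""
    return {
        "ruleType": "NetworkRule",
        "name": name,
        "ipProtocols": ["ICMP"],
        "sourceAddresses": [src],
        "destinationAddresses": [dst],
        "destinationPorts": ["*"],
    }


def dc_icmp_collection(my_dc, customer_dc, priority=100):
    """Filter rule collection with Rule 1 (outbound) and Rule 2 (inbound)
    from the answer, so either DC may initiate."""
    return {
        "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
        "name": "dc-icmp",
        "priority": priority,
        "action": {"type": "Allow"},
        "rules": [
            icmp_rule("my-dc-to-customer-dc", my_dc, customer_dc),
            icmp_rule("customer-dc-to-my-dc", customer_dc, my_dc),
        ],
    }


def check_collection(coll):
    """Return findings (empty list = pass). Since the port is ignored for
    ICMP, the real exposure is address scope: flag any '*' address, a port
    value other than '*', and a direction with no matching reverse rule."""
    findings, pairs = [], set()
    for r in coll["rules"]:
        if "ICMP" in r["ipProtocols"] and r["destinationPorts"] != ["*"]:
            findings.append(f"{r['name']}: ICMP port should be '*'")
        if "*" in r["sourceAddresses"] or "*" in r["destinationAddresses"]:
            findings.append(f"{r['name']}: address scope is any (*)")
        pairs.update((s, d) for s in r["sourceAddresses"]
                     for d in r["destinationAddresses"])
    for s, d in pairs:
        if (d, s) not in pairs:
            findings.append(f"no reverse rule for {d} -> {s}")
    return findings


if __name__ == "__main__":
    coll = dc_icmp_collection(MY_DC, CUSTOMER_DC)
    print(json.dumps(coll, indent=2))
    print(check_collection(coll) or "OK")
```

The JSON printed is the `rules`/`ruleCollections` body you would place in an ARM or Bicep rule collection group, or compare against what the portal created.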

0 additional answers
