What is the correct rule to use to allow ICMP packets to pass through a Check Point FireWall-1 firewall? If you have two segments behind a firewall, and you have a rule to allow all hosts behind one of the segments to ICMP all hosts on the other segment, how do you set up the rule?
I set a rule to allow the host group for the source segment to ICMP to the host group for the destination segment. The firewall log shows an Accept when an ICMP travels from the source to the destination. But the return ICMP packet never arrives back to the source. I then tried to set a second rule to allow ICMP from the destination back to the source. This made no difference. There is no error packet in the log anywhere around the Accept for ICMP, so whatever is failing is doing so in a way that is invisible to the firewall log.
I am trying to avoid the "Allow ICMP" setting on the Properties dialog because it seems far too permissive. I want to find a more strictly correct way to enable specific ICMPs, using just the ruleset, and I want all ICMP traffic to be visible in the log.