Enabling the ping operation on the interface of the firewall


Allow or prohibit the ping operation on the USG interface as follows:

CLI
[USG]int g9/0/1
[USG-GigabitEthernet9/0/1]service-manage enable        // Enable the access management function on the interface.
[USG-GigabitEthernet9/0/1]service-manage ping permit   // Allow the ping operation on the interface.
[USG-GigabitEthernet9/0/1]service-manage ping deny     // Prohibit the ping operation on the interface.


Web UI
1. Choose Network > Interface, select the interface for which the ping operation is to be enabled, and click Edit.
2. Select Access Management.
3. Select ping and click OK.
Deselect ping and click OK to disable the ping operation.
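
To check the result of the setting above across many interfaces, the following Python script reads saved configuration text and reports the access-management ping setting of each interface. It is an added example, not code from the original page or from the vendor. The stanza layout of the configuration text, the sample addresses and the function name audit_ping are assumptions; a permit without an explicit service-manage enable line is flagged "review" instead of being guessed.

```python
import re

# Constructed sample, not from a real device. Assumed layout: one
# "interface <name>" stanza per interface, indented settings, "#" separators.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet9/0/1
 ip address 192.0.2.1 255.255.255.0
 service-manage enable
 service-manage ping permit
#
interface GigabitEthernet9/0/2
 ip address 198.51.100.1 255.255.255.0
 service-manage enable
 service-manage ping deny
#
interface GigabitEthernet9/0/3
 ip address 203.0.113.1 255.255.255.0
 service-manage ping permit
#
"""

def audit_ping(config_text):
    """Map each interface to 'permit', 'deny', 'review' or 'unset'."""
    seen, current = {}, None
    for raw in config_text.splitlines():
        header = re.match(r"interface\s+(\S+)\s*$", raw)
        if header:
            current = header.group(1)
            seen[current] = {"enabled": False, "ping": None}
        elif not raw.startswith(" "):
            current = None  # "#" or any unindented line ends the stanza
        elif current:
            line = raw.strip()
            if line == "service-manage enable":
                seen[current]["enabled"] = True
            ping = re.match(r"service-manage ping (permit|deny)$", line)
            if ping:
                seen[current]["ping"] = ping.group(1)  # last setting wins
    verdicts = {}
    for name, s in seen.items():
        if s["ping"] == "permit" and not s["enabled"]:
            # permit without an explicit "service-manage enable" line:
            # flag for manual review rather than guessing the effective state
            verdicts[name] = "review"
        else:
            verdicts[name] = s["ping"] or "unset"
    return verdicts

if __name__ == "__main__":
    for name, verdict in audit_ping(SAMPLE_CONFIG).items():
        print(f"{name}: {verdict}")
```

Interfaces reported as "permit" answer ping through access management; keep that list limited to the interfaces where reachability testing is actually needed.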

Other related questions:
Can the IP address of a VLANIF interface in a DAI-enabled VLAN be successfully pinged?
Dynamic ARP Inspection (DAI) is enabled in a VLAN or on a physical interface in the VLAN, and VLANIF interfaces are configured in the VLAN. To successfully ping the IP address of the VLANIF interface from the VLAN or the physical interface in the VLAN, the source IP address of the ping packet must match an entry in the static DHCP snooping binding table.

How to locate the ping failure
When the ping operation fails, locate the fault based on the following troubleshooting roadmap:
1. Check whether the AR interface is Up and whether the IP address is configured correctly. Commands: display interface brief and display ip interface [ < interface-type > < interface-number > ]
2. If a Layer 2 interface is used, check whether STP is running on the AR and whether the physical interface through which the ping packets pass is blocked. Command: display stp [ instance < instance-id > ] [ interface < interface-type > < interface-number > ] [ brief ]
3. Check whether routes are reachable. If routes are unreachable, troubleshoot the fault. Command: display ip routing-table
4. Check whether policies are configured on the local and remote devices. If the remote device is a firewall, check whether the remote interface is added to a zone and whether the inter-zone rule is enabled.
5. Check whether ARP entries of the direct route are learned correctly. If ARP entries cannot be learned, check whether strict ARP learning is enabled. Disable strict ARP learning and try again. If the fault persists, perform the ping operation on one device and, based on ARP packet statistics, check whether ARP request packets are sent out from the interface and whether the remote device sends ARP reply packets. Commands: display arp and display arp learning strict
6. If none of the preceding problems is found, collect statistics on ICMP packets to determine where packets are lost and locate the packet loss point.

Use the USG firewall ping command.
The ping command on the USG2000 & 5000 & 6000 is explained and used as follows:
The ping (Packet Internet Groper) command is the most common debugging tool for detecting whether a network device is reachable. It uses ICMP echo messages (ICMPv6 for IPv6) to determine:
1. Whether the remote device is available.
2. The round-trip delay of communication with the remote host.
3. Whether packets are lost.
The ping command is mainly used to check whether the network connection and the host are reachable.
Example: check whether the host with IP address 10.1.1.2 is reachable.
ping 10.1.1.2
Ping 10.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes = 56 sequence = 1 ttl = 255 time = 1ms
Reply from 10.1.1.2: bytes = 56 sequence = 2 ttl = 255 time = 2ms
Reply from 10.1.1.2: bytes = 56 sequence = 3 ttl = 255 time = 1ms
Reply from 10.1.1.2: bytes = 56 sequence = 4 ttl = 255 time = 3ms
Reply from 10.1.1.2: bytes = 56 sequence = 5 ttl = 255 time = 2ms
--- 10.1.1.2 ping statistics ---
5 packets transmitted
5 packets received
0% packet loss
Round-trip min / avg / max = 1/2/3 ms
