The MX default firewall changed and my Security Appliances now drop all external ICMPv4 pings. This is a good thing, except I'm really weak on how to create groups and objects to re-permit from expected sources, like monitoring apps/locations such as my backbone ISP's monitoring ping tests. It's complicated by the fact that my branch networks are bound to one shared template, so I can't individually configure each branch with a narrow firewall profile.
Example, which re-enables tests from my hub campus to the remote branch LANs (via VPN):
Policy | Rule Description | Protocol | Source | Src port | Destination | Dst port |
Allow | Allow pings - Hub | ICMPv4 | Hub Private, Hub Public | Any | Internal LANs | Any |
I can define 'Internal LANs' easily because they're all uniform. This is in place and works, easy enough.
I need:
Allow | ISP pings | ICMPv4 | ISP IPv4 Addresses (or Any?) | Any | External WAN | Any |
I need to know how to define the 'External WAN port' group or object without listing every branch MAC interface port, or IP address (most are dynamic at the mercy of the ISP), or inputting over 100 variables for my devices and tens of IP ranges for all of my varied ISPs.
Thanks for any suggestions or recommendations.
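Added worked example, not part of the post above and not Meraki's own code: it tackles the source side of the 'ISP pings' rule, which is the part that can be narrowed regardless of how the WAN destination ends up being expressed. It collapses the tens of ISP ranges into a minimal CIDR list, emits the policy-object and object-group bodies in the field layout the Meraki Dashboard API uses (`category`/`type`/`cidr`, `objectIds`), builds the firewall rule referencing the group as `GRP(<id>)`, and refuses a rule whose source is `Any`, since that would re-open ICMP from the whole internet. The sample ranges are constructed RFC 5737 documentation prefixes, the group id 42 is hypothetical (real ids come back from the API when the objects are created), and `destCidr="Any"` is an assumption left for the caller, because which destination value matches the MX's own WAN address in an inbound rule is exactly what the post is asking and this example does not settle it.

```python
import ipaddress
from typing import Iterable

# Constructed sample input (not from the post): monitoring source ranges as an ISP
# might hand them over. RFC 5737 documentation prefixes, not real ISP addresses.
ISP_MONITOR_RANGES = [
    "198.51.100.0/25", "198.51.100.128/25",  # adjacent halves, merge into one /24
    "203.0.113.10", "203.0.113.10/32",       # same host written twice
    "192.0.2.64/26", "192.0.2.0/24",         # the /26 is already inside the /24
]


def collapse_ranges(ranges: Iterable[str]) -> list[str]:
    """Deduplicate and merge overlapping/adjacent IPv4 ranges into the minimal CIDR list.

    Fewer objects means fewer rule variables, and a stale or wrong entry is easier
    to spot in a short list.
    """
    nets = [ipaddress.ip_network(r, strict=False) for r in ranges]
    v4 = [n for n in nets if n.version == 4]  # the rule is ICMPv4, so drop any v6 entries
    return [str(n) for n in ipaddress.collapse_addresses(v4)]


def policy_objects(name_prefix: str, cidrs: Iterable[str]) -> list[dict]:
    """Bodies for POST /organizations/{organizationId}/policyObjects, one per CIDR."""
    return [
        {"name": f"{name_prefix}-{i}", "category": "network", "type": "cidr", "cidr": c}
        for i, c in enumerate(cidrs, start=1)
    ]


def policy_object_group(name: str, object_ids: Iterable[int]) -> dict:
    """Body for POST /organizations/{organizationId}/policyObjects/groups.

    object_ids are the ids the API returned when the objects were created.
    """
    return {"name": name, "objectIds": list(object_ids)}


def inbound_icmp_rule(src_group_id: int, dest_cidr: str, comment: str) -> dict:
    """One rule in the shape the MX firewall-rules API accepts.

    GRP(<id>) is how a rule refers to a policy-object group instead of a literal
    CIDR. dest_cidr is the caller's assumption (see lead-in); this function does
    not decide what matches the WAN address.
    """
    return {
        "comment": comment,
        "policy": "allow",
        "protocol": "icmp",
        "srcCidr": f"GRP({src_group_id})",
        "srcPort": "Any",
        "destCidr": dest_cidr,
        "destPort": "Any",
        "syslogEnabled": True,  # log the allowed pings so an unexpected source shows up
    }


def check_rule(rule: dict) -> list[str]:
    """Return the reasons a rule should not be pushed; an empty list means it passes."""
    problems = []
    if rule["policy"] != "allow" or rule["protocol"] != "icmp":
        problems.append("not an ICMP allow rule")
    src = rule["srcCidr"].strip()
    if src.lower() == "any":
        problems.append("source is Any: re-opens ICMP from the whole internet, "
                        "which is what the new default was meant to stop")
    if not (src.startswith("GRP(") or src.startswith("OBJ(")):
        problems.append("source is a literal CIDR: use an object or group so every "
                        "template-bound branch picks up address changes in one place")
    return problems


def build_isp_ping_rule(ranges: Iterable[str], group_id: int,
                        dest_cidr: str = "Any") -> tuple[list[dict], dict]:
    """Collapse the ranges, emit the objects, and emit the rule that references the group."""
    cidrs = collapse_ranges(ranges)
    objects = policy_objects("isp-monitor", cidrs)
    rule = inbound_icmp_rule(group_id, dest_cidr, "ISP pings")
    return objects, rule


if __name__ == "__main__":
    objs, rule = build_isp_ping_rule(ISP_MONITOR_RANGES, group_id=42)  # 42 is hypothetical
    print(collapse_ranges(ISP_MONITOR_RANGES))
    print(policy_object_group("isp-monitor", [101, 102, 103]))  # hypothetical object ids
    print(rule, check_rule(rule))
    print(check_rule(dict(rule, srcCidr="Any")))
```

The objects and group are organization-wide, so a rule in the shared template can reference `GRP(<id>)` once and every branch bound to that template inherits it; when an ISP changes its monitoring range, only the object changes, not the rule.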