Block ICMP to FTD Device Interface IP in FDM

MxShay — Wed, 16 Sep 2020 21:59:37 GMT

Hello everyone,

I have a small Firepower 1010 appliance without FMC. One requirement here is to block pings to the IPs of the device / its interfaces.
My research revealed that this setting can be set in the FMC via the platform settings using ICMP rules.
But since I only manage the appliance via the FDM, how can I block incoming pings directed to the firewall itself? Within the WebUI I did not find a corresponding setting, the same applies to the CLI.

Cheers and thanks!

Re: Block ICMP to FTD Device Interface IP in FDM

Francesco Molino — Thu, 17 Sep 2020 02:58:27 GMT

At the bottom of the main dashboard on FDM, go to Advanced Configuration.

Create a Flexconfig Object like:

icmp deny any inside

and the following command on negate field:

no icmp deny any inside

It could also be:

icmp permit x.x.x.x 255.255.255.0 inside

and the following on negate field:

no icmp permit x.x.x.x 255.255.255.0 inside

Then attach this object on Flexconfig policy and deploy the config.

The platform setting ICMP configuration on FMC pushes this configuration directly to lina and let you avoid creating a manual flexconfig.

topic Block ICMP to FTD Device Interface IP in FDM in Network Security

Block ICMP to FTD Device Interface IP in FDM

Re: Block ICMP to FTD Device Interface IP in FDM