https://community.cisco.com/t5/network-security/icmp-block-on-ftds/m-p/4953611#M1105574 <P><A href="https://community.cisco.com/t5/network-security/block-icmp-to-ftd-device-interface-ip-in-fdm/td-p/4152340" target="_blank">https://community.cisco.com/t5/network-security/block-icmp-to-ftd-device-interface-ip-in-fdm/td-p/4152340</A></P> <P>use flexconfig to deny ICMP toward FTD interface (not ICMP bypass FTD)<BR /><BR />Thanks A Lot <BR />MHM</P> Sat, 04 Nov 2023 16:18:42 GMT MHM Cisco World 2023-11-04T16:18:42Z https://community.cisco.com/t5/network-security/icmp-block-on-ftds/m-p/4951873#M1105486 <P>Hello Team,</P><P>Managing my FTDs via FMC. Needed help to restrict ICMP on outside interfaces, but allow a few internal endpoints to PING them, for SNMP and other reasons.</P><P>Once i do this under platform settings, ICMP is blocked to all, even on the permitted endpoints. Am i doing anything wrong?</P><P>Your support will be appreciated.</P> Wed, 01 Nov 2023 07:07:15 GMT https://community.cisco.com/t5/network-security/icmp-block-on-ftds/m-p/4951873#M1105486 fmugambi 2023-11-01T07:07:15Z https://community.cisco.com/t5/network-security/icmp-block-on-ftds/m-p/4952297#M1105503 <P>Hello fmugambi,</P> <P>Can you provide more information into what objects and ICMP service are you using for your configuration? If this configuration affects data interfaces you can also create two ACP Rules, one blocking ICMP traffic and other allowing the traffic and you can define which hosts/networks should be blocked specifically there.</P> <P>Best regards!</P> Wed, 01 Nov 2023 23:44:12 GMT https://community.cisco.com/t5/network-security/icmp-block-on-ftds/m-p/4952297#M1105503 rveracon 2023-11-01T23:44:12Z https://community.cisco.com/t5/network-security/icmp-block-on-ftds/m-p/4952390#M1105506 <P>Under platform settings, then a policy, ICMP Access&nbsp; , ICMP UnReachable ..</P><P>Is this the correct way?</P> Thu, 02 Nov 2023 06:09:21 GMT https://community.cisco.com/t5/network-security/icmp-block-on-ftds/m-p/4952390#M1105506 fmugambi 2023-11-02T06:09:21Z https://community.cisco.com/t5/network-security/icmp-block-on-ftds/m-p/4952776#M1105547 <P>what are the values here? did you use Deny as action?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="HeraldSison_0-1698944834030.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201477i4E0B6960D9739A9F/image-size/medium?v=v2&amp;px=400" role="button" title="HeraldSison_0-1698944834030.png" alt="HeraldSison_0-1698944834030.png" /></span></P><P>&nbsp;</P> Thu, 02 Nov 2023 17:07:44 GMT https://community.cisco.com/t5/network-security/icmp-block-on-ftds/m-p/4952776#M1105547 Herald Sison 2023-11-02T17:07:44Z https://community.cisco.com/t5/network-security/icmp-block-on-ftds/m-p/4953031#M1105552 <P>Yes I did, and a different entry for permit for endpoints I would wish to reach this ICMP.</P><P>But ends up blocking all endpoints.</P><P>I as well presume it evaluates the rules top-down, correct?</P> Fri, 03 Nov 2023 05:50:23 GMT https://community.cisco.com/t5/network-security/icmp-block-on-ftds/m-p/4953031#M1105552 fmugambi 2023-11-03T05:50:23Z https://community.cisco.com/t5/network-security/icmp-block-on-ftds/m-p/4953424#M1105568 <P>Hello fmugambi,</P> <P>&nbsp;</P> <P>Is there a particular reason why you are using ICMP type 3 (destination unreachable)? What might be happening is that you declare a rule for ICMP 3 denying traffic, then you permit ICMP 3 traffic on other rules, but the actual type you receive on the firewall are type 8 (ICMP requests). So what ends up happening like any kind of ACL is that there is no rule allowing that traffic which ends up dropping everything on the implicit deny rule that exists.</P> <P>&nbsp;</P> <P>Try creating an ICMP rule with type 8 (echo requests) allowing some hosts and test if those hosts can ping again.</P> <P>&nbsp;</P> <P>Best regards!</P> Fri, 03 Nov 2023 23:05:09 GMT https://community.cisco.com/t5/network-security/icmp-block-on-ftds/m-p/4953424#M1105568 rveracon 2023-11-03T23:05:09Z https://community.cisco.com/t5/network-security/icmp-block-on-ftds/m-p/4953611#M1105574 <P><A href="https://community.cisco.com/t5/network-security/block-icmp-to-ftd-device-interface-ip-in-fdm/td-p/4152340" target="_blank">https://community.cisco.com/t5/network-security/block-icmp-to-ftd-device-interface-ip-in-fdm/td-p/4152340</A></P> <P>use flexconfig to deny ICMP toward FTD interface (not ICMP bypass FTD)<BR /><BR />Thanks A Lot <BR />MHM</P> Sat, 04 Nov 2023 16:18:42 GMT https://community.cisco.com/t5/network-security/icmp-block-on-ftds/m-p/4953611#M1105574 MHM Cisco World 2023-11-04T16:18:42Z