topic Re: FTD Rules in Network Security

FTD Rules

Otvforte — Tue, 08 Jul 2025 13:47:37 GMT

I'm learning the basics of FTD (FP1010) and doing some tests. Using FDM, I create an ACE Rule to block ICMP (any type, any network). It’s the first rule on top of other policies, setup as Block and log. I can see the rule being triggered if I try to ping an external destination like 8.8.8.8, but not if I ping the LAN address of FTD. The same way, this rule is ineffective to block pings from Outside to the WAN address of FTD.

I’ve read some Cisco documents, but I couldn't fully understand this behavior yet. Could explain ?

Thank you,

Re: FTD Rules

wajidhassan — Tue, 08 Jul 2025 13:53:02 GMT

Hi @Otvforte ,

This behavior is expected with Cisco FTD ACE rules. The ACE policies apply only to traffic passing through the FTD, not to traffic destined to or originating from the FTD device interfaces themselves.

When you ping an external IP (like 8.8.8.8), the traffic passes through the FTD, so the ACE rule blocks it as configured.
However, pings directed to the FTD’s own LAN or WAN interface IP addresses are handled internally by the device’s management plane and are not subject to ACE policies.

To control ICMP to the FTD interfaces, you need to configure ICMP filtering or management access controls within the FTD’s device management settings or platform configuration.

Re: FTD Rules

Rob Ingram — Tue, 08 Jul 2025 13:53:09 GMT

@Otvforte the Access Control policy controls traffic routed "through" the FTD, not "to" the FTD itself.

Re: FTD Rules

MHM Cisco World — Tue, 08 Jul 2025 14:11:54 GMT

To the box

Use ACL control plane

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221457-configure-control-plane-access-control-p.html

Through the Box

Use ACL (what you config)

MHM

Re: FTD Rules

Rob Ingram — Tue, 08 Jul 2025 14:39:22 GMT

FYI, control plane ACL does not filter ICMP traffic to the FTD/ASA's interface.

Re: FTD Rules

Otvforte — Tue, 08 Jul 2025 16:16:22 GMT

Understood, thanks for all answers. By this default behavior, I understand that blocking ICMP on Wan public interface is not a concern, right ?

Re: FTD Rules

Rob Ingram — Tue, 08 Jul 2025 16:31:14 GMT

@Otvforte I don't think you can restrict ICMP to the FTD itself when using FDM, you can if using FMC for management under the Platform Settings. You may be able to apply the ASA equivalent commands "icmp deny x.x.x.x" using Flexconfig on FDM, I've never tried though and the command may be blocklisted.

If it is a concern, apply an ACL in the router in front of the FTD and deny icmp to the FTD's WAN interface IP address and permit the rest of the traffic.

Re: FTD Rules

MHM Cisco World — Tue, 08 Jul 2025 16:58:27 GMT

Use control plane

If not work inform me I will share other solution

MHM

Re: FTD Rules

Rob Ingram — Tue, 08 Jul 2025 17:06:31 GMT

@MHM Cisco World wrote:

Use control plane

If not work inform me I will share other solution

MHM

@MHM Cisco World

Re: FTD Rules

MHM Cisco World — Tue, 08 Jul 2025 17:18:21 GMT

concern or not

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/hardening/threat_defense/Threat_Defense_Hardening_Guide_v76.html

there is huge different between FMC and FDM
some feature need FMC
check this guide how you harden the FTD

MHM

Re: FTD Rules

Otvforte — Tue, 08 Jul 2025 18:39:20 GMT

Thank you, I'll try learning / using ACL control plane.