Cisco Firepower 7.4.2 rules enable outbound traceroute

tryingtofixit (Level 1)

ouch, posted in wrong forum.

I have tried using the platform settings ICMP options to let Windows traceroute out to the internet, failed.

Another FP admin shared these rules below with me. They work, but what else do I need to do to make them secure? These are the absolute bare minimum ports that allow Windows to traceroute out to the internet.

rule01: inside to outside allowing only these ports:

icmp-eq-req
icmp-time-exceeded
icmp-unreachable
udp-traceroute udp-33434-33464

rule02: outside to inside allowing only these ports:

icmp-eq-req
icmp-time-exceeded
icmp-unreachable
udp-traceroute udp-33434-33464

Any suggestions?
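An added example (not from the post, and not Cisco code): a small Python model of the packets one traceroute exchange produces at the firewall, used to check the posted rules. It assumes the firewall tracks ICMP echo replies and ICMP error messages against the outbound probe that triggered them (ICMP inspection behaviour, which is a different knob from the platform-settings ICMP options that govern ICMP sent to the device itself); rule names and port sets are taken from the post.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    direction: str      # "out" (inside->outside) or "in" (outside->inside)
    proto: str          # "icmp" or "udp"
    kind: str           # ICMP type name, or UDP destination port
    reply_to: str = ""  # non-empty when the packet answers an outbound probe

@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    kinds: frozenset    # ICMP types or UDP ports the rule permits

# Constructed from the rules in the post: 33434-33464 is the classic UDP
# traceroute port range; the ICMP types are the three the post names.
UDP_TR_PORTS = frozenset(str(p) for p in range(33434, 33465))
ICMP_KINDS = frozenset({"echo-request", "time-exceeded", "unreachable"})
RULE01 = [Rule("out", "icmp", ICMP_KINDS), Rule("out", "udp", UDP_TR_PORTS)]
RULE02 = [Rule("in", "icmp", ICMP_KINDS), Rule("in", "udp", UDP_TR_PORTS)]

def traceroute_packets(flavour: str) -> list[Pkt]:
    """Packets of one traceroute exchange as seen at the firewall.
    Windows tracert probes with ICMP echo request; Unix traceroute with UDP."""
    if flavour == "windows":
        probe = Pkt("out", "icmp", "echo-request")
        final = Pkt("in", "icmp", "echo-reply", "echo-request")   # from target
    else:
        probe = Pkt("out", "udp", "33434")
        final = Pkt("in", "icmp", "unreachable", "udp/33434")     # port unreachable
    hop_error = Pkt("in", "icmp", "time-exceeded", probe.kind)    # from each hop
    return [probe, hop_error, final]

def permitted(pkt: Pkt, rules: list[Rule], stateful_icmp: bool) -> bool:
    """Assumption: with stateful ICMP tracking, replies and ICMP errors that
    answer an outbound probe are admitted without any inbound rule."""
    if pkt.direction == "in" and pkt.reply_to and stateful_icmp:
        return True
    return any(r.direction == pkt.direction and r.proto == pkt.proto
               and pkt.kind in r.kinds for r in rules)

def traceroute_works(rules: list[Rule], stateful_icmp: bool, flavour: str) -> bool:
    return all(permitted(p, rules, stateful_icmp) for p in traceroute_packets(flavour))

def unsolicited_inbound(rules: list[Rule]) -> list[str]:
    """Inbound permissions that admit fresh probes from the internet, which no
    traceroute reply ever needs: these are the entries rule02 opens up."""
    probes = [Pkt("in", "icmp", "echo-request"), Pkt("in", "udp", "33434")]
    return [f"{p.proto}/{p.kind}" for p in probes if permitted(p, rules, True)]
```

Under the stateful assumption rule01 alone completes both Windows and Unix traces, while rule02 only adds unsolicited inbound echo requests and UDP probes; note also that neither posted rule lists echo-reply, so the Windows trace can only be completing because replies are already being tracked statefully.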

5 Replies

Why do you want to allow traceroute?

Useful in troubleshooting inside-to-outside issues with ISPs and vendors. We have some external services that won't even start a tech support ticket unless a tracert to their external site is placed inside a support ticket.

That's wild. What exactly does a traceroute tell them?

It's getting out of our firewall over the internet to their site. This helps them "know" you are not being blocked internally, or that you don't have internet connectivity (fails outbound), would be my guess. Something to use real quickly: "Not ME, it's YOU!"

Yeah, but just because ICMP works outbound doesn't mean their app does.