Enabling traceroute through FTD managed by FMC for ThousandEyes

atsukane
Level 1

Hi team,

We are currently running ThousandEyes POV.

Since our FTD is not allowing traceroute through it, the path visualisation part is not showing the correct path. 

We have 2 BGP peers to SaaS with ECMP, but as FTD is not allowing traceroute, it looks like source to destination and destination to source are taking different paths. The FTD should be where I pointed at.

[image attachment: atsukane_0-1710336475084.png]

I've found the below Cisco doc to allow traceroute through the firewall and thinking of applying this change to allow traceroute.

Allow Traceroute through Firepower Threat Defense (FTD) - Cisco

Before I do, I have a few questions:

  • security implications of allowing traceroute on perimeter firewall?
  • once the change is made, would this allow traceroute from anywhere, or only between hosts explicitly allowed in the ACP?
  • and what the optional Step 3 is for?

"Step 3. Permit ICMP on Inside and Outside, and Increase the Rate Limit to 50 (optional).

Navigate to Devices > Platform Settings and then Edit or Create a new Firepower Threat Defense platform settings policy and associate it to the device. Choose ICMP from the table of contents and Increase the Rate Limit. For example, to 50 (You can ignore the Burst Size) and then click Save, and proceed to Deploy the Policy to the device, as shown in the image:

  • Rate Limit: Sets the rate limit of unreachable messages, between 1 and 100 messages per second. The default is 1 message per second.

  • Burst Size: Sets the burst rate, between 1 and 10. This value is not currently used by the system."

I'm waiting for Cisco to come back with the answers as well, but thought to ask here too.

Many thanks in advance.



4 Replies

@atsukane if you are concerned about allowing traceroute from anywhere inside your LAN, restrict the source from trusted source(s) only.

thanks @Rob Ingram 

apologies for a primitive question, but when you say source/s, would that be restricting interface/zone using service policy/platform settings, or restricting network/host using access control policy? 

@atsukane define source network(s) as per the extended ACL in the link you provide.

Perfect, thank you!
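For readers following the thread, here is an added illustration (not from the original posts and not from the linked Cisco document) of what the three changes look like in ASA-style syntax, which is the form FMC ultimately deploys to the FTD. It ties together the accepted answer (restrict the extended ACL to trusted sources rather than "any") and the question about the optional Step 3 (the ICMP rate limit). Object names, interface names, the agent addresses and the UDP port range are placeholders; the exact objects FMC generates will differ.

```text
! Added example, not configuration from the thread or the Cisco doc.
! Names and addresses below are placeholders.

! Outbound: only the trusted ThousandEyes agents may originate traceroute
! (UDP high ports or ICMP echo), not every host on the inside network.
object-group network TE_AGENTS
 network-object host 10.1.10.21
 network-object host 10.1.10.22
access-list INSIDE_IN extended permit udp object-group TE_AGENTS any range 33434 33534
access-list INSIDE_IN extended permit icmp object-group TE_AGENTS any echo
access-group INSIDE_IN in interface inside

! Return path: traceroute relies on ICMP time-exceeded (type 11) from every
! intermediate hop and unreachable (type 3) from the final host. The hop
! addresses cannot be predicted, so the restriction goes on the destination
! (the agents) instead of "any" on both sides.
access-list OUTSIDE_IN extended permit icmp any object-group TE_AGENTS time-exceeded
access-list OUTSIDE_IN extended permit icmp any object-group TE_AGENTS unreachable
access-group OUTSIDE_IN in interface outside

! Make the FTD itself appear as a hop: by default the TTL is not decremented
! as packets pass through, so the firewall is invisible in the path view.
policy-map global_policy
 class class-default
  set connection decrement-ttl

! Step 3 (optional): the time-exceeded/unreachable messages the FTD generates
! on its own behalf are rate-limited to 1 per second by default. Probes sent in
! parallel (ECMP paths, several TTLs at once) would see most replies dropped,
! which shows up as missing hops; 50/sec leaves headroom without being open-ended.
icmp unreachable rate-limit 50 burst-size 1
```

The lines that answer the "from anywhere?" question are the two `access-list` sets: scoping them to `TE_AGENTS` means an arbitrary internal host still cannot trace through the perimeter, and the inbound ICMP error messages are only accepted toward the agents. Leaving the rate limit at the default is safe but makes the rendered path unreliable, which is why the doc calls that step optional rather than required.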
