
FTD Rules

Otvforte
Level 1

I'm learning the basics of FTD (FP1010) and doing some tests. Using FDM, I create an ACE rule to block ICMP (any type, any network). It's the first rule, on top of the other policies, set up as Block and log. I can see the rule being triggered if I try to ping an external destination like 8.8.8.8, but not if I ping the LAN address of the FTD. In the same way, this rule is ineffective at blocking pings from Outside to the WAN address of the FTD.

I've read some Cisco documents, but I couldn't fully understand this behavior yet. Could you explain?

Thank you,


10 Replies

wajidhassan
Level 3

Hi @Otvforte ,

This behavior is expected with Cisco FTD ACE rules. The ACE policies apply only to traffic passing through the FTD, not to traffic destined to or originating from the FTD device interfaces themselves.

  • When you ping an external IP (like 8.8.8.8), the traffic passes through the FTD, so the ACE rule blocks it as configured.

  • However, pings directed to the FTD’s own LAN or WAN interface IP addresses are handled internally by the device’s management plane and are not subject to ACE policies.

To control ICMP to the FTD interfaces, you need to configure ICMP filtering or management access controls within the FTD’s device management settings or platform configuration.

@Otvforte the Access Control policy controls traffic routed "through" the FTD, not "to" the FTD itself. 

FYI, control plane ACL does not filter ICMP traffic to the FTD/ASA's interface.

Otvforte
Level 1

Understood, thanks for all the answers. Given this default behavior, I understand that blocking ICMP on the WAN public interface is not a concern, right?

@Otvforte I don't think you can restrict ICMP to the FTD itself when using FDM, you can if using FMC for management under the Platform Settings. You may be able to apply the ASA equivalent commands "icmp deny x.x.x.x" using Flexconfig on FDM, I've never tried though and the command may be blocklisted. 

If it is a concern, apply an ACL in the router in front of the FTD and deny icmp to the FTD's WAN interface IP address and permit the rest of the traffic.
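The upstream-router ACL suggested in the reply above, written out as an added example in Cisco IOS syntax (it is not from the thread, the Cisco guide, or the FTD itself). The FTD WAN address 203.0.113.10, the interface name GigabitEthernet0/0 and the ACL name are constructed placeholders; replace them with your own values.

```cisco
! Constructed example: 203.0.113.10 stands in for the FTD's WAN interface IP,
! GigabitEthernet0/0 for the router's Internet-facing interface.
ip access-list extended DENY-ICMP-TO-FTD
 remark Drop only ICMP echo requests aimed at the FTD's WAN address.
 remark Other ICMP types (unreachable, time-exceeded) are left alone so
 remark path-MTU discovery and traceroute toward the FTD keep working.
 deny   icmp any host 203.0.113.10 echo log
 remark Everything else, including ping to hosts behind the FTD, is unchanged;
 remark through-traffic is still governed by the FTD's own access control policy.
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group DENY-ICMP-TO-FTD in
!
! Verification: per-ACE hit counters, and the "log" keyword on the deny entry
! produces a syslog message for each dropped echo request so the drops are visible.
! show access-lists DENY-ICMP-TO-FTD
```

The reply above proposes denying all ICMP to the WAN address; narrowing the deny to echo requests is a design choice here, because dropping every ICMP type to the firewall's own address also silences the unreachable and time-exceeded messages its own connections (for example remote-access or site-to-site VPN) rely on. This ACL only covers the Internet side; pings from the LAN to the FTD's inside interface are not affected by it.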

Use control plane.

If it does not work, inform me and I will share another solution.

MHM


@MHM Cisco World wrote:

Use control plane.

If it does not work, inform me and I will share another solution.

MHM


@MHM Cisco World 

RobIngram_0-1751994048115.png


concern or not 
Screenshot (274).png

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/hardening/threat_defense/Threat_Defense_Hardening_Guide_v76.html

There is a huge difference between FMC and FDM; some features need FMC.
Check this guide on how to harden the FTD.

MHM

Otvforte
Level 1

Thank you, I'll try learning / using ACL control plane.
