11-01-2023 12:07 AM
Hello Team,
Managing my FTDs via FMC. I need help restricting ICMP on the outside interfaces, but allowing a few internal endpoints to ping them, for SNMP and other reasons.
Once I do this under Platform Settings, ICMP is blocked for all, even for the permitted endpoints. Am I doing anything wrong?
Your support will be appreciated.
11-01-2023 04:44 PM
Hello fmugambi,
Can you provide more information about which objects and ICMP service you are using for your configuration? If this configuration affects data interfaces, you can also create two ACP rules, one blocking ICMP traffic and the other allowing the traffic, and you can define there specifically which hosts/networks should be blocked.
Best regards!
11-01-2023 11:09 PM
Under Platform Settings, then a policy, ICMP Access, ICMP Unreachable...
Is this the correct way?
11-02-2023 10:07 AM
What are the values here? Did you use Deny as the action?
11-02-2023 10:50 PM
Yes I did, and a different entry for permit for endpoints I would wish to reach this ICMP.
But ends up blocking all endpoints.
I as well presume it evaluates the rules top-down, correct?
11-03-2023 04:05 PM
Hello fmugambi,
Is there a particular reason why you are using ICMP type 3 (destination unreachable)? What might be happening is that you declare a rule for ICMP type 3 denying traffic, then you permit ICMP type 3 traffic in other rules, but the actual type you receive on the firewall is type 8 (ICMP echo request). So what ends up happening, as with any kind of ACL, is that there is no rule allowing that traffic, which ends up dropping everything on the implicit deny rule that exists.
Try creating an ICMP rule with type 8 (echo requests) allowing some hosts and test if those hosts can ping again.
Best regards!
11-04-2023 09:18 AM
Use FlexConfig to deny ICMP toward the FTD interface (not ICMP bypassing the FTD).
Thanks A Lot
MHM
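As an added illustration that is not from any post in this thread: the ordered rule set the replies above describe, written as the ASA-style `icmp` commands FTD uses to control ICMP addressed to its own interfaces (the same list Platform Settings > ICMP Access builds, or that FlexConfig can push). The host addresses and the interface name `outside` are placeholders.

```cisco
! Added example: restrict ICMP sent *to* the FTD's own outside interface.
! The list is evaluated top-down, first match wins, and a packet that
! matches no entry hits the implicit deny, so the permits must come first.
!
! Permit echo request (ICMP type 8) only from the monitoring hosts.
! 192.0.2.10 and 192.0.2.11 are constructed placeholder addresses.
icmp permit host 192.0.2.10 echo outside
icmp permit host 192.0.2.11 echo outside
!
! Deny every other ICMP type from every other source on "outside".
icmp deny any outside
!
! Pitfall seen in this thread: a deny/permit pair on type 3 (unreachable)
! never matches an inbound ping, which is type 8, so the ping is dropped
! by the implicit deny regardless of the permit entry.
!
! Check the resulting order in the running configuration.
show running-config icmp
```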