10-11-2019 11:45 PM - edited 02-21-2020 09:35 AM
10-12-2019 04:41 AM
Try removing the "icmp..." line and putting that in a separate FlexConfig object.
Also make sure you've typed in the line manually and not pasted it from an external text editor.
It works fine on my FMC (currently running 6.5.0 but this config has been in place since 6.1.x):
10-12-2019 05:54 AM
Hi,
The flexconfig method certainly worked before on older versions of FTD, but I've recently deployed FTD 6.4 and I received the same error "error - unsupported CLI" as you do.
This Cisco documentation provides the new method to configure. You will need to define an extended ACL, then define a "Threat Defense Service Rule" under the Access Control Policy > Advanced settings.
ACL
Threat Defense Service Policy
Once configured, the output on the CLI is the same syntax as before; I assume Cisco has just removed the ability to configure via Flexconfig in newer versions.
HTH
10-12-2019 07:51 PM
Good catch @Rob Ingram!
It looks like upgraded FMC carries forward the old syntax but new installations require you to use the new method. That's confusing to say the least.
10-13-2019 06:46 AM
Thank you for your answer
But the problem still exists
marvin, RJI
I did all that you said, but when I write the word (connection), the problem is correct
10-13-2019 12:28 PM
Hi,
I think you did not read my comment properly, you cannot configure this command using Flexconfig on newer versions of FTD.
As per the Cisco guide here, you need to define an Extended ACL and modify the Threat Defense Service Policy to reference the ACL and then tick the box to "Enable Decrement TTL". See the screenshots I previously provided.
HTH