01-31-2019 06:53 AM - edited 02-21-2020 08:44 AM
I am trying to get traceroute to work from my internal network to the Internet through an FTD2110 managed by FMC running 6.2.3 code.
I created an access policy allowing ICMP type 3 and 11 from the outside to the inside. I added ICMP permit statements in the Platform Settings for the device (3 and 11 on the outside interface to any-ipv4).
I also added the FlexConfig statement to decrement the TTL.
But this still isn't working. Is this a bug? Unsupported?
05-31-2024 04:26 AM
icmp permit any time-exceeded <your outside interface name>
icmp permit any unreachable <your outside interface name>
How did you enable this in FDM? I can't find it.
05-31-2024 08:56 AM
This can be done in FDM using a Flexconfig object and policy:
10-08-2025 04:22 AM
That error in FMC
10-08-2025 06:46 AM
@sherali mamatkarimov FMC has included the feature to decrement TTL in the GUI natively since several releases ago. (My post mentioning using flexconfig for FMC was from 2019.) See Advanced Settings for your Access Control Policy and look under Threat Defense Service Policy. You add the ICMP rate limit and burst size settings in the platform policy.