Our security geeks want to know if I can turn off ICMP on our outside interface. They don't want any outsiders to hit us with a ping sweep or ping attack.
BTW, I am an "infrastructure" geek ;-)
In order to protect the concentrator from a DoS attack, the concentrator should be deployed behind a firewall with NAT as well as an ACL permitting only the required protocols and ports, e.g. UDP 500.
The firewall should be capable of securing the concentrator from DoS attacks etc. It's probably too late to stop the attack once it hits the concentrator.
Under Configuration > Interfaces > Public Interface, a filter is assigned to this interface. You can configure this filter for your needs.
Under Configuration > Policy Management > Traffic Management > Filters you can assign rules to the filter for the public interface. Here you can remove the ICMP rule from the filter's current rules to disallow ICMP.
Hope that helps, and best regards.
As IPsec does PMTUD for all packets, it is important that ICMP "unreachable" (Type 3) messages are able to reach the concentrator.
I would suggest allowing this as well as ICMP "time exceeded" messages (Type 11) rather than blocking ICMP entirely.
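Added example, not code from the thread or from Cisco: a small Python filter that applies the policy suggested above, dropping echo traffic while permitting ICMP Types 3 and 11, and showing why Type 3 matters by reading the next-hop MTU out of a Fragmentation Needed message. The sample messages are constructed for the demonstration.

```python
import struct

# Policy from the thread: drop echo (ping sweeps), keep the ICMP types PMTUD relies on.
ALLOWED_TYPES = {3: "destination unreachable", 11: "time exceeded"}
ECHO_REQUEST, ECHO_REPLY = 8, 0

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def classify_icmp(msg: bytes) -> dict:
    """Parse the 8-byte ICMP header and return the filter verdict for this message."""
    if len(msg) < 8:
        return {"verdict": "drop", "reason": "truncated header"}
    icmp_type, code, _chksum = struct.unpack("!BBH", msg[:4])
    # A message with a valid checksum field sums to zero under the same algorithm.
    if icmp_checksum(msg) != 0:
        return {"verdict": "drop", "reason": "bad checksum"}
    result = {"type": icmp_type, "code": code}
    if icmp_type in ALLOWED_TYPES:
        result.update(verdict="permit", reason=ALLOWED_TYPES[icmp_type])
        if icmp_type == 3 and code == 4:
            # Fragmentation Needed carries the next-hop MTU in bytes 6-7 (RFC 1191);
            # this is the value PMTUD uses to shrink the IPsec packet size.
            result["next_hop_mtu"] = struct.unpack("!H", msg[6:8])[0]
    elif icmp_type in (ECHO_REQUEST, ECHO_REPLY):
        result.update(verdict="drop", reason="echo blocked on public interface")
    else:
        result.update(verdict="drop", reason="type not permitted")
    return result

def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Build an ICMP message with a correct checksum (only used for the constructed samples)."""
    hdr = struct.pack("!BBH", icmp_type, code, 0) + rest
    chk = icmp_checksum(hdr + payload)
    return struct.pack("!BBH", icmp_type, code, chk) + rest + payload

# Constructed samples: an echo request (ping) and a Fragmentation Needed message
# advertising a 1400-byte next-hop MTU, followed by a dummy quoted IP header.
PING = build_icmp(8, 0, b"\x12\x34\x00\x01")
FRAG_NEEDED = build_icmp(3, 4, b"\x00\x00" + struct.pack("!H", 1400), b"\x45" * 28)
```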