A new FTD device is not like the new ASA was….
There are differences between a brand new shiny powerful FTD box and what we're used to with the ASAs we've been installing since 2005.
When you installed an ASA, some default configuration provided security out of the box: add your IPs and security levels to the interfaces and you had some basic security. The default global policy inspected a set of common protocols, and the security levels controlled which direction traffic could flow between interfaces. ICMP inspection was off by default, so echo replies did not automatically flow back through the box unless you enabled the inspection or permitted them with an ACL.
With FTD, none of this is pre-configured, and the FTD interfaces themselves answer ICMP from anyone, which means pings to the Outside interface are wide open.
The minimum fix is an ICMP Platform Setting that denies ICMP type 8 (Echo Request) on the Outside interface. Note that these Platform Settings govern only ICMP terminating on the FTD's own interfaces (to-the-box traffic); ICMP passing through the box is controlled by the access control policy. Here is how you do that:
3. Create the Deny rule first, because rules are matched in order. Go to Objects > Ports, or choose the green + to create the object from the ICMP page; either way works. On the port object page, choose ICMP and Type 8 (Echo Request, which is what a ping sends), then press Save.
5. You cannot have only a Deny rule in this policy. It works like an ACL: once any ICMP rule exists on an interface, anything not explicitly matched is dropped by an implicit deny, so a lone Deny rule would also block the other ICMP types (for example Unreachable and Time Exceeded, which path MTU discovery and traceroute depend on). On the ICMP main page, click Add and create a Permit rule with a new object that allows all ICMP. Pretty simple, just choose ICMP and then Save, and make sure the Permit rule sits after the Deny rule.
Before you deploy, test that you can ping the Outside interface. Then deploy and test again – now you shouldn’t be able to ping the interface.
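As an added example (not from the original post), here is what the two rules look like in the ASA-style configuration that FMC pushes to the FTD, and how to confirm from the device CLI that they landed in the right order. The interface name Outside is assumed to match the interface used in the steps above; CLI prompts will vary with your hostname.

```text
! Added example, not from the original post. FMC's ICMP Platform Settings are
! deployed to the FTD as ASA-style "icmp" commands. The interface name
! "Outside" is assumed to match the interface configured in the steps above.

! Default (weak) state: no icmp rules at all, so every interface, including
! Outside, answers every ICMP type, Echo Request (type 8) included.

! Corrected state: evaluation is first-match with an implicit deny-all once any
! rule exists on the interface, so the deny must come before the permit.
icmp deny any echo Outside
icmp permit any Outside

! Verify after deployment from the FTD CLI. The diagnostic CLI exposes the
! ASA-style running configuration (prompt shown is assumed):
!   > system support diagnostic-cli
!   firepower# show running-config icmp
! Expected output, in this order:
!   icmp deny any echo Outside
!   icmp permit any Outside
```

If the second line were missing, the implicit deny would also drop Unreachable and Time Exceeded messages addressed to the interface, so keep the Permit rule even though the goal is only to stop pings.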