I have a new set of Firepower 2130 appliances and a Management Center 1000. One of the differences between the 5525x and the Firepower is that some users can run traceroute, tracert or mtr and get useful information. Other users cannot get past their gateway. This worked correctly on the ASA 5525x but when the consultant did the conversion to the Firepower rules some weird stuff happened.
Where is traceroute, etal set up? I know the process uses ICMP and/or UDP but just allowing those outbound has not cured the problem. Is there some inspection rule I need to create?
I am also interested in this as we might migrate this year.
I've only had it a few days but, so far, I am unimpressed. Even a simple change like blacklisting the IP of a CNC server requires redeploying the entire policy. That takes five to ten minutes. Don't get me started on the HTML 5 interface.
What was Cisco thinking?
Meantime can you share your current traceroute "config ". I am having some issues to make it work on my current ASAs.
As I recall, on the ASA I first had to create an object list for the icmp types I wanted to accept from outside:
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...