We have a couple of Cisco firepower firewalls inside our network, protecting certain circuits that arrive from buildings we don’t control
One of the many major annoyances with them is their invisibility to traceroute. Paul Stewart’s blog post about enabling them (forcing them to decrement the TTL as packets travel through them) seems just what the doctor ordered: https://packetu.com/2018/08/12/traceroute-through-firepower-threat-defense/
Sadly our firepower management server has other opinions on the matter
While perusing some of the many, many, posts of complaint about Firepowers, I came across a similar problem with http redirects. It seems that the cisco firepower gui blacklists certain commands, but the workaround of using htt redirect outside 80 ratner than http redirect outside 80 was mentioned.
Brilliant. Sure enough adding the flexconfng command of
policy-map global_policy class class-default set connectio decrement-ttl
Does the same job, but avoids the GUI blocking the “set connection” line.
There are many problems with these terrible devices, but at least now my traceroutes are working.