My windows computer instances are connected to my FTD instances interfaces but cannot ping the FTD interface IP addresses. The windows computers are on the same subnet as my FTD instance.

1

I have two windows computer instances, one setup on the outside subnet and one setup on the inside subnet of my VPC network. I set up my FTD instance on the same VPC as the windows computers and on the same outside subnet and inside subnet. The outside subnet is 10.100.3.0/24, and the inside subnet is 10.100.2.0/24.

The windows computers cannot ping the interfaces on the FTD instance. I wanted to use the windows computer connected to the inside subnet as a reference to confirm access control policy rules are working and allowing or blocking traffic as per the assigned ACP rules applied to the FTD and the inside computer. Why is the inside computer not able to ping the FTD inside interface? It seems the inside computer is not on the same subnet. Can anyone help, thank you.

  • Have you been able to resolve your issue? If so, would you select an answer that matched your issue to close out the thread?

TDrakes
asked 7 months ago · 274 views
2 Answers
0

I have to blur out a portion of it out, but do you see the rule I'm adding includes the SG itself as the source of traffic instead of a CIDR range?

(screenshot of the inbound rule not reproduced)

This means that anything that has this SG connected to it can talk to anything else that has this same SG attached.

AWS
LondonX
answered 7 months ago
  • Hello LondonX, I am not sure if the only rule in the security group inbound rules should be the example rule you posted. I do not want to lose connection to instances. I added the rule you posted referencing my instance security group. Now I have two rules in my security group and I still cannot ping from my inside Windows server on the same subnet as the FTD interface. Windows server cannot ping FTD interface, both devices are on the same subnet. Note: the Windows server mgmt IP can ping the FTD mgmt interface. Should I only have the rule referencing the security group in the inbound rule?

  • Security groups can only contain allow statements, so there's no way for them to conflict with each other. You can leave both statements. Did you attach the same SG for both the inside windows server and FTD, or are they different SGs? Perhaps you could post a screenshot.

  • Screenshot not pasting. Both Windows inside server and FTD are using the same security group. My security group is shown below:

    – sgr-0 IPv4 All traffic All All 0.0.0.0/0 Test_Network_Security_Group_Rule1

    – sgr-0 – All traffic All All sg-0ebc / test_network_security_group Test_Network_Security_Group_Rule2

  • Your SG configuration looks to be intact. The possible reasons for connectivity issues would go as follows (not in any particular order):

    • FTD interfaces were placed in different subnets than your windows instances (by accident no doubt) and you could be using non default NACLs in those subnets which require you to specify communications in both directions (otherwise all traffic is dropped): PING and REPLY. NACLs affect communications between subnets but not within the same subnet.
    • FTD is not configured correctly, either not configured to reply to ICMP, the interface is turned off somehow inside the appliance or the instance itself is shutdown.
    • Unlikely, but perhaps your Windows firewall is dropping the reply. May want to check on that.
  • Ran packet-tracer on the inside interface, found a NACL dropping icmp reply packets by configured implicit deny. Put in allow all before the implicit deny, icmp reply is still blocked. Config:

        Implicit Rule
        Forward Flow based lookup yields rule:
        in id=0x14c465f53430, priority=501, domain=permit, deny=true
        hits=54, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=10.100.2.50, mask=255.255.255.255, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any,, dscp=0x0, nsg_id=none
        input_ifc=TEST-NETWORK_INSIDE(vrfid:0), output_ifc=any

0

One of two things:

  1. FTD is not configured to respond to ping.
  2. Security group on the FTD network interfaces does not permit incoming ICMP.

If you have the windows server and the FTD interfaces in the same security group, the security group must reference itself in order to permit traffic between members of the SG.

AWS
LondonX
answered 7 months ago
  • LondonX, the FTD and windows servers are configured to allow all inbound and outbound traffic from the security group temporarily and when my setup starts working I will filter the access. I do not understand the statement about the security group must reference itself in order to permit traffic between members of the Security Group. Can you provide an example on how to config this security group traffic between SG members?

  • LondonX, I set all traffic to allow all on my security group and NACL and AWS still has an ACL on the FTD interface that I do not have access to, to allow all traffic before the implicit deny. I will continue without a reference PC to confirm if ACP applied rules are being applied and affecting the PC. Thank you for your help, but nothing is working.
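Both answers turn on the same point: a security group is a pure allow-list, and traffic between two instances that share one SG is only admitted if some inbound rule covers the sender, either by CIDR or by a rule whose source is the SG itself. The small evaluator below is an added example (not code from the thread, AWS, or Cisco) that models that evaluation over rule objects in the shape returned by `aws ec2 describe-security-groups`. The group id, the rule sets and the source addresses are constructed; the thread's real group id is redacted, so a placeholder is used. It shows that the asker's two rules (0.0.0.0/0 plus a self-reference) admit the ping at the SG layer, that the self-reference alone admits it only between members of that SG, and that a narrower ICMP-from-inside-subnet rule is the least-privilege version once the lab works.

```python
import ipaddress

# Placeholder group id (the thread redacts the real one).
SG_ID = "sg-0ebcPLACEHOLDER"

# Constructed rules in the IpPermissions shape of `describe-security-groups`.
OPEN_RULE = {                       # "All traffic from 0.0.0.0/0"
    "IpProtocol": "-1",             # -1 = every protocol and port
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
    "UserIdGroupPairs": [],
}
SELF_REF_RULE = {                   # "All traffic from this same SG"
    "IpProtocol": "-1",
    "IpRanges": [],
    "UserIdGroupPairs": [{"GroupId": SG_ID}],
}
ICMP_FROM_INSIDE = {                # least-privilege: only ICMP, only inside subnet
    "IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,   # -1/-1 = all ICMP types
    "IpRanges": [{"CidrIp": "10.100.2.0/24"}],
    "UserIdGroupPairs": [],
}


def make_sg(rules):
    """Build a security-group record with the given inbound rules."""
    return {"GroupId": SG_ID,
            "GroupName": "test_network_security_group",
            "IpPermissions": list(rules)}


def _protocol_matches(rule, proto, port):
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] != proto:
        return False
    if proto == "icmp":
        return True                 # ICMP type/code matching is not modelled here
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return port is not None and lo <= port <= hi


def matching_rules(sg, proto, src_ip, src_sgs=(), port=None):
    """Inbound rules of `sg` that admit a flow with proto/port from a sender
    at src_ip whose network interface has the security groups `src_sgs`."""
    src = ipaddress.ip_address(src_ip)
    hits = []
    for rule in sg["IpPermissions"]:
        if not _protocol_matches(rule, proto, port):
            continue
        by_cidr = any(src in ipaddress.ip_network(r["CidrIp"])
                      for r in rule.get("IpRanges", []))
        by_group = any(p["GroupId"] in src_sgs
                       for p in rule.get("UserIdGroupPairs", []))
        if by_cidr or by_group:
            hits.append(rule)
    return hits


def ingress_allowed(sg, proto, src_ip, src_sgs=(), port=None):
    """SGs hold only allow statements, so one matching rule is enough and
    extra rules never conflict; returns True when any rule admits the flow."""
    return bool(matching_rules(sg, proto, src_ip, src_sgs, port))


def self_references(sg):
    """True if some inbound rule names the SG itself as its source."""
    return any(p["GroupId"] == sg["GroupId"]
               for rule in sg["IpPermissions"]
               for p in rule.get("UserIdGroupPairs", []))


if __name__ == "__main__":
    lab = make_sg([OPEN_RULE, SELF_REF_RULE])          # the asker's configuration
    print("lab SG references itself:", self_references(lab))
    print("ICMP from inside host admitted:",
          ingress_allowed(lab, "icmp", "10.100.2.50", {SG_ID}))
    tight = make_sg([ICMP_FROM_INSIDE])
    print("tight SG, ICMP from outside subnet admitted:",
          ingress_allowed(tight, "icmp", "10.100.3.10"))
```

If the lab SG admits the flow here and the ping still fails, the SG layer is not the cause and the remaining candidates in the thread (subnet NACLs, the FTD's own ICMP handling and interface state, the Windows firewall) are where to look next; `ingress_allowed` returning False for the real rule set is the only case the self-reference advice fixes.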
