When you ping something you' re sending an ICMP echo packet to the target, which responds. When you use trace route, you' re also sending an ICMP echo packet except this time you' re using varying TTLs until you finally reach the target. Both methods use ICMP echo packets. There is no special " traceroute request" that can be dropped. If you' ve disabled ICMP Echo (PING) to the FGT, then you are dropping the traceroute requests. When you run tracert again, you will find that the FGT will not answer. It will appear as " *" . But, tracert is still going to list the box as being there because the box is still routing traffic. It won' t be invisible in the way you' re talking about unless you put the box into Transparent mode. Then yes, you will loose some services since the box will be essentially a very feature-rich switching device versus being a gateway device. Check here for a Microsoft description of tracert: http://support.microsoft.com/default.aspx?scid=kb;en-us;217014

Hmmm... UDP, eh? Ok... I was able to dig up a " man" page on traceroute from somewhere. It does seem to use a UDP datagram versus an ICMP Echo like Windows uses. I didn' t know that. My explanation above was for the Windows tracert command. The only way I can think of doing what you want is to take a look under the IPS Signatures, specifically under ICMP. You can also try setting up a custom service to block this UDP packet explicitly or an ICMP service to block the response. Other than that, I' m not sure. It' s too bad that the FGT responds at all. There should be an option for the FGT to simply drop those. Good luck!