On Windows host, tracert the external ip address through firewall. Ip of firewall is hidden for host.
Use the command “ip ttl-expires enable” to make USG reply a timeout packets to ICMP packet whose ttl is 0. In this way, Windows host would display the ip address of firewall.
When device received an ICMP packet whose ttl is 0, it would reply an ICMP packets whose ttl is timeout. So the Windows host would display the ip address of device. But USG would drop the ICMP packet whose ttl is 0 in the default setting, so ip of firewall is hidden for pc.