Traceroute dropped by the firewall due to specific Zone Protection settings

Traceroute dropped by the firewall due to specific Zone Protection settings

50859
Created On 09/25/18 19:50 PM - Last Modified 06/14/23 06:24 AM


Symptom


Symptoms

 

This article discusses the issue of traceroute being dropped by the firewall due to application of a 'Zone Protection' profile with specific options.

 

  •  Traceroute failing to show any hops between the source and destination except the destination,
      the firewall and the hops preceeding the firewall:

           TR drop.png

         

 

  •  Traffic for concerned source and destination hosts can be seen as 'ping' and 'traceroute' in the traffic logs with action as 'allow.'

 

Diagnosis

 

  •  The behaviour of hops timing out is seen because the firewall is dropping the 'TTL exceeded in Transit' message (Type:11, Code:0) from these hops.

 

  • The option configured under Zone Protection profile which is applied on the Untrust Zone is 'Discard ICMP embedded with error message,' therefore the behaviour is expected. This can be seen under the following hierarchy:

    Network > Zone Protection Profile > Packet Based Attack Protection > ICMP Drop > Discard ICMP embedded with error message

 

  • The packet drops can be seen in global counters as: Packets dropped: Zone protection option 'discard-icmp-error'

         GC2.png


Note that 27 packets are being dropped, 3 packets per 9 hops.

Resolution


 

Allow ICMP error packets so the source receives them to populate the intermediate hops. Uncheck the option 'Discard ICMP embedded with error message' under the Zone Protection Profile:

 

 option unchecked.png
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClfsCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language