https://live.paloaltonetworks.com/t5/general-topics/traceroute-application-allows-tcp-port-80/m-p/29397#M21466 <HTML><HEAD></HEAD><BODY><P>Hello, I hope port 80 is added to allow web based traceroute e.g. <A href="http://centralops.net/co/" title="http://centralops.net/co/">Free online network tools - traceroute, nslookup, dig, whois lookup, ping - IPv6</A></P><P>Setting up security rule with service as 'application-default' should restrict allowed traffic with signature+port match only.</P></BODY></HTML> Wed, 30 Oct 2013 02:01:54 GMT ukhapre 2013-10-30T02:01:54Z https://live.paloaltonetworks.com/t5/general-topics/traceroute-application-allows-tcp-port-80/m-p/29396#M21465 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Received a call from a client said their external scanner shows their servers behind the firewall allows tcp port 80 connections and able to passive finger those servers, but there is no firewall rule permit tcp port 80 to those servers.&nbsp; Digging it deeper, found one of the rule allows traceroute application with application default which allows icmp/dynamic, tcp/80, udp 33434-33534.&nbsp; </P><P><IMG __jive_id="9490" alt="Screen Shot 2013-10-28 at 5.48.47 PM.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/9490_Screen Shot 2013-10-28 at 5.48.47 PM.png" /></P><P>I can understand icmp/dynamic and udp 33343-33534 portion, but why allow tcp port 80??</P><P></P><P>The interesting parts are,</P><P></P><P>1.&nbsp; You can't use the traceroute as application and define your own services, since services in 5.0 does not support icmp.</P><P>2.&nbsp; In most *nix system, you can customize traceroute to use any tcp/udp ports for probe, but why only permit tcp port 80?&nbsp; Why not all tcp ports and udp ports?</P><P></P><P>How are other client dealing with this issue?&nbsp; What other applications have this similar issues that we have not discovery?</P><P></P><P>Thanks,</P><P></P><P>E</P></BODY></HTML> Tue, 29 Oct 2013 00:59:42 GMT https://live.paloaltonetworks.com/t5/general-topics/traceroute-application-allows-tcp-port-80/m-p/29396#M21465 nextgenhappines 2013-10-29T00:59:42Z https://live.paloaltonetworks.com/t5/general-topics/traceroute-application-allows-tcp-port-80/m-p/29397#M21466 <HTML><HEAD></HEAD><BODY><P>Hello, I hope port 80 is added to allow web based traceroute e.g. <A href="http://centralops.net/co/" title="http://centralops.net/co/">Free online network tools - traceroute, nslookup, dig, whois lookup, ping - IPv6</A></P><P>Setting up security rule with service as 'application-default' should restrict allowed traffic with signature+port match only.</P></BODY></HTML> Wed, 30 Oct 2013 02:01:54 GMT https://live.paloaltonetworks.com/t5/general-topics/traceroute-application-allows-tcp-port-80/m-p/29397#M21466 ukhapre 2013-10-30T02:01:54Z https://live.paloaltonetworks.com/t5/general-topics/traceroute-application-allows-tcp-port-80/m-p/29398#M21467 <HTML><HEAD></HEAD><BODY><P>tcptraceroute is sometimes used when icmp and udp is blocked.</P><P>Port 80 is open is most environments</P><P></P><P><A href="http://www.catonmat.net/blog/tcp-traceroute/" title="http://www.catonmat.net/blog/tcp-traceroute/">http://www.catonmat.net/blog/tcp-traceroute/</A></P><P></P><P>The Programm tcptraceroute uses TCP/80 as well</P><P></P><P><A href="http://www.irongeek.com/i.php?page=backtrack-3-man/tcptraceroute" title="http://www.irongeek.com/i.php?page=backtrack-3-man/tcptraceroute">Manual Page - tcptraceroute(1)</A></P><P></P><P></P><P>Regards</P><P>Marco</P></BODY></HTML> Wed, 30 Oct 2013 14:00:12 GMT https://live.paloaltonetworks.com/t5/general-topics/traceroute-application-allows-tcp-port-80/m-p/29398#M21467 ExclusiveNetworksGermany 2013-10-30T14:00:12Z https://live.paloaltonetworks.com/t5/general-topics/traceroute-application-allows-tcp-port-80/m-p/29399#M21468 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"> <P>ukhapre wrote:</P> <P></P> <P>Hello, I hope port 80 is added to allow web based traceroute e.g. <A class="jive-link-external-small" href="http://centralops.net/co/" rel="noreferrer">Free online network tools - traceroute, nslookup, dig, whois lookup, ping - IPv6</A></P> <P>Setting up security rule with service as 'application-default' should restrict allowed traffic with signature+port match only.</P> </PRE><P>Just keep this in mind, the first 8 packets will get pass the firewall until App-ID able identify the application,&nbsp; that is plenty to perform passive finger printing to servers behind the firewall which may have tcp port 80 listen but you don't want the world to be able to probe it..</P></BODY></HTML> Wed, 30 Oct 2013 15:05:22 GMT https://live.paloaltonetworks.com/t5/general-topics/traceroute-application-allows-tcp-port-80/m-p/29399#M21468 nextgenhappines 2013-10-30T15:05:22Z https://live.paloaltonetworks.com/t5/general-topics/traceroute-application-allows-tcp-port-80/m-p/29400#M21469 <HTML><HEAD></HEAD><BODY><P>But why limit to only TCP 80?&nbsp; Why not TCP 443 or any tcp port?&nbsp;&nbsp; Since PAN firewall only support TCP or UDP as service,&nbsp; you can't specific the service with the application.&nbsp; The only way to lock it down is to use application default.&nbsp; </P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"> <P>ExclusiveNetworksGermany wrote:</P> <P></P> <P>tcptraceroute is sometimes used when icmp and udp is blocked.</P> <P>Port 80 is open is most environments</P> <P></P> <P><A class="jive-link-external-small" href="http://www.catonmat.net/blog/tcp-traceroute/">http://www.catonmat.net/blog/tcp-traceroute/</A></P> <P></P> <P>The Programm tcptraceroute uses TCP/80 as well</P> <P></P> <P><A class="jive-link-external-small" href="http://www.irongeek.com/i.php?page=backtrack-3-man/tcptraceroute">Manual Page - tcptraceroute(1)</A></P> <P></P> <P></P> <P>Regards</P> <P>Marco</P> </PRE></BODY></HTML> Wed, 30 Oct 2013 15:07:41 GMT https://live.paloaltonetworks.com/t5/general-topics/traceroute-application-allows-tcp-port-80/m-p/29400#M21469 nextgenhappines 2013-10-30T15:07:41Z https://live.paloaltonetworks.com/t5/general-topics/traceroute-application-allows-tcp-port-80/m-p/525353#M108645 <P>Hi&nbsp;</P> <P>&nbsp;</P> <P>I know this is an old post, but I found it as I have some odd traffic coming from an Android device, this was traceroute to the internet on port 80.</P> <P>A few apps were not working and the inclusion of this in the rule did help to fix one of them, just wanted to add that I found this article from Palo on the subject</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClrNCAS" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClrNCAS</A></P> <P>&nbsp;</P> Wed, 28 Dec 2022 10:51:24 GMT https://live.paloaltonetworks.com/t5/general-topics/traceroute-application-allows-tcp-port-80/m-p/525353#M108645 laurence64 2022-12-28T10:51:24Z