https://live.paloaltonetworks.com/t5/general-topics/support-on-pa-for-unix-syle-tracerouts/m-p/10485#M7718 <HTML><HEAD></HEAD><BODY><P>As the last response to this was in Dec 2010, are there any plans to support traceroute on unix with an App-ID anytime soon?</P></BODY></HTML> Thu, 20 Oct 2011 20:13:28 GMT msnazel 2011-10-20T20:13:28Z https://live.paloaltonetworks.com/t5/general-topics/support-on-pa-for-unix-syle-tracerouts/m-p/10483#M7716 <HTML><HEAD></HEAD><BODY><P><SPAN style="color: #000000; font-size: 12pt; font-family: Calibri; ">Does PA support unix-style tracerouts. I have enabled ICMP and PING, but tracerouts from unix hosts through palo alto are still being denied. Looking at this a little bit further, we noticed that windows-style tracerouts use ICPMP echo requests and rely on ICMP destination unreachables ,messages, but unix-style tracerouts send UDP packets with higher end ports, and rely on ICMP port unreachanbel messages.</SPAN></P></BODY></HTML> Fri, 17 Dec 2010 15:04:51 GMT https://live.paloaltonetworks.com/t5/general-topics/support-on-pa-for-unix-syle-tracerouts/m-p/10483#M7716 bbivolaku 2010-12-17T15:04:51Z https://live.paloaltonetworks.com/t5/general-topics/support-on-pa-for-unix-syle-tracerouts/m-p/10484#M7717 <HTML><HEAD></HEAD><BODY><P>Hi there,</P><P></P><P>The firewall can allow both ICMP and UDP traceroutes through.&nbsp; For Windows traceroute you would need to allow the 'ping' application.&nbsp; For Unix traceroute your outbound policy will need to be a bit more relaxed since there is no specific traceroute App-ID yet.&nbsp; When I allow all traffic through the firewall, Unix UDP traceroutes show up as "insufficient-data" in the logs.</P><P></P><P>You could manually allow Unix traceroute by configuring a Security Policy to allow UDP ports 33434 to 33534.</P><P></P><P>By default, the firewall will respond with the ICMP TTL Expired message for traceroute.&nbsp; You can suppress these messages with a Zone Protection profile.</P><P></P><P>Cheers,</P><P></P><P>Kelly</P></BODY></HTML> Fri, 17 Dec 2010 17:09:46 GMT https://live.paloaltonetworks.com/t5/general-topics/support-on-pa-for-unix-syle-tracerouts/m-p/10484#M7717 kbrazil 2010-12-17T17:09:46Z https://live.paloaltonetworks.com/t5/general-topics/support-on-pa-for-unix-syle-tracerouts/m-p/10485#M7718 <HTML><HEAD></HEAD><BODY><P>As the last response to this was in Dec 2010, are there any plans to support traceroute on unix with an App-ID anytime soon?</P></BODY></HTML> Thu, 20 Oct 2011 20:13:28 GMT https://live.paloaltonetworks.com/t5/general-topics/support-on-pa-for-unix-syle-tracerouts/m-p/10485#M7718 msnazel 2011-10-20T20:13:28Z https://live.paloaltonetworks.com/t5/general-topics/support-on-pa-for-unix-syle-tracerouts/m-p/10486#M7719 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I believe there will be a separate App-ID for traceroute including UDP. Please defer to your Sales SE to determine ETA/Roadmap.</P><P></P><P>Regards,</P><P>Renato</P></BODY></HTML> Sat, 22 Oct 2011 05:47:30 GMT https://live.paloaltonetworks.com/t5/general-topics/support-on-pa-for-unix-syle-tracerouts/m-p/10486#M7719 gswcowboy 2011-10-22T05:47:30Z