Support on PA for UNIX-Style traceroutes


Does PA support unix-style traceroutes? I have enabled ICMP and PING, but traceroutes from unix hosts through palo alto are still being denied. Looking at this a little bit further, we noticed that windows-style traceroutes use ICMP echo requests and rely on ICMP destination unreachable messages, but unix-style traceroutes send UDP packets with higher end ports, and rely on ICMP port unreachable messages.


Accepted Solutions

L4 Transporter

Hi there,

The firewall can allow both ICMP and UDP traceroutes through.  For Windows traceroute you would need to allow the 'ping' application.  For Unix traceroute your outbound policy will need to be a bit more relaxed since there is no specific traceroute App-ID yet.  When I allow all traffic through the firewall, Unix UDP traceroutes show up as "insufficient-data" in the logs.

You could manually allow Unix traceroute by configuring a Security Policy to allow UDP ports 33434 to 33534.

By default, the firewall will respond with the ICMP TTL Expired message for traceroute.  You can suppress these messages with a Zone Protection profile.

Cheers,

Kelly

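As an added illustration of the rulebase Kelly describes (example code written for this page, not the firewall's own configuration or anything posted in the thread): a small Python model of a two-rule policy, with a stand-in for the 'ping' App-ID and the UDP 33434-33534 range, plus a check that the range admits every probe of a default 30-hop, 3-query run. It assumes the classic traceroute behaviour of one destination port per probe starting at 33434; flow values are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed flow records (sample values for this example, not from the thread).
@dataclass(frozen=True)
class Flow:
    proto: str                       # "icmp", "udp" or "tcp"
    dst_port: Optional[int] = None   # UDP/TCP destination port
    icmp_type: Optional[int] = None  # ICMP type; 8 is echo request

# Port range from the accepted answer, inclusive of both ends.
UNIX_TRACEROUTE_PORTS = range(33434, 33535)

def is_ping(flow: Flow) -> bool:
    """Stand-in for the 'ping' App-ID: ICMP echo requests (Windows tracert)."""
    return flow.proto == "icmp" and flow.icmp_type == 8

def is_unix_traceroute(flow: Flow) -> bool:
    """UDP probes to the high port range used by classic Unix traceroute."""
    return flow.proto == "udp" and flow.dst_port in UNIX_TRACEROUTE_PORTS

# Ordered rulebase: first matching rule wins, everything else is denied.
RULES: list[tuple[str, Callable[[Flow], bool]]] = [
    ("allow-ping", is_ping),
    ("allow-unix-traceroute", is_unix_traceroute),
]

def evaluate(flow: Flow) -> str:
    """Return the name of the first rule matching the flow, or 'deny'."""
    for name, pred in RULES:
        if pred(flow):
            return name
    return "deny"

def traceroute_probe_ports(base: int = 33434, max_hops: int = 30, nqueries: int = 3) -> list[int]:
    """Ports of a UDP traceroute run, assuming one port per probe from base (assumption)."""
    return [base + i for i in range(max_hops * nqueries)]

def range_covers_default_run() -> bool:
    """Does the 33434-33534 rule admit every probe of a default 30-hop, 3-query run?"""
    return all(p in UNIX_TRACEROUTE_PORTS for p in traceroute_probe_ports())

if __name__ == "__main__":
    samples = {
        "windows tracert probe": Flow("icmp", icmp_type=8),
        "unix traceroute probe": Flow("udp", dst_port=33440),
        "port just past the range": Flow("udp", dst_port=33535),
    }
    for label, flow in samples.items():
        print(f"{label:26} -> {evaluate(flow)}")
    print("range covers default run:", range_covers_default_run())
```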

3 REPLIES

As the last response to this was in Dec 2010, are there any plans to support traceroute on unix with an App-ID anytime soon?

Hi,

I believe there will be a separate App-ID for traceroute including UDP. Please defer to your Sales SE to determine ETA/Roadmap.

Regards,

Renato
