How to hide Palo Alto Networks firewall from trace route
Symptom
Resolution
Hiding an interface from trace results
Traceroute works by sending packets with incrementally increasing TTL values, starting with TTL 1.
The first L3 device receiving the packet decrements the TTL and drops the packet, because the TTL now has a value of 0. At the same time, the L3 device sends an ICMP Time Exceeded message back to the sender, and it is this reply that discloses the hop.
When the source receives the Time Exceeded message, it increases the TTL value by one and repeats the process until it receives a destination port unreachable message from the final destination.
So, in order to hide an interface from trace results, we have to stop that interface from sending ICMP Time Exceeded messages, which can be done by using a zone protection profile.
Case 1: Trace results when no zone protection profile is configured
Doing a trace route to a Google DNS server from an internal host, you will observe Palo Alto Networks firewall as a first hop.
C:\Users\Administrator>tracert -d 8.8.8.8
Tracing route to 8.8.8.8 over a maximum of 30 hops
1 1 ms <1 ms <1 ms 10.50.240.73 <<< Palo Alto Networks firewall inside interface >>> Also the gateway for inside users
2 1 ms 1 ms 1 ms 10.50.241.75
3 5 ms 4 ms 3 ms 103.245.157.17
4 10 ms 4 ms 14 ms 103.245.157.177
5 6 ms 31 ms 5 ms 182.74.212.225
6 268 ms 27 ms 129 ms 182.79.243.26
7 27 ms 5 ms 11 ms 72.14.242.178
8 6 ms 13 ms 14 ms 72.14.236.57
9 14 ms 6 ms 5 ms 66.249.94.189
10 * 17 ms 22 ms 8.8.8.8
Trace complete.
Note: An interface management profile applies only to traffic destined to that interface; passthrough traffic does not consult the management profile. Likewise, a security policy will not hide an interface from a trace.
Case 2: Trace results with zone protection profile
To hide the Palo Alto Networks firewall from traceroute, enable Suppress ICMP TTL Expired Error in a zone protection profile. This stops the firewall from sending ICMP TTL Expired messages, which is exactly what traceroute relies on to discover a hop.
Because the TTL Time Exceeded message never makes it back to the source (the zone protection profile is applied to the zone containing the interface), the Palo Alto Networks firewall hides its identity; the packet is still dropped and traffic with sufficient TTL is still forwarded.
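The following is an added example, not code from the Palo Alto Networks article: a small Python model of the traceroute mechanism described above, which shows why a hop that silently drops TTL-expired packets shows up as "Request timed out" while later hops are still discovered, plus a helper that parses Windows tracert output so an operator can confirm the firewall address no longer appears. The path, addresses and sample tracert output are constructed, modelled on the traces in this article.

```python
import re

# Constructed path modelled on the article's trace: (hop address, suppress?)
# "suppress" models the zone protection profile's Suppress ICMP TTL Expired Error.
PATH = [
    ("10.50.240.73", False),   # firewall inside interface, hop 1 in Case 1
    ("10.50.241.75", False),
    ("103.245.157.17", False),
]
DESTINATION = "8.8.8.8"


def forward_probe(ttl, path, destination):
    """Carry one probe along the path, decrementing TTL at every L3 device.
    Returns the address that answers, or None when the hop where the TTL
    reached 0 dropped the probe without an ICMP Time Exceeded reply."""
    for hop, suppress in path:
        ttl -= 1
        if ttl == 0:
            # The probe is dropped here either way; only the reply differs.
            return None if suppress else hop
    # TTL survived the whole path: the destination's port-unreachable ends it.
    return destination


def traceroute(path, destination, max_hops=30):
    """Send probes with TTL 1, 2, 3, ... until the destination answers.
    A None entry is what tracert prints as '* * * Request timed out.'"""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = forward_probe(ttl, path, destination)
        hops.append(reply)
        if reply == destination:
            break
    return hops


def suppress_ttl_expired(path, address):
    """Model applying the zone protection profile on one interface."""
    return [(hop, True if hop == address else flag) for hop, flag in path]


def exposed_hops(tracert_output):
    """Parse Windows tracert output and return the hop addresses it reveals,
    so an operator can verify the firewall address is no longer listed."""
    ip = re.compile(r"^\s*\d+\s+.*?(\d{1,3}(?:\.\d{1,3}){3})\s*$")
    return [m.group(1) for m in map(ip.match, tracert_output.splitlines()) if m]


if __name__ == "__main__":
    print(traceroute(PATH, DESTINATION))  # firewall visible as hop 1
    print(traceroute(suppress_ttl_expired(PATH, "10.50.240.73"), DESTINATION))
```

Feeding the output of a real `tracert -d` run into `exposed_hops` after committing the profile is the quickest check that the inside interface address has disappeared from the hop list.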
Trace results after applying zone protection profile:
C:\Users\Administrator>tracert -d 8.8.8.8
Tracing route to 8.8.8.8 over a maximum of 30 hops
1 * * * Request timed out. <<< The zone protection settings keep the firewall from revealing its identity >>>
2 1 ms 1 ms 1 ms 10.50.241.75
3 186 ms 24 ms 4 ms 103.245.157.17
4 212 ms 112 ms 20 ms 103.245.157.177
5 240 ms 170 ms 247 ms 182.74.212.225
6 233 ms 381 ms 160 ms 182.79.243.26
7 213 ms 77 ms 155 ms 72.14.242.178
8 7 ms 11 ms 8 ms 72.14.236.57
9 64 ms 52 ms 56 ms 66.249.94.189
10 17 ms 16 ms 7 ms 8.8.8.8
Trace complete.
So, if you want to hide your Palo Alto Networks firewall from a traceroute, use the method above.