Traceroute and Traceroute6 Through the Palo Alto Networks firewall

Created On 09/26/18 13:48 PM - Last Modified 06/15/23 21:28 PM


Resolution


Dataplane interfaces responding to traceroute or traceroute6 UDP probes

The firewall will not respond on any interface to traceroute/traceroute6 UDP or TCP probes directed to the firewall's dataplane ports.

 

Traceroute through the Palo Alto Networks firewall

Make sure to allow application 'traceroute' in your security policy. GRE probes are identified as application 'gre'.

 

Traceroute6 through the Palo Alto Networks firewall

Use ICMP probes when running traceroute6, as the Palo Alto Networks firewall does not have a signature to identify traceroute6 UDP or TCP probes with App-ID. The traceroute6 ICMP probes will be identified by the App-ID engine as 'ipv6-icmp'. Application 'ipv6-icmp' must be allowed for traceroute6 traffic.

 

On Windows: tracert -6 <IPv6_Address>


 

On Linux: sudo traceroute -6 -I <IPv6_Address>


 

On Mac OS X: traceroute6 -I <IPv6_Address>

 

Example of a session on the firewall identifying the application, ipv6-icmp:
