Background
tracepath is a Unix/Linux utility similar to traceroute. The differences between the two are:
- tracepath does not require root privileges.
- tracepath uses (and only uses) UDP, with a random high destination port. traceroute on Unix/Linux also uses UDP by default, with destination ports in the range 33434-33534, but it has an option to switch to ICMP (the Windows equivalent, tracert, always uses ICMP).
Note: This applies to PAN-OS 5.0 or later.
Detail
If a security rule allows only application "traceroute" with service "application-default", and no subsequent rule permits tracepath traffic, then tracepath's UDP probes are dropped.
[Screenshots: Security Policy and Traffic Log]
Explanation: tracepath uses UDP with a random high destination port. With service set to "application-default", the rule permits an application only on its App-ID standard ports, and the standard ports in the traceroute signature are only icmp/any and udp/33434-33534. tracepath's probes fall outside that range, so they are denied.
Solution
There are two possible solutions:
1) Configure the security rule to allow application "traceroute" with service "any". You also need to allow the applications "icmp" and "ping", because both are application dependencies of traceroute.
[Screenshots: Security Policy and Traffic Log]
2) Instruct users to run tracepath with an explicit starting destination port of 33434 (tracepath -p 33434 <destination>). Note in the traffic log that the destination port increments from 33434 with each hop, so the probes stay inside the udp/33434-33534 range of the traceroute signature (tracepath's default maximum of 30 hops fits comfortably). Allowing the icmp and ping applications is still required because of the traceroute application dependency.
[Screenshots: Security Policy and Traffic Log]
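The following is an added example, not code from the original article or from Palo Alto Networks: a small Python model of how a rule for application "traceroute" treats tracepath's UDP probes under service "application-default" versus service "any", and why fixing the starting port with -p 33434 works. The port ranges are the ones quoted above; the hop counts and the "random" starting port 44444 are constructed sample values, and the dependency check is a simplification of App-ID's behaviour, not an implementation of it.

```python
# Added example, not code from the original article: a model of how a PAN-OS
# security rule for application "traceroute" treats the UDP probes tracepath
# emits, depending on the rule's service setting. Port ranges are the ones
# the article quotes; hop counts and the starting port 44444 are constructed.

# App-ID standard ports for "traceroute" (article): icmp/any, udp/33434-33534.
STANDARD_PORTS = {"icmp": None, "udp": (33434, 33534)}
# Applications the rule must also allow (article): traceroute depends on them.
DEPENDENCIES = {"icmp", "ping"}


def on_standard_port(proto, dport):
    """True if proto/dport falls inside the App-ID standard port set."""
    if proto not in STANDARD_PORTS:
        return False
    rng = STANDARD_PORTS[proto]
    if rng is None:          # "any" port
        return True
    lo, hi = rng
    return lo <= dport <= hi


def rule_allows(apps, service, proto, dport):
    """Model a rule allowing the application set `apps` with service `service`.

    service is "application-default" or "any". Returns True if a probe with
    proto/dport would be permitted by this rule alone (no subsequent rules).
    """
    if "traceroute" not in apps or not DEPENDENCIES <= apps:
        return False         # dependency apps missing: session not allowed
    if proto not in STANDARD_PORTS:
        return False         # not something App-ID would call traceroute
    if service == "any":
        return True
    if service == "application-default":
        return on_standard_port(proto, dport)
    raise ValueError("unknown service: %r" % service)


def tracepath_probes(base_port, max_hops=30):
    """UDP destination ports tracepath uses: base port, +1 per hop
    (base is random unless fixed with -p, per the article's traffic log)."""
    return [("udp", base_port + hop) for hop in range(max_hops)]


def evaluate(apps, service, base_port, max_hops=30):
    """Per-hop allow/deny decisions for a tracepath run through the rule."""
    return [rule_allows(apps, service, p, d)
            for p, d in tracepath_probes(base_port, max_hops)]


def max_hops_in_range(base_port):
    """Hops a tracepath run starting at base_port can probe before the
    incremented destination port leaves udp/33434-33534."""
    lo, hi = STANDARD_PORTS["udp"]
    if not lo <= base_port <= hi:
        return 0
    return hi - base_port + 1


if __name__ == "__main__":
    full = {"traceroute", "icmp", "ping"}
    # Original rule: application-default with a random high port -> all denied.
    print("random port, app-default:", evaluate(full, "application-default", 44444))
    # Solution 1: service any.
    print("random port, service any:", evaluate(full, "any", 44444))
    # Solution 2: tracepath -p 33434 keeps every hop inside the standard range.
    print("-p 33434, app-default:   ", evaluate(full, "application-default", 33434))
    print("hops that fit from 33434:", max_hops_in_range(33434))
    # Forgetting the icmp/ping dependency breaks both solutions.
    print("no deps, service any:    ", evaluate({"traceroute"}, "any", 33434))
```

Running the block prints a per-hop decision list for each scenario: every hop is denied with a random starting port under application-default, every hop is allowed once the service is "any" or the starting port is 33434, and dropping the icmp/ping dependency denies everything regardless of service. max_hops_in_range(33434) is 101, which is why the default 30-hop run never leaves the signature's port range.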
See also
Can a Policy be Configured to Allow Traceroute?