How to allow tracepath (Unix/Linux utility)

Created On 09/26/18 13:49 PM - Last Modified 05/28/25 09:35 AM


Resolution


Background

 

  • Traceroute is a network diagnostic tool used on Linux to map the path packets take from the client to a destination. It helps pinpoint network delays, identify unreachable hops, and troubleshoot routing issues.
  • Tracepath is a Unix/Linux utility similar to traceroute. The differences that matter here are:
    1. Tracepath does not require root privilege (it sends ordinary UDP datagrams and reads the returning ICMP errors from the socket error queue), which is why unprivileged users often use it instead of traceroute.
    2. Tracepath uses only UDP, with a high destination port that lies outside the traceroute port range (this article describes it as a random high port; iputils tracepath starts at port 44444 unless -p is given). traceroute on Unix/Linux also defaults to UDP, but with destination ports 33434-33534, and can be switched to ICMP (-I) or TCP (-T). Windows tracert always uses ICMP Echo.

 

Note: This is applicable for PAN-OS 5.0 or later.

 

Detail

 

  • If a security rule allows only application "traceroute" with service "application-default", and no later rule permits the tracepath traffic, tracepath's UDP probes are dropped.

 

[Figure: Security Policy (security_policy_tracepath_default.png) and Traffic Log (log_tracepath_default.png)]

Explanation: tracepath sends UDP to a high destination port outside the range that the App-ID signature defines for traceroute. With the service set to "application-default", the rule matches only the application's standard ports, which for traceroute are icmp/any and udp/33434-33534, so tracepath's probes do not match this rule, fall through to the next rule (or the default deny), and appear in the traffic log as denied.

 

Key consideration: UDP blocking by network devices

  • Some next-hop devices, including firewalls and routers, may block UDP traceroute packets, so the tool cannot complete the path.
  • When traceroute's UDP probes are blocked, the output shows "* * *" timeouts or an incomplete path.
  • Windows tracert uses ICMP by default; Linux users may need to switch traceroute to ICMP (-I) manually if UDP probes are blocked. Note that -I requires root privilege (or the raw-socket capability) on most systems, so it is not a substitute for tracepath for unprivileged users.

 

Solution

 

  • There are two possible solutions:

1) Configure the security rule to allow application "traceroute" with service "any". The rule must also allow applications "icmp" and "ping", because they are application dependencies of traceroute. With service "any" the rule accepts traceroute traffic on every port, so it now admits tracepath's high UDP destination ports as well; App-ID still limits the rule to traffic identified as traceroute, icmp or ping, but the port restriction is gone, so prefer solution 2 where the client side can be controlled.

 

[Figure: Security Policy (security_policy_tracepath_any.png) and Traffic Log (log_tracepath_any.png)]

 

 

 

2) Instruct users to run tracepath with a starting destination port of 33434, for example "tracepath -p 33434 <destination>". Note in the traffic log that the destination port increments from 33434 by one for each hop, so the probes stay inside the udp/33434-33534 range of the traceroute App-ID signature for up to 101 hops, which covers tracepath's default maximum of 30 hops. Allowing applications icmp and ping is still needed because of the traceroute application dependency.

 

[Figure: Security Policy (security_policy_tracepath_default.png) and Traffic Log (log_tracepath_option.png)]
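The following is an added example, not code from the Palo Alto Networks article or from PAN-OS. It models, in POSIX shell, the two behaviours described above: how a rule allowing application "traceroute" with service "application-default" treats tracepath's UDP probes compared with the same rule using service "any", and how far tracepath's per-hop port increment can go before a probe leaves the udp/33434-33534 range. The App-ID port range is taken from the article; the destination port 44444 used for the "default tracepath" case is an illustrative value (the article only says the port is high), and the rule logic is a simplification that ignores zones, addresses and App-ID identification.

```shell
#!/bin/sh
# Added example (not from the PAN-OS article): a small model of how a
# security rule that allows application "traceroute" treats tracepath's
# UDP probes under service "application-default" versus service "any".
# The traceroute App-ID standard ports come from the article:
# icmp/any and udp/33434-33534. Everything else is illustrative.

TRACEROUTE_UDP_LOW=33434
TRACEROUTE_UDP_HIGH=33534

# rule_verdict SERVICE PROTO DPORT -> prints "allow" or "deny".
# SERVICE is "application-default" or "any"; PROTO is "udp" or "icmp".
# Under "any" every port matches; under "application-default" only the
# App-ID standard ports match (the verdict for a non-matching packet is
# really "no match here", which in the article's setup ends in a deny).
rule_verdict() {
    service=$1; proto=$2; dport=$3
    if [ "$service" = "any" ]; then
        echo allow
        return
    fi
    case $proto in
        icmp) echo allow ;;
        udp)
            if [ "$dport" -ge "$TRACEROUTE_UDP_LOW" ] && [ "$dport" -le "$TRACEROUTE_UDP_HIGH" ]; then
                echo allow
            else
                echo deny
            fi ;;
        *) echo deny ;;
    esac
}

# tracepath_probe_ports START_PORT HOPS -> prints the destination port each
# hop uses, one per line, since tracepath increments the port by one per hop
# (as the article's traffic log shows).
tracepath_probe_ports() {
    start=$1; hops=$2; i=0
    while [ "$i" -lt "$hops" ]; do
        echo $((start + i))
        i=$((i + 1))
    done
}

# max_hops_within_range START_PORT -> how many hops can be probed before the
# destination port leaves the traceroute App-ID range (0 if the start port
# is already outside it, which is the default-tracepath failure mode).
max_hops_within_range() {
    start=$1
    if [ "$start" -lt "$TRACEROUTE_UDP_LOW" ] || [ "$start" -gt "$TRACEROUTE_UDP_HIGH" ]; then
        echo 0
    else
        echo $((TRACEROUTE_UDP_HIGH - start + 1))
    fi
}

# Constructed sample: first-hop probe of a default tracepath run (44444 is an
# assumed high port) and of "tracepath -p 33434 <dest>" (solution 2).
demo() {
    for dport in 44444 33434; do
        printf 'udp/%s: application-default -> %s, any -> %s\n' "$dport" \
            "$(rule_verdict application-default udp "$dport")" \
            "$(rule_verdict any udp "$dport")"
    done
    printf '30 hops starting at 33434 end at port %s (range allows %s hops)\n' \
        "$(tracepath_probe_ports 33434 30 | tail -n 1)" \
        "$(max_hops_within_range 33434)"
}
demo
```

Running the script shows the default-port probe denied under "application-default" and allowed under "any", while a run started at 33434 stays inside the range for all 30 default hops. The last function is the check to keep in mind if users raise tracepath's hop limit with -m: starting at 33434 leaves room for 101 hops, but a higher starting port shrinks that margin.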

 

See also

Can a Policy be Configured to Allow Traceroute?



Additional Information


  • To bypass UDP restrictions in the network path and send traceroute probes over ICMP, Linux users can use the -I switch:
      traceroute -I <destination>
  • For example:
      traceroute -I google.com
  • This makes Linux traceroute send ICMP Echo Requests, like Windows tracert. Note that ICMP and TCP probing (-I and -T) require root privilege or the raw-socket capability, which UDP tracepath does not; unprivileged users therefore still need one of the two solutions above.
  • Alternative methods and related options:
    - Use TCP-based traceroute, which sends TCP SYN probes (to port 80 by default) and may pass where UDP is filtered:
      traceroute -T <destination>
    - Limit the number of hops probed by setting the maximum TTL:
      traceroute -m <max-hops> <destination>
    - Adjust the time to wait for each probe's response:
      traceroute -w <seconds> <destination>

 



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClqBCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail