One of the McAfee guys on this forum may well correct me if I am wrong. But, going back 14 years to my first exposure to the Sidewinder Firewall product that eventually became McAfee Firewall Enterprise, it has never responded to traceroute requests - or never allowed these requests to pass through.
You can traceroute from the Firewall command line, however.
There is a setting in the Network --> Zone Configuration (or Burb Configuration if you are pre-v8) on each zone to "Respond to ICMP Echo and Timestamp", but I have always associated this with being able to ping the Firewall.
Yes traceroute is just ICMP with a gradually increasing TTL.
That's interesting that you can't traceroute by default. Unless I'm mistaken, I think this is just not enabled out of the box for security, but could be made to work with the right rules. I do remember something in the distant past (5.2) where the Sidewinder had a bug that caused issues if ICMP was used past a certain date (yes, really!). I think this was an issue with the underlying BSDOS that was used. I don't think you can ping through the Sidewinder by default either, but again I think it might be possible with the right rules.
I always ensure that "Respond to ICMP Echo and Timestamp" is disabled on WAN interfaces, as nobody needs to know you are there! I let internal users ping the LAN IP though.
All the best,

on 27/03/13 15:06:58 CDT
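To make the "increasing TTL" explanation above concrete, here is an added simulation (not from the thread or from McAfee) of how a traceroute probe walks a path and how a firewall hop that never sends ICMP Time Exceeded shows up as `*`, both with and without a rule letting ICMP pass through. Hop names and the path are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Hop:
    """One router on the path (constructed model, not a real device)."""
    name: str
    answers_ttl_exceeded: bool = True  # sends ICMP Time Exceeded when it expires a probe
    passes_icmp: bool = True           # forwards ICMP probes on to the next hop


def send_probe(path: List[Hop], ttl: int) -> Optional[str]:
    """Return the name of the hop that answers one probe, or None on timeout."""
    for index, hop in enumerate(path):
        ttl -= 1
        if index == len(path) - 1:
            return hop.name                     # destination reached: Echo Reply
        if ttl == 0:
            # TTL expired here; a firewall with ICMP responses disabled stays silent
            return hop.name if hop.answers_ttl_exceeded else None
        if not hop.passes_icmp:
            return None                         # no rule permits ICMP through: dropped
    return None


def traceroute(path: List[Hop], max_hops: int = 30) -> List[str]:
    """Probe with TTL 1, 2, ... until the destination answers or max_hops is hit."""
    lines: List[str] = []
    for ttl in range(1, max_hops + 1):
        responder = send_probe(path, ttl)
        lines.append(responder or "*")
        if responder == path[-1].name:
            break
    return lines


if __name__ == "__main__":
    # Firewall with "Respond to ICMP Echo and Timestamp" off and no ICMP rule.
    silent_fw = Hop("firewall", answers_ttl_exceeded=False, passes_icmp=False)
    print(traceroute([Hop("lan-gw"), silent_fw, Hop("isp-router"), Hop("target")], 5))
    # Same firewall after a rule permitting ICMP through: later hops answer again.
    open_fw = Hop("firewall", answers_ttl_exceeded=False, passes_icmp=True)
    print(traceroute([Hop("lan-gw"), open_fw, Hop("isp-router"), Hop("target")], 5))
```

The first path prints `['lan-gw', '*', '*', '*', '*']`, the second `['lan-gw', '*', 'isp-router', 'target']`, matching the behaviour described in the thread: the firewall itself stays invisible either way, and only the pass-through rule decides whether anything beyond it is reachable.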
Thanks for the information packetmonkey. You're right, you can't ping through the firewall by default. It took me a long time to realize that if you wanted the firewall to respond to a ping you had to click the "Respond to ICMP Echo and Timestamp" box in the connection options of the zone. I have written rules to allow ICMP through the firewall, which I can confirm works. It's not a huge problem if I can't get the firewall to respond to traceroute, it just makes troubleshooting problems easier. Thanks again.