russel
Level 7
Message 1 of 5

Trace Route

Hello all, I am having trouble getting the firewall to respond to Trace Route. Could someone help me figure out how to get this to work?

4 Replies
PhilM
Level 14
Message 2 of 5

Re: Trace Route

One of the McAfee guys on this forum may well correct me if I am wrong. But, going back 14 years to my first exposure to the Sidewinder Firewall product that eventually became McAfee Firewall Enterprise, it has never responded to traceroute requests - or never allowed these requests to pass through.

You can traceroute from the Firewall command line, however.

There is a setting in the Network --> Zone Configuration (or Burb Configuration if you are pre-v8) on each zone to "Respond to ICMP Echo and Timestamp", but I have always associated this with being able to ping the Firewall.

-Phil.

russel
Level 7
Message 3 of 5

Re: Trace Route

PhilM, thank you so much for the help. I really appreciate it.

Re: Trace Route

Hello,

Yes traceroute is just ICMP with a gradually increasing TTL.

That's interesting that you can't traceroute by default. Unless I'm mistaken I think this is just not enabled out the box for security, but could be made to work with the right rules. I do remember something in the distant past (5.2) where the Sidewinder had a bug that caused issues if ICMP was used past a certain date (yes really!). Think this was an issue with the underlying BSDOS that was used. I don't think you can ping through the Sidewinder by default either, but again I think it might be possible again with the right rules.

I always ensure that "Respond to ICMP Echo and Timestamp" is disabled on WAN interfaces as nobody needs to know you are there! I let internal users ping the LAN IP though.

All the best,

on 27/03/13 15:06:58 CDT
russel
Level 7
Message 5 of 5

Re: Trace Route

Thanks for the information packetmonkey. You're right, you can't ping through the firewall by default. It took me a long time to realize that if you wanted the firewall to respond to a ping you had to click the "Respond to ICMP Echo and Timestamp" box in the connection options of the zone. I have written rules to allow ICMP through the firewall, which I can confirm works. It's not a huge problem if I can't get the firewall to respond to traceroute, it just makes troubleshooting problems easier. Thanks again.
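
The behaviour discussed in this thread, as an added example that is not part of any post: a Python model of a TTL-stepped ICMP trace across a path whose firewall hop stays silent, with and without a rule that passes ICMP through. The hop names and the two per-hop flags are constructed for illustration; no real packets are sent and nothing here is a McAfee Firewall Enterprise API.

```python
from dataclasses import dataclass

@dataclass
class Hop:
    name: str
    sends_time_exceeded: bool = True  # answers when a probe's TTL expires here
    forwards_icmp: bool = True        # policy lets ICMP echo pass through

def probe(path, ttl):
    """Model one echo request sent with this TTL; return (responder, kind) or None."""
    *routers, destination = path
    for hop in routers:
        ttl -= 1                      # every forwarding hop decrements the TTL
        if ttl == 0:                  # expired here: reply only if the hop is willing
            return (hop.name, "time-exceeded") if hop.sends_time_exceeded else None
        if not hop.forwards_icmp:     # dropped by policy, nothing comes back
            return None
    return (destination.name, "echo-reply")

def traceroute(path, max_ttl=6):
    """Raise the TTL one step at a time, as traceroute does; '*' marks a timeout."""
    rows = []
    for ttl in range(1, max_ttl + 1):
        answer = probe(path, ttl)
        rows.append((ttl, answer[0] if answer else "*"))
        if answer and answer[1] == "echo-reply":
            break
    return rows

def build_path(fw_responds, fw_forwards):
    # Constructed four-hop path; the names are placeholders, not real devices.
    return [Hop("edge-router"),
            Hop("firewall", sends_time_exceeded=fw_responds, forwards_icmp=fw_forwards),
            Hop("core-router"),
            Hop("server")]

if __name__ == "__main__":
    cases = {"silent, ICMP blocked": (False, False),
             "silent, ICMP allowed by rule": (False, True),
             "responds and forwards": (True, True)}
    for label, flags in cases.items():
        print(label)
        for ttl, who in traceroute(build_path(*flags)):
            print(f"  {ttl:2d}  {who}")
```

A "*" at the firewall's hop alone, with later hops still answering, indicates a silent but forwarding firewall; "*" from that hop onward indicates ICMP is being dropped there.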
