4 Replies Latest reply: Mar 28, 2013 9:43 AM by russel

    Trace Route

    russel

      Hello all, I am having trouble getting the firewall to respond to Trace Route. Could someone help me figure out how to get this to work?

        • 1. Re: Trace Route
          PhilM

          One of the McAfee guys on this forum may well correct me if I am wrong. But, going back 14 years to my first exposure to the Sidewinder Firewall product that eventually became McAfee Firewall Enterprise, it has never responded to traceroute requests - or never allowed these requests to pass through.


          You can traceroute from the Firewall command line, however.


          There is a setting in the Network --> Zone Configuration (or Burb Configuration if you are pre-v8) on each zone to "Respond to ICMP Echo and Timestamp", but I have always associated this with being able to ping the Firewall.


          -Phil.

          • 2. Re: Trace Route
            russel

            PhilM, thank you so much for the help. I really appreciate it.

            • 3. Re: Trace Route
              packetmonkey

              Hello,


              Yes traceroute is just ICMP with a gradually increasing TTL.


              That's interesting that you can't traceroute by default. Unless I'm mistaken I think this is just not enabled out of the box for security, but could be made to work with the right rules. I do remember something in the distant past (5.2) where the Sidewinder had a bug that caused issues if ICMP was used past a certain date (yes really!). Think this was an issue with the underlying BSDOS that was used. I don't think you can ping through the Sidewinder by default either, but again I think it might be possible again with the right rules.


              I always ensure that "Respond to ICMP Echo and Timestamp" is disabled on WAN interfaces as nobody needs to know you are there! I let internal users ping the LAN IP though.


              All the best,


              on 27/03/13 15:06:58 CDT
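The TTL mechanism packetmonkey describes, as an added simulation that is not part of the original thread or of the McAfee product: each router decrements the probe's TTL and, when it hits zero, normally reports back with ICMP Time Exceeded (Windows tracert sends ICMP echo probes; Unix traceroute defaults to UDP probes, but the TTL behaviour is identical). A firewall that forwards the probes but never answers them itself shows up as a `*` row while later hops and the destination still appear; a firewall that drops the probes hides everything behind it. No sockets are opened, and every hop name and address below is constructed (RFC 5737 documentation ranges).

```python
"""Simulation of how a TTL-based traceroute sees a path that contains a
firewall which forwards probes but never answers them itself.

This models the mechanism only: no packets are sent, and all hop names
and addresses are constructed for illustration."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Hop:
    name: str
    address: str
    answers_expired_probes: bool = True  # sends ICMP Time Exceeded when TTL hits 0
    forwards_probes: bool = True         # lets probes continue toward the destination


def send_probe(path: List[Hop], ttl: int) -> Tuple[Optional[str], bool]:
    """Forward one probe along `path`.

    Returns (address_that_replied_or_None, destination_reached).
    Every router decrements the TTL; at 0 it drops the probe and, if
    configured to, reports back. The final hop is the destination host,
    which answers any probe that reaches it with TTL >= 1."""
    for index, hop in enumerate(path):
        is_destination = index == len(path) - 1
        if is_destination:
            return hop.address, True
        ttl -= 1
        if ttl == 0:
            # Expired here: the router either identifies itself or stays silent.
            return (hop.address if hop.answers_expired_probes else None), False
        if not hop.forwards_probes:
            # Dropped outright: this and every later hop show as '*'.
            return None, False
    return None, False


def traceroute(path: List[Hop], max_hops: int = 30) -> List[Tuple[int, str]]:
    """Probe with TTL 1, 2, 3, ... until the destination answers or max_hops."""
    rows = []
    for ttl in range(1, max_hops + 1):
        responder, reached = send_probe(path, ttl)
        rows.append((ttl, responder if responder else "*"))
        if reached:
            break
    return rows


def render(rows: List[Tuple[int, str]]) -> str:
    return "\n".join(f"{ttl:3d}  {addr}" for ttl, addr in rows)


# Constructed sample path: edge router, the firewall, an upstream router, target.
SAMPLE_PATH = [
    Hop("edge-router", "192.0.2.1"),
    Hop("firewall", "192.0.2.2", answers_expired_probes=False),
    Hop("upstream", "198.51.100.1"),
    Hop("target", "203.0.113.10"),
]


def blocked_path(path: List[Hop]) -> List[Hop]:
    """Same path, but the firewall has no rule passing the probes at all."""
    return [
        Hop(h.name, h.address, answers_expired_probes=False, forwards_probes=False)
        if h.name == "firewall" else h
        for h in path
    ]


if __name__ == "__main__":
    print("Firewall passes the probes but stays silent (rule allows ICMP through):")
    print(render(traceroute(SAMPLE_PATH)))
    print("\nFirewall drops the probes entirely (no rule):")
    print(render(traceroute(blocked_path(SAMPLE_PATH), max_hops=5)))
```

The first run is the situation russel ends up with: ICMP is allowed through by rule, so hops beyond the firewall and the destination are visible, and only the firewall's own row reads `*`. The second run is the default with no rule, where nothing past the firewall ever appears, which is the difference to look for when deciding whether a missing hop is a silent-but-forwarding firewall or a genuine block.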
              • 4. Re: Trace Route
                russel

                Thanks for the information packetmonkey. You're right, you can't ping through the firewall by default. It took me a long time to realize that if you wanted the firewall to respond to a ping you had to click the "Respond to ICMP Echo and Timestamp" box in the connection options of the zone. I have written rules to allow ICMP through the firewall, which I can confirm works. It's not a huge problem if I can't get the firewall to respond to traceroute, it just makes troubleshooting problems easier. Thanks again.