SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Hiding SRX IP in traceroute

    Posted 03-04-2014 22:47

    Hello Experts

     

    I don't want the SRX IP to be shown while tracing from a PC. What command do I need to enable this? In ScreenOS, I know the below command works: "set flow icmp time-exceeded"



  • 2.  RE: Hiding SRX IP in traceroute

    Posted 03-08-2014 02:00

    at a guess

     

    delete security zones security-zone trust host-inbound-traffic system-services ping

    delete security zones security-zone trust host-inbound-traffic system-services traceroute

    delete security zones security-zone untrust host-inbound-traffic system-services ping

    delete security zones security-zone untrust host-inbound-traffic system-services traceroute



  • 3.  RE: Hiding SRX IP in traceroute

     
    Posted 03-08-2014 12:56

    Hello 

     

    You just need to disable the traceroute service on the interface facing your PC (where the gateway is configured); you can configure it at the interface level or the zone level.

     

    delete security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services traceroute

     

    Regards 



  • 4.  RE: Hiding SRX IP in traceroute

    Posted 03-08-2014 20:19

    I only have SSH and ping enabled on the interface. Any idea?



  • 5.  RE: Hiding SRX IP in traceroute

    Posted 03-08-2014 22:39
    Disable ping

    What client are you using to trace?


  • 6.  RE: Hiding SRX IP in traceroute
    Best Answer

     
    Posted 03-08-2014 22:58

    Hello 

    If you are using a Windows machine, it will use ICMP with TTL=1 to trace the first hop and increase the TTL for every next hop (see the diagram below), so if you disable ping under the zone host-inbound-traffic system-services, this will block both traceroute and ping on your SRX.

    SENDER=====Router=====Router=====Router=====TARGET
            TTL=1      TTL=2       TTL=3      TTL=4 

     

    If you'd like to keep ping enabled and block traceroute only, you need to define a firewall filter to block the "ICMP time-exceeded" reply from your SRX to the client, so in this case your filter will be applied as "output" on the local interface. Please find below a config template; I use 192.168.1.1 as your SRX local address facing the clients.

     

    set firewall family inet filter block-traceroute term t1 from source-address 192.168.1.1/32
    set firewall family inet filter block-traceroute term t1 from protocol icmp
    set firewall family inet filter block-traceroute term t1 from icmp-type time-exceeded
    set firewall family inet filter block-traceroute term t1 then discard
    set firewall family inet filter block-traceroute term accept-else then accept

     

    set interfaces ge-0/0/1.0 family inet filter output block-traceroute    

     

     

    Regards
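
    The following is an added illustration, not code from the thread or from Juniper: a small Python model of the TTL mechanism in the diagram above, showing why an output filter that discards the SRX's own ICMP time-exceeded message hides the SRX hop as "*" in a traceroute while a plain ping to the SRX still gets an echo reply. The topology (PC, SRX at 192.168.1.1, an upstream router at 10.0.0.1, a target at 203.0.113.10) is constructed for the example; the hop, upstream and target addresses other than 192.168.1.1 are assumptions. It models only the firewall-filter approach from the post above, not the host-inbound-traffic ping setting.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample topology (addresses other than 192.168.1.1 are assumptions):
#   PC ---- SRX (192.168.1.1) ---- upstream router (10.0.0.1) ---- target (203.0.113.10)
SRX_ADDR = "192.168.1.1"
UPSTREAM_ADDR = "10.0.0.1"
TARGET_ADDR = "203.0.113.10"


@dataclass
class Hop:
    """One device on the path. drop_time_exceeded models the thread's
    'block-traceroute' output filter: the device still expires the TTL but
    its own ICMP time-exceeded message never leaves toward the client."""
    address: str
    drop_time_exceeded: bool = False


def send_probe(path: List[Hop], ttl: int) -> Optional[str]:
    """Carry one ICMP echo request with the given TTL along `path` (the last
    element is the destination). Return the address that answered, or None
    when nothing comes back (a traceroute client prints '*' for that)."""
    for hop in path[:-1]:
        ttl -= 1                     # every router decrements TTL when forwarding
        if ttl == 0:
            # TTL expired at this router: it normally answers with
            # ICMP type 11 (time-exceeded) sourced from its own address.
            return None if hop.drop_time_exceeded else hop.address
    return path[-1].address          # destination answers with an echo reply


def traceroute(path: List[Hop], max_ttl: int = 30) -> List[Optional[str]]:
    """Windows-style tracert: probes with TTL 1, 2, 3 ... until the destination answers."""
    hops: List[Optional[str]] = []
    for ttl in range(1, max_ttl + 1):
        answer = send_probe(path, ttl)
        hops.append(answer)
        if answer == path[-1].address:
            break
    return hops


def ping(path: List[Hop], address: str) -> Optional[str]:
    """Plain ping: an echo request addressed to `address` itself with a normal
    TTL, so no TTL expiry happens and the time-exceeded filter never triggers."""
    idx = next(i for i, h in enumerate(path) if h.address == address)
    return send_probe(path[: idx + 1], ttl=64)


def build_path(hide_srx: bool) -> List[Hop]:
    """Path from the PC outward; hide_srx=True applies the time-exceeded filter on the SRX."""
    return [
        Hop(SRX_ADDR, drop_time_exceeded=hide_srx),
        Hop(UPSTREAM_ADDR),
        Hop(TARGET_ADDR),
    ]


def render(hops: List[Optional[str]]) -> str:
    """Format a hop list the way tracert does, with '*' for a silent hop."""
    return "\n".join(f"{n:>3}  {addr or '*'}" for n, addr in enumerate(hops, 1))


if __name__ == "__main__":
    for hide in (False, True):
        path = build_path(hide)
        print(f"\n--- SRX time-exceeded filter {'ON' if hide else 'OFF'} ---")
        print(render(traceroute(path)))
        print("ping SRX ->", ping(path, SRX_ADDR))
```

    With the filter off the first hop shows 192.168.1.1; with it on the first hop shows "*" while later hops and the final destination still answer, and a direct ping to 192.168.1.1 still works. Note that the hop is only hidden, not removed: the hop count and the later addresses still reveal that a device sits in front of 10.0.0.1.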



  • 7.  RE: Hiding SRX IP in traceroute

    Posted 03-09-2014 23:07

    Thanks. Under the zone's security host-inbound-traffic system-services, can we disable icmp-time-exceeded?



  • 8.  RE: Hiding SRX IP in traceroute

     
    Posted 03-10-2014 21:58
    Under the security zone host-inbound-traffic you can disable ping globally.