SRX

Hello.

Does anyone know if there's a way to force the SRX firewalls to use ICMP based traceroute, rather than the default UDP based traceroute?

I couldn't find any mention of this in the documentation or KB.

Thank you.

Sam

1. Example for permitting ICMP traceroute:
   (Either of the following predefined applications may be used.)
   

   application junos-icmp-all {
       term t1 protocol icmp;
   }
   
   application junos-ping {
       term t1 protocol 1;
   }

     Note: This will permit all ICMP packet types.

We can also combine both the ICMP and UDP together into a single application set if required. An example of it is as follows:

[edit]
root# show applications
application trace-icmp {
    term 1 protocol icmp;
}
application trace-udp {
    term 2 protocol udp destination-port 33434-33534;
}
application-set trace-udp-icmp {
    application trace-icmp;
    application trace-udp;
}

Please refer to the below mentioned KB

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21343

Hi.  Thanks for the reply, but doesn't really answer my question.

traceroute sourced from the firewall uses UDP.  I want to be able to use ICMP for traceroutes sourced from the firewall.

Is it possible?

Thanks,

Sam

Thanks but there is no option for "-I" or "-P icmp"

from srx3400 shell...

% traceroute -help
Version 1.4a12+FreeBSD
Usage: traceroute [-ASdfnrv] [-w wait] [-i initial_ttl] [-m max_ttl]
         [-p port#] [-q nqueries] [-t tos] [-s src_addr] [-g gateway]
         [-J 4|6|r|I interface_name|U routing_instance|Llogical_router|P]
         host [data_size]
%

I'm gonna chaulk this one up as 'not supported'.

Thanks,

Sam