This article talks about the junos-traceroute application, which was initially available under the group junos-defaults.
The Junos OS software provides a default, hidden configuration group called junos-defaults that is automatically applied to the configuration of a platform. The junos-defaults group contains preconfigured statements with predefined values for common applications.
The Junos OS software used to provide an application for traceroute as follows:
Traceroute application:
    application junos-traceroute {
        application-protocol traceroute;
        protocol udp;
        destination-port 33435-33450;
        ttl-threshold 30;
    }
A second predefined application made the traceroute stop at the device running the firewall: packets with a TTL greater than 1 were discarded.
    application junos-traceroute-ttl-1 {
        application-protocol traceroute;
        protocol udp;
        destination-port 33435-33450;
        ttl-threshold 1;
    }
These were also documented at the following location:
The above applications were supported only on J Series packet-based devices (Junos OS 9.3 is the last release that includes them).
On SRX devices running Junos OS 9.6 and later releases, these applications are no longer available; a specific application has to be configured instead to explicitly permit traceroute packets.
Note that specifying an application with the above application-protocol or ttl-threshold statements gives the following warnings:
    application traceroute {
        ##
        ## Warning: statement ignored: unsupported platform (srx210h-poe)
        ##
        application-protocol traceroute;
        ##
        ## Warning: statement ignored: unsupported platform (srx210h-poe)
        ##
        ttl-threshold 30;
    }
First, we need to understand the type of traceroute being used. More information about the different types of traceroutes can be found in the following article:
Traceroute
In most cases, we are dealing with either UDP traceroute or ICMP traceroute and the following two examples illustrate how to configure an application set to specifically permit the traceroute packets.
- Example for permitting UDP traceroute for Unix or Linux based operating systems:
    [edit]
    root@SRX210# show applications
    application trace {
        protocol udp;
        destination-port 33434-33534;
    }
Note: The above application will allow all UDP traffic on ports 33434 to 33534. The previous version of junos-traceroute would also have permitted all UDP traffic matching the destination-port statement.
- Example for permitting ICMP traceroute (either of the following predefined applications may be used):
    application junos-icmp-all {
        term t1 protocol icmp;
    }
    application junos-ping {
        term t1 protocol 1;
    }
Note: This will permit all ICMP packet types.
We can also combine ICMP and UDP into a single application set if required. For example:
    [edit]
    root# show applications
    application trace-icmp {
        term 1 protocol icmp;
    }
    application trace-udp {
        term 2 protocol udp destination-port 33434-33534;
    }
    application-set trace-udp-icmp {
        application trace-icmp;
        application trace-udp;
    }
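As an added example (not part of this article or of Junos OS itself), the following Python models how an application defined by protocol and destination-port range, or an application set of such applications, decides which packets are permitted. It assumes Linux-style UDP traceroute, which sends one probe per consecutive destination port starting at 33434 (30 hops x 3 probes by default), and uses the port ranges given above to show that the old junos-traceroute range covered only a fraction of such a run, and that the replacement range admits any UDP packet to those ports, not only traceroute.

```python
# Added example, not part of the Juniper article: a small model of how a Junos
# "application" (IP protocol plus destination-port range) decides which packets
# a security policy that references it will permit, applied to traceroute.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: Linux-style UDP traceroute sends its probes to consecutive
# destination ports starting at 33434, one port per probe (default 30 hops x 3).
TRACEROUTE_BASE_PORT = 33434


@dataclass(frozen=True)
class Application:
    """Stand-in for a Junos 'application': protocol plus optional port range."""
    name: str
    protocol: str                                 # "udp" or "icmp"
    dst_ports: Optional[Tuple[int, int]] = None   # inclusive range; None = any

    def matches(self, protocol: str, dst_port: Optional[int] = None) -> bool:
        if protocol != self.protocol:
            return False
        if self.dst_ports is None:
            return True
        low, high = self.dst_ports
        return dst_port is not None and low <= dst_port <= high


# Port ranges taken from the article: the old junos-traceroute default and the
# replacement "trace" application; junos-icmp-all has no port range.
LEGACY_JUNOS_TRACEROUTE = Application("junos-traceroute", "udp", (33435, 33450))
TRACE = Application("trace", "udp", (33434, 33534))
JUNOS_ICMP_ALL = Application("junos-icmp-all", "icmp")


def probe_ports(max_hops: int = 30, probes_per_hop: int = 3) -> List[int]:
    """Destination ports one UDP traceroute run uses, in sending order."""
    return [TRACEROUTE_BASE_PORT + i for i in range(max_hops * probes_per_hop)]


def probes_permitted(app: Application, max_hops: int = 30, probes_per_hop: int = 3) -> int:
    """How many of the run's UDP probes the application would match."""
    return sum(1 for p in probe_ports(max_hops, probes_per_hop) if app.matches("udp", p))


def permitted_by_set(apps: List[Application], protocol: str, dst_port: Optional[int] = None) -> bool:
    """An application-set (e.g. trace-udp-icmp) matches when any member matches."""
    return any(a.matches(protocol, dst_port) for a in apps)
```

With the default 90-probe run, the old range permits only 16 probes while the replacement range permits all 90; the same range also matches unrelated UDP traffic to, say, port 33500.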
2019-07-25: Article reviewed for accuracy; configuration with application set added; minor formatting changes made. Solution is still valid.