
[SRX] junos-traceroute application deprecated from junos-defaults groups


Article ID: KB21343 KB Last Updated: 25 Jul 2019 Version: 5.0
Summary:

This article describes the junos-traceroute application, which was originally available in the junos-defaults group, and explains how to permit traceroute packets on SRX devices now that the application is deprecated.

 

Symptoms:

The Junos OS software provides a default, hidden configuration group called junos-defaults that is automatically applied to the configuration of a platform. The junos-defaults group contains preconfigured statements that contain predefined values for common applications.

The Junos OS software used to provide an application for traceroute as follows:

Traceroute application:

application junos-traceroute {
    application-protocol traceroute;
    protocol udp;
    destination-port 33435-33450;
    ttl-threshold 30;
}

Traceroute application that stops at the device supporting the firewall (packets with ttl > 1 will be discarded):

application junos-traceroute-ttl-1 {
    application-protocol traceroute;
    protocol udp;
    destination-port 33435-33450;
    ttl-threshold 1;
}

These were also documented at the following location:

 

Solution:

The above application was supported in J Series packet-based devices only (Junos OS 9.3 is the last release).

On SRX devices that run Junos OS 9.6 and later releases, a specific application has to be configured instead of the above-mentioned application to explicitly permit traceroute packets.

Note that configuring an application with the above-mentioned application-protocol or ttl-threshold statements gives the following error:

application traceroute {
    ##
    ## Warning: statement ignored: unsupported platform (srx210h-poe)
    ##
    application-protocol traceroute;
    ##
    ## Warning: statement ignored: unsupported platform (srx210h-poe)
    ##
    ttl-threshold 30;
}

First, we need to understand the type of traceroute being used. More information about the different types of traceroutes can be found in the following article:

Traceroute

 

In most cases, we are dealing with either UDP traceroute or ICMP traceroute. The following two examples illustrate how to configure an application set to specifically permit the traceroute packets.

  1. Example for permitting UDP traceroute for Unix or Linux based operating systems:

[edit]
root@SRX210# show applications

application trace {
    protocol udp;
    destination-port 33434-33534;
}

Note: The above application will allow all UDP traffic on ports 33434 to 33534. The previous version of junos-traceroute would also have permitted all UDP traffic matching the destination-port statement.

  2. Example for permitting ICMP traceroute:

(Either of the following predefined applications may be used.)

application junos-icmp-all {
    term t1 protocol icmp;
}

application junos-ping {
    term t1 protocol 1;
}

Note: This will permit all ICMP packet types.

ICMP and UDP can also be combined into a single application set if required, as in the following example:

[edit]
root# show applications
application trace-icmp {
    term 1 protocol icmp;
}
application trace-udp {
    term 2 protocol udp destination-port 33434-33534;
}
application-set trace-udp-icmp {
    application trace-icmp;
    application trace-udp;
}
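
An application set only matches traffic once a security policy references it. The following is an added example, not part of the original article: it narrows the ICMP application to echo requests (type 8) rather than all ICMP types, limits who may send probes, and logs the sessions. The zone names trust and untrust, the policy and application names, and the address-book entry noc-hosts (assumed to be defined already) are illustrative assumptions.

```junos
/* Added example; names below are assumptions, not from the article. */
applications {
    /* ICMP traceroute probes are echo requests, so match type 8 only */
    application trace-icmp-echo {
        protocol icmp;
        icmp-type 8;
    }
    /* Same UDP range as the article's example; this still matches
       any UDP traffic to these ports, not only traceroute probes */
    application trace-udp {
        protocol udp;
        destination-port 33434-33534;
    }
    application-set trace-udp-echo {
        application trace-icmp-echo;
        application trace-udp;
    }
}
security {
    policies {
        from-zone trust to-zone untrust {
            policy permit-traceroute {
                match {
                    /* noc-hosts: assumed existing address-book entry */
                    source-address noc-hosts;
                    destination-address any;
                    application trace-udp-echo;
                }
                then {
                    permit;
                    /* Record each permitted session for later review */
                    log {
                        session-close;
                    }
                }
            }
        }
    }
}
```

Because the UDP application matches on destination port alone, restricting the source address and logging session close are what keep this rule auditable.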

 

Modification History:

2019-07-25: Article reviewed for accuracy; configuration with application set added; minor formatting changes made. Solution is still valid.

 
