Friday, March 11, 2016

PaloAlto: Zone Protection Profile and Traceroute

If you encounter strange behavior with traceroute after you start implementing Zone Protection Profiles, make sure to UNCHECK the "Discard ICMP embedded with error message" box as marked below. Remember, your trace packets are sent with a TTL that increments by 1 with each hop probed. The router that decrements the TTL to 0 responds with an ICMP error message, and that response is what this option discards.



The first is the expected result of a normal traceroute. The second is the result WITH the box checked.



The PaloAlto is the second hop. Notice that the one to Google DNS does answer. It is a valid packet with no error in the response.
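Why only the intermediate hops go missing, as an added example (not from the original post and not Palo Alto code): the script parses three constructed ICMP replies and flags the ones that are error messages carrying the original probe. It assumes the checkbox drops every ICMP error type; the helper names and documentation-range addresses are illustrative.

```python
import struct

# ICMPv4 error types (RFC 792): each embeds the offending datagram's header.
ICMP_ERRORS = {3: "Destination Unreachable", 4: "Source Quench",
               5: "Redirect", 11: "Time Exceeded", 12: "Parameter Problem"}

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (odd-length input is zero-padded)."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes) -> bytes:
    """Build a checksummed ICMP message (only used for the constructed samples)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def ipv4_header(ttl: int, proto: int) -> bytes:
    """Constructed 20-byte IPv4 header: documentation addresses, checksum 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, ttl, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 53]))

def classify(icmp: bytes) -> dict:
    """Parse an ICMP message; for error types also read the embedded datagram."""
    if len(icmp) < 8 or checksum(icmp) != 0:
        raise ValueError("truncated ICMP message or bad checksum")
    info = {"type": icmp[0], "code": icmp[1], "embedded_ttl": None,
            "name": ICMP_ERRORS.get(icmp[0], "not an error"),
            # Assumption: the checkbox drops every ICMP error type.
            "discarded": icmp[0] in ICMP_ERRORS}
    if info["discarded"]:
        inner = icmp[8:]  # embedded IP header + first 8 bytes of the probe
        if len(inner) < 28 or inner[0] >> 4 != 4:
            raise ValueError("error message lacks an embedded IPv4 datagram")
        info["embedded_ttl"], info["embedded_proto"] = inner[8], inner[9]
    return info

# Constructed samples of what a traceroute client receives back.
ECHO_PROBE = build_icmp(8, 0, struct.pack("!HH", 0x1234, 2), b"")
SAMPLES = {
    "hop": build_icmp(11, 0, b"\x00" * 4, ipv4_header(1, 1) + ECHO_PROBE),
    "echo_reply": build_icmp(0, 0, struct.pack("!HH", 0x1234, 3), b"constructed"),
    "udp_port_unreachable": build_icmp(3, 3, b"\x00" * 4, ipv4_header(1, 17) + b"\x00" * 8),
}
if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, classify(msg))
```

The third sample is the reply a UDP-probe traceroute gets from its destination; under the same assumption it is an error message too, so the final hop answers only when the probes are ICMP echo requests.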
