Make the Threat Defense Device Appear on Traceroutes

By default, the Threat Defense device does not appear on traceroutes as a hop. To make it appear, you need to decrement the time-to-live on packets that pass through the device, and increase the rate limit on ICMP unreachable messages. To accomplish this, you must configure a service policy rule and adjust the ICMP platform settings policy.

Note

If you decrement time to live, packets with a TTL of 1 will be dropped, but a connection will be opened for the session on the assumption that the connection might contain packets with a greater TTL. Note that some packets, such as OSPF hello packets, are sent with TTL = 1, so decrementing time to live can have unexpected consequences. Keep these considerations in mind when defining your traffic class.

Procedure
Step 1

Create the extended ACL that defines the traffic class for which to enable traceroute reporting.

For example, to define a traffic class for all addresses, but excluding OSPF traffic, do the following:

  1. Choose Objects > Object Management.

  2. Choose Access List > Extended from the table of contents.

  3. Click Add Extended Access List.

  4. Enter a Name for the object, for example, traceroute-enabled.

  5. Click Add to add a rule to exclude OSPF.

  6. Change the action to Block, click Port, select OSPFIGP (89) as the protocol beneath the Destination Ports list, and click Add to add the protocol to the selected list.

  7. Click Add on the Extended Access List Entry dialog box to add the OSPF rule to the ACL.

  8. Click Add to add a rule to include all other connections.

  9. Keep Allow for the action, and leave both the Source and Destination lists empty.

  10. Click Add on the Extended Access List Entry dialog box to add the rule to the ACL.

    Ensure that the OSPF deny rule is above the Allow Any rule. Drag and drop to move the rules if necessary.

  11. Click Save on the Extended Access List Object dialog box to save the ACL object.

Step 2

Configure the service policy rule that decrements the time-to-live value.

For example, to decrement time-to-live globally, do the following:

  1. Choose Policies > Access Control, and edit the policy assigned to the devices that require this service.

  2. Click Advanced Settings from the More drop-down arrow at the end of the packet flow line, and click Edit (edit icon) for the Threat Defense Service Policy.

  3. Click Add Rule.

  4. Select Apply Globally and click Next.

  5. Select the extended ACL object you created for this rule and click Next.

  6. Select Enable Decrement TTL.

  7. (Optional.) Adjust the other connection options as needed.

  8. Click Finish to add the rule. If necessary, drag and drop the rule to the desired position in the service policy.

  9. Click OK to save the changes to the service policy.

  10. Click Save on Advanced to save the changes to the access control policy.

    You can now deploy the changes to the affected devices.

Step 3

Increase the rate limit on ICMP unreachable messages.

  1. Choose Devices > Platform Settings.

  2. If you already have a policy assigned to the devices, edit it. Otherwise, create a new Threat Defense platform settings policy and assign it to the affected devices.

  3. Select ICMP from the table of contents.

  4. Increase the Rate Limit, for example, to 50. You might also want to increase the Burst Size, for example, to 10, to ensure enough responses are generated within the rate limit.

    You can leave the ICMP rules table empty; it is not related to this task.

  5. Click Save.

Step 4

You can now deploy the changes to the affected devices.
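After deployment, you can confirm that the three settings from this procedure reached the device by inspecting its running configuration. The following script is an added example and is not part of this guide or of Cisco's software; it checks a configuration excerpt for the OSPF deny entry sitting above the permit-any entry, for decrement-ttl applied to the class that matches that ACL, and for a raised ICMP unreachable rate limit. The sample configuration, the object name traceroute-enabled, the class-map name, and the assumption that the GUI settings take the usual ASA-style CLI form (access-list ... extended, set connection decrement-ttl, icmp unreachable rate-limit) are all constructed for illustration; replace SAMPLE_CONFIG with the output of show running-config from your own device.

```python
"""Check an FTD running configuration for the traceroute-visibility settings.

The configuration text below is a constructed sample showing the CLI form the
GUI procedure is assumed to produce; it is not captured device output.
"""
import re

# Constructed sample: ACL with OSPF excluded first, decrement-ttl applied to the
# class that matches it, and the ICMP unreachable rate limit raised to 50/10.
SAMPLE_CONFIG = """\
access-list traceroute-enabled extended deny ospf any any
access-list traceroute-enabled extended permit ip any any
class-map traceroute-enabled_class
 match access-list traceroute-enabled
policy-map global_policy
 class traceroute-enabled_class
  set connection decrement-ttl
icmp unreachable rate-limit 50 burst-size 10
"""

# Constructed sample with the ACL entries in the wrong order: the permit-any
# entry shadows the OSPF deny, so OSPF hellos (TTL = 1) would be decremented.
MISORDERED_CONFIG = SAMPLE_CONFIG.replace(
    "access-list traceroute-enabled extended deny ospf any any\n"
    "access-list traceroute-enabled extended permit ip any any\n",
    "access-list traceroute-enabled extended permit ip any any\n"
    "access-list traceroute-enabled extended deny ospf any any\n",
)


def acl_entries(config, acl_name):
    """Return (action, protocol) tuples of an extended ACL in configuration order."""
    pat = re.compile(
        rf"^access-list {re.escape(acl_name)} extended (deny|permit) (\S+)", re.M
    )
    return pat.findall(config)


def ospf_denied_before_permit_any(config, acl_name):
    """True when a 'deny ospf' entry precedes the 'permit ip' catch-all entry."""
    entries = acl_entries(config, acl_name)
    deny_idx = next(
        (i for i, (act, proto) in enumerate(entries) if (act, proto) == ("deny", "ospf")), None
    )
    permit_idx = next(
        (i for i, (act, proto) in enumerate(entries) if (act, proto) == ("permit", "ip")), None
    )
    return deny_idx is not None and permit_idx is not None and deny_idx < permit_idx


def class_map_acls(config):
    """Map each class-map name to the access list it matches."""
    mapping, current = {}, None
    for line in config.splitlines():
        if line and not line.startswith(" "):
            # A non-indented line starts a new top-level section.
            m = re.match(r"^class-map (\S+)", line)
            current = m.group(1) if m else None
            continue
        m = re.match(r"^ match access-list (\S+)", line)
        if m and current:
            mapping[current] = m.group(1)
    return mapping


def decrement_ttl_applies_to(config, acl_name):
    """True when a policy-map class that matches acl_name sets decrement-ttl."""
    acls = class_map_acls(config)
    current = None
    for line in config.splitlines():
        m = re.match(r"^ class (\S+)", line)
        if m:
            current = m.group(1)
        elif line.strip() == "set connection decrement-ttl" and acls.get(current) == acl_name:
            return True
    return False


def icmp_unreachable_limits(config):
    """Return (rate_limit, burst_size); (1, 1) is the assumed default when unset."""
    m = re.search(r"^icmp unreachable rate-limit (\d+) burst-size (\d+)", config, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else (1, 1)


def check_traceroute_visibility(config, acl_name, min_rate=50):
    """Run all three checks and return their results as a dict of booleans."""
    rate, _burst = icmp_unreachable_limits(config)
    return {
        "ospf_excluded_first": ospf_denied_before_permit_any(config, acl_name),
        "decrement_ttl": decrement_ttl_applies_to(config, acl_name),
        "icmp_rate_raised": rate >= min_rate,
    }


if __name__ == "__main__":
    print(check_traceroute_visibility(SAMPLE_CONFIG, "traceroute-enabled"))
    print(check_traceroute_visibility(MISORDERED_CONFIG, "traceroute-enabled"))
```

The ordering check matters because of the note at the top of this page: if the permit-any entry ends up above the OSPF deny, OSPF hello packets sent with TTL = 1 fall into the decrement class and are dropped.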