Allowing Traceroute to and through cOS Core

Last modified on 23 Aug, 2022. Revision 7
Allowing Traceroute to and through cOS Core
Up to date for
Supported since
Status OK

I want to let Traceroute through my Clavister Firewall, but it seems to be blocked per default. How can I let it through?
I got the traceroute traffic through, and adjusted the TTL, but I still don't get a reply from the Clavister (first few hops). How to fix that?


In order to let traceroute through the Firewall you need to change/enable two settings:

1. Under System->Advanced settings->IP Settings. Change the value for "TTL Min" from 3 to 1.
2. On the Service of your outgoing rule that allows ICMP, enable the "Forward ICMP errors" option.
2.1. Note: In older versions (10.x or older) this option was called "Pass returned ICMP error messages from destination"

Example of solution:

Add two IP Policies, the first policy to permit the Clavister itself to respond to the traceroute packets and the second to allow the traffic and permit the ICMP messages back to the machine performing the traceroute. These rules assumes that the IP of the Clavister Firewall is core routed (assigned to an interface or if it is an additional IP address on the interface that it is added by using a Core Route with Proxy ARP on the interface where it is added) see the following KB article ( or the admin guide for a description on how to do this.

The ping-outbound service already has the "Forward ICMP errors" feature enabled and the setting (1) in the Answer section above has been implemented.
1. Allow_Core_Ping LAN Lan_Net Core All-Nets ping-outbound
2. Allow_Traceroute LAN Lan_Net Wan All-Nets ping-outbound

Related articles

No related articles found.