Skip to content

The Palo Alto Networks security platform must block traceroutes and ICMP probes originating from untrusted networks (e.g., ISP and other non-DoD networks).

An XCCDF Rule

Description

<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can give configuration details about the network element. The traceroute utility will display routes and trip times on an IP network. An attacker can use traceroute responses to create a map of the subnets and hosts behind the boundary. The traditional traceroute relies on TTL - time exceeded responses from network elements along the path and an ICMP port-unreachable message from the target host. In some Operating Systems such as UNIX, trace route will use UDP port 33400 and increment ports on each response. Since blocking these UDP ports alone will not block trace route capabilities along with blocking potentially legitimate traffic on a network, it's unnecessary to block them explicitly. Because traceroutes typically rely on ICMP Type 11 - Time exceeded message, the time exceeded message will be the target for implicitly or explicitly blocking outbound from the trusted network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-228875r557387_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

Although the default inter-zone Security Policy will deny this traffic, a specific Security Policy should be used.

To configure the security policy:
Go to Policies >> Security
Select "Add".
In the "Security Policy Rule" window, complete the required fields.