Inside the FortiGate Traceroute: A Comprehensive Guide for Network Engineers
In the complex ecosystem of enterprise network security, the ability to verify the exact path traffic takes is not just a convenience—it is a critical operational necessity. For administrators managing Fortinet’s FortiGate firewalls, the traceroute command remains one of the most potent weapons in the troubleshooting arsenal. Unlike a standard ping, which merely confirms or denies connectivity, traceroute reveals the skeleton of the network, hop by hop.
This article provides a definitive look at how to execute, customize, and troubleshoot traceroute operations on FortiGate platforms.
The Fundamentals: Executing a Standard Traceroute
At its most basic level, initiating a traceroute from a FortiGate is executed entirely within the Command Line Interface (CLI). As confirmed by the official Fortinet Cookbook, the syntax is remarkably straightforward.
The Core Command:
```
execute traceroute <destination>
```
The destination can be either an IP address or a fully qualified domain name (FQDN).
Example Output:
```
execute traceroute www.fortinet.com
traceroute to www.fortinet.com (66.171.121.34), 32 hops max, 84 byte packets
 1  172.20.120.2  0.637 ms  0.653 ms  0.279 ms
 2  209.87.254.221  2.448 ms  2.519 ms  2.458 ms
...
```
When an FQDN is used, the FortiGate performs a DNS lookup immediately. If the resolution fails, the traceroute aborts, providing an instant diagnostic indicator of DNS health.
Advanced Configuration: The execute traceroute-options Command
Standard traceroute commands utilize default settings (typically three probes per hop, auto-selected outgoing interface, and default source IP). However, FortiOS offers a powerful pre-configuration tool that is often overlooked by junior administrators: execute traceroute-options.
According to technical deep-dives from travelingpacket.com and validated against Fortinet CLI structures, this options menu allows engineers to manipulate the behavior of the trace before execution.
Accessing the Options Menu:
```
execute traceroute-options
```
Key Configurable Parameters:
| Parameter | Function | Typical Use Case |
|---|---|---|
| device | Bind the trace to a specific outgoing interface (e.g., port1, ssl.root) | Forcing traffic over a specific VPN tunnel or WAN link |
| source | Set a specific source IP address | Simulating traffic from a particular subnet behind the firewall |
| queries | Define the number of probe packets per hop | Increasing accuracy (default is 3) |
| view-settings | Display current configurations | Verification prior to execution |
Workflow Example:
```
Fortigate-Firewall# execute traceroute-options source 192.168.1.1
Fortigate-Firewall# execute traceroute-options device port2
Fortigate-Firewall# execute traceroute-options view-settings
```
Critical Note: These settings are persistent. After completing a diagnostic trace, it is best practice to reset these parameters to "Auto" to prevent misdirection of future troubleshooting.
Platform Differentiation: FortiGate vs. FortiADC
Engineers managing hybrid Fortinet environments must note a distinct syntax variation. While FortiGate utilizes the execute traceroute command, the FortiADC platform uses a similar but distinct structure.
FortiADC Syntax:
```
execute traceroute {<hostname> | <ipaddress>}
```
The underlying mechanism remains ICMP-based, but the output formatting and hop limit defaults differ slightly.
The Security Paradox: Why Traceroute Fails (And How to Fix It)
One of the most prevalent issues discussed in the Fortinet Community forums involves scenarios where "ping works, but traceroute does not." This is not a bug; it is a feature of strict stateful inspection.
The Root Cause
Standard Linux/Unix traceroute utilizes UDP datagrams with high destination ports (starting at 33434). Conversely, Windows tracert utilizes ICMP echo requests. FortiGate security policies are often configured to permit ICMP (ping) but deny the high-port UDP traffic required for traditional traceroute.
The Solution
To allow full traceroute functionality through the firewall (as opposed to from the firewall itself), administrators must explicitly define the appropriate service.
Policy Configuration:
- Navigate to Policy & Objects > IPv4 Policy.
- Create or edit a policy between the relevant interfaces.
- In the Service field, add TRACEROUTE (UDP 33434-33534).
- Alternatively, for Windows compatibility, ensure ICMP is also permitted.
Source: Fortinet Community Thread (Enable traceroute between interfaces)
Diagnostic Tip: If traceroute returns nothing but asterisks (* * *), enable logging on the implicit deny policy or run a packet sniffer directly on the FortiGate:
```
diagnose sniffer packet any 'host <SOURCE_IP> and host <DEST_IP>' 4
```
This reveals whether the packets are arriving at the FortiGate and, crucially, whether they are being forwarded or dropped.
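The Root Cause and Solution sections above can be checked as a model. This is an added example, not FortiOS or Fortinet code: it generates the probe packets a Unix-style UDP traceroute and a Windows ICMP tracert would send, then evaluates them against a policy Service field with and without the TRACEROUTE (UDP 33434-33534) object. It assumes the classic traceroute behaviour of starting at destination port 33434 and incrementing the port by one for every probe; whether the FortiGate's own traceroute increments ports identically is not stated on this page.

```python
from dataclasses import dataclass

UDP_BASE_PORT = 33434  # first destination port used by classic Unix traceroute

@dataclass(frozen=True)
class Probe:
    proto: str  # "udp" or "icmp"
    dport: int  # destination port (0 for ICMP echo)
    ttl: int    # hop at which this probe is meant to expire

# Service objects as a FortiGate policy would reference them (constructed here):
# ALL_ICMP covers ping and tracert, TRACEROUTE is the UDP 33434-33534 range from the article.
SERVICES = {
    "ALL_ICMP": ("icmp", 0, 0),
    "TRACEROUTE": ("udp", 33434, 33534),
}

def udp_probes(max_hops=32, queries=3):
    """Probes a Unix-style traceroute sends (assumed: port increments once per probe)."""
    return [Probe("udp", UDP_BASE_PORT + (ttl - 1) * queries + q, ttl)
            for ttl in range(1, max_hops + 1) for q in range(queries)]

def icmp_probes(max_hops=30, queries=3):
    """Probes Windows tracert sends: ICMP echo requests, no port involved."""
    return [Probe("icmp", 0, ttl)
            for ttl in range(1, max_hops + 1) for _ in range(queries)]

def policy_allows(probe, allowed_services):
    """Does a policy whose Service field lists allowed_services match this probe?"""
    for name in allowed_services:
        proto, lo, hi = SERVICES[name]
        if proto == probe.proto and (proto == "icmp" or lo <= probe.dport <= hi):
            return True
    return False

def first_blocked_hop(probes, allowed_services):
    """TTL of the first probe the policy denies, or None if the whole trace passes."""
    for p in probes:
        if not policy_allows(p, allowed_services):
            return p.ttl
    return None

if __name__ == "__main__":
    print("ping-only policy, UDP trace first denied at hop:",
          first_blocked_hop(udp_probes(), ["ALL_ICMP"]))           # 1
    print("ping-only policy, ICMP tracert first denied at hop:",
          first_blocked_hop(icmp_probes(), ["ALL_ICMP"]))          # None
    print("TRACEROUTE added, 32 hops x 3 queries first denied at hop:",
          first_blocked_hop(udp_probes(32, 3), ["ALL_ICMP", "TRACEROUTE"]))  # None
    print("TRACEROUTE added, 32 hops x 5 queries first denied at hop:",
          first_blocked_hop(udp_probes(32, 5), ["ALL_ICMP", "TRACEROUTE"]))  # 21
```

Under this model the 101-port TRACEROUTE range covers 32 hops at the default 3 queries (highest port 33529), but raising queries in traceroute-options to 5 pushes probes past 33534 from hop 21 onward, which would look like a mid-path stall rather than a policy problem.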
Comparing Native Traceroute: Windows, Linux, and FortiGate
Understanding the differences in native execution is vital for holistic network troubleshooting.
| Platform | Command | Default Protocol | Hop Limit | Notes |
|---|---|---|---|---|
| FortiGate | execute traceroute | UDP | 32 | Uses standard Linux-style method. |
| Windows | tracert | ICMP | 30 | Often works where UDP traces fail. |
| Linux | traceroute | UDP | 30 | Use traceroute -I for ICMP. |
If a UDP-based traceroute from a FortiGate is being blocked by an intermediate router, performing the trace from a Windows PC (using ICMP) may successfully map the path.
Best Practices and Operational Security
While traceroute is a diagnostic tool, it is also a reconnaissance tool. Fortinet documentation explicitly advises keeping unnecessary ports disabled when not in use.
The "Just-in-Time" Approach:
- Do not permanently enable the TRACEROUTE service in policies.
- Enable the service temporarily during outage windows.
- Disable or remove the service immediately upon resolution of the incident.
This minimizes the attack surface while maintaining operational agility.
Frequently Asked Questions (FAQ)
What is the difference between exec ping and exec traceroute on a FortiGate?
Ping measures latency and packet loss between two points. Traceroute measures the path and latency to each individual router hop along the route to the destination. Ping uses ICMP exclusively; FortiGate traceroute uses UDP by default.
My traceroute shows the first hop (my gateway) but then all subsequent hops time out. Why?
This usually indicates that an intermediate router is dropping the high-port UDP probes, or that it rate-limits or deprioritizes generating the ICMP Time Exceeded replies it owes when the TTL expires. It can also indicate a routing loop or a silent drop on the return path. Try the trace from a Windows machine using ICMP (tracert) as a comparison.
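As an added example (not FortiGate code), a small parser for the output format shown in the Example Output section that also classifies the "gateway answers, then only asterisks" pattern described in this answer. Both sample traces are constructed in that format, reusing the hop lines from the article; the classification rule (stalled if every hop from the first silent one onward is silent) is an assumption of this example.

```python
import re

# Constructed sample outputs in the FortiGate traceroute format shown earlier.
TRACE_STALLED = """\
traceroute to www.fortinet.com (66.171.121.34), 32 hops max, 84 byte packets
 1  172.20.120.2  0.637 ms  0.653 ms  0.279 ms
 2  209.87.254.221  2.448 ms  2.519 ms  2.458 ms
 3  * * *
 4  * * *
"""
TRACE_COMPLETE = """\
traceroute to 66.171.121.34 (66.171.121.34), 32 hops max, 84 byte packets
 1  172.20.120.2  0.637 ms  0.653 ms  0.279 ms
 2  209.87.254.221  2.448 ms  2.519 ms  2.458 ms
 3  66.171.121.34  5.112 ms  5.087 ms  5.301 ms
"""
HEADER_RE = re.compile(r"traceroute to \S+ \((\d+\.\d+\.\d+\.\d+)\), (\d+) hops max")
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)(.*)$")   # ttl, first token, remainder
RTT_RE = re.compile(r"(\d+(?:\.\d+)?) ms")

def parse_traceroute(text):
    """Return (destination_ip, max_hops, {ttl: (responder_or_None, [rtts_ms])})."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = HEADER_RE.search(lines[0])
    if not header:
        raise ValueError("not a FortiGate traceroute header")
    hops = {}
    for line in lines[1:]:
        m = HOP_RE.match(line)
        if not m:            # skips trailing "..." and other non-hop lines
            continue
        ttl, first, rest = int(m.group(1)), m.group(2), m.group(3)
        responder = None if first == "*" else first
        hops[ttl] = (responder, [float(x) for x in RTT_RE.findall(rest)])
    return header.group(1), int(header.group(2)), hops

def diagnose(text):
    """Classify a trace: complete, stalled after hop N (only timeouts follow), or incomplete."""
    dest_ip, _max_hops, hops = parse_traceroute(text)
    if not hops:
        return "no hops"
    last = max(hops)
    if hops[last][0] == dest_ip:
        return "complete"
    silent = [t for t in sorted(hops) if hops[t][0] is None and not hops[t][1]]
    if silent and all(hops[t][0] is None for t in hops if t >= silent[0]):
        return f"stalled after hop {silent[0] - 1}"
    return "incomplete"
```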
Can I change the TTL or port used by the FortiGate traceroute?
The standard execute traceroute command does not allow for immediate flag changes (e.g., -p 80). However, you can manipulate the behavior indirectly by using execute traceroute-options to set the source and interface. For specific port manipulation, you would typically use a different tool like execute ssh or generate traffic via a policy.
Do I need a specific license to run traceroute?
No. The execute commands are part of the base FortiOS firmware and do not require FortiGuard or Security Fabric licenses.
Why does the FortiADC traceroute look different than my FortiGate?
FortiADC is a separate application delivery operating system. While both use the execute traceroute verb, the output formatting and maximum hop defaults (30 for ADC vs 32 for FortiGate) are hardcoded differently for their specific hardware purposes.
Summary
The FortiGate traceroute engine is a robust, highly configurable diagnostic utility. Successfully utilizing it requires more than typing execute traceroute. It requires an understanding of the traceroute-options menu, the security policies governing UDP/33434-33534, and the fundamental protocol differences between the source (FortiGate) and the targets it attempts to reach.
By mastering these commands and their underlying mechanics, network security engineers can significantly reduce the mean time to resolution (MTTR) for complex routing and black-hole scenarios.