How does the USG firewall use the tracert command?


On the USG2000, USG5000 and USG6000, the tracert command is used as follows:
Run the tracert command on the client to detect where the network has failed.

The following is an example of applying tracert to analyze the network.

Traceroute to (, 30 hops max, 56 byte packet
1 19 ms 19 ms 0 ms
2 39 ms 39 ms 19 ms
3 39 ms 40 ms 39 ms
4 39 ms 39 ms 39 ms
5 40 ms 59 ms 59 ms
6 59 ms 59 ms 59 ms
7 99 ms 99 ms 80 ms
8 139 ms 239 ms 319 ms
9 220 ms 199 ms 199 ms
10 239 ms 239 ms 239 ms
The output above lists the IP address of each gateway traversed from the source to the destination. If an intermediate gateway times out, "***" is returned for that hop, and this information is used to locate the failure.

Can the USG firewall be traversed by the tracert command?
1. Tracert to the firewall itself: the packet filter must permit the ICMP or UDP packets destined for the firewall's Local zone. If tracert uses ICMP packets, you also need to run the ip unreachables enable command so that the firewall sends ICMP destination unreachable packets.
2. Tracert forwarded through the firewall:
   A. Permit the ICMP or UDP packets to pass through the firewall in the packet filter.
   B. Enable the ICMP timeout packet function (command: ip ttl-expires enable).
   C. Disable the tracert packet attack defense function (command: undo firewall defend tracert enable).
Description: The UDP ports used by tracert are 33434 for the first hop, 33435 for the second hop, 33436 for the third hop, and so on (the port is 33434 + N - 1, where N is the hop count).
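The mechanics described above (a probe per hop, the 33434 + N - 1 UDP port rule, and "***" for a hop that does not answer), as an added example that is not part of the original page: a small Python parser for tracert output that computes each hop's UDP probe port, reports the first hop that went silent, and names the ICMP message (Time Exceeded from an intermediate hop, Port Unreachable from the destination) that the device at that hop must be permitted to send for it to appear in the output. The sample output and its addresses are constructed.

```python
import re

BASE_PORT = 33434  # UDP port of the first probe; hop N uses 33434 + N - 1

def probe_port(hop):
    """UDP destination port tracert uses for hop N (the 33434 + N - 1 rule)."""
    if hop < 1:
        raise ValueError("hop numbers start at 1")
    return BASE_PORT + hop - 1

def required_icmp(hop, last_hop):
    """(type, code) of the ICMP reply a hop must be allowed to send: Time Exceeded
    (11, 0) for intermediate hops, Port Unreachable (3, 3) from the destination."""
    return (3, 3) if hop == last_hop else (11, 0)

def parse_tracert(text):
    """Parse 'N  ip  t1 ms  t2 ms  t3 ms' (or 'N  * * *') lines into hop records."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)$", line)
        if not m:          # header line such as 'Traceroute to ...'
            continue
        hop, rest = int(m.group(1)), m.group(2)
        ip = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", rest)
        hops.append({
            "hop": hop,
            "ip": ip.group(0) if ip else None,
            "rtts_ms": [int(x) for x in re.findall(r"(\d+)\s*ms", rest)],
            "timeouts": rest.count("*"),          # probes that got no reply
            "udp_port": probe_port(hop),
        })
    return hops

def first_silent_hop(hops):
    """First hop that answered none of its probes ('* * *'), or None if all replied."""
    for h in hops:
        if not h["rtts_ms"]:
            return h["hop"]
    return None

# Constructed sample output using documentation addresses (not taken from the page):
SAMPLE = """Traceroute to 198.51.100.20 (198.51.100.20), 30 hops max, 56 byte packet
 1 192.0.2.1 19 ms 19 ms 0 ms
 2 192.0.2.9 39 ms 39 ms 19 ms
 3 * * *
 4 203.0.113.5 40 ms * 59 ms
 5 198.51.100.20 59 ms 59 ms 59 ms
"""
```

Calling parse_tracert(SAMPLE) and first_silent_hop on the result points at hop 3, the device that would need the timeout-packet and attack-defense settings above to answer.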

Use the USG firewall ping command.
The USG2000 & 5000 & 6000 ping command is explained and used as follows:
The ping (Packet Internet Groper) command is the most common debugging tool for checking whether a network device is reachable. It uses ICMP (ICMPv6 for IPv6) echo messages to determine:
1. Whether the remote device is reachable.
2. The round-trip delay of communication with the remote host.
3. The packet loss rate.
The ping command is mainly used to check whether the network connection and the host are reachable.
Example: check whether the host with a given IP address is reachable.
ping
Ping 56 data bytes, press CTRL_C to break
Reply from bytes = 56 sequence = 1 ttl = 255 time = 1ms
Reply from bytes = 56 sequence = 2 ttl = 255 time = 2ms
Reply from bytes = 56 sequence = 3 ttl = 255 time = 1ms
Reply from bytes = 56 sequence = 4 ttl = 255 time = 3ms
Reply from bytes = 56 sequence = 5 ttl = 255 time = 2ms
--- ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0% packet loss
Round-trip min / avg / max = 1/2/3 ms

What if the firewall's IP address is not displayed when using tracert?
Run the ip ttl-expires enable command. After the firewall receives an ICMP packet from the Windows host whose TTL has reached 0, it replies with a timeout packet, and the firewall's IP address then appears in the tracert output on the Windows host.

Reason why the firewall does not display the IP address in the tracert output
Using CLI commands in the system view, execute:
- icmp ttl-exceeded send: by default an interface is disabled from sending ICMP Time Exceeded messages; this command enables it.
- icmp host-unreachable send: enables sending ICMP host-unreachable packets.
- undo firewall defend tracert enable: if the firewall defend tracert enable command is configured, the firewall discards ICMP timeout packets, UDP timeout packets and destination port unreachable packets, so the hop never shows up.

