Technical Note: TCP traceroute behavior in Proxy mode

jgillies01 · ‎09-13-2019

Description
While performing a tcp traceroute on a traffic inspected by profile in proxy mode you might get unexpected results.
The following command will perform the traceroute with TCP protocol on port 80.

user@kvm03:~$ sudo traceroute -q 1 -T -p 80 www.fortinet.com
traceroute to www.fortinet.com (13.56.33.144), 30 hops max, 60 byte packets
1 10.10.10.10 (10.10.10.10) 0.199 ms
2 ec2-13-56-33-144.us-west-1.compute.amazonaws.com (13.56.33.144) 0.174 ms
user@kvm03:~$

Actual path without proxy inspection:

user@kvm03:~$ sudo traceroute -q 1 -T -p 80 www.fortinet.com
traceroute to 13.56.33.144 (13.56.33.144), 30 hops max, 60 byte packets
1 10.10.10.10 (10.10.10.10) 0.840 ms
2 x.x.x.x (x.x.x.x) 0.773 ms
3 x.x.x.x (x.x.x.x) 1.393 ms
4 x.x.x.x (x.x.x.x) 2.723 ms
5 x.x.x.x (x.x.x.x) 9.799 ms
6 x.x.x.x (x.x.x.x) 12.712 ms
7 ffm-bb3-link.telia.net (80.91.254.102) 165.381 ms
8 prs-bb3-link.telia.net (62.115.123.13) 165.013 ms
9 ldn-bb4-link.telia.net (62.115.114.228) 166.391 ms
10 nyk-bb3-link.telia.net (62.115.112.244) 93.870 ms
11 sjo-b21-link.telia.net (213.155.130.129) 163.137 ms
12 a100row-ic-300117-sjo-b21.c.telia.net (213.248.87.118) 179.177 ms
13 54.240.242.28 (54.240.242.28) 167.594 ms
14 54.240.242.127 (54.240.242.127) 169.147 ms
15 205.251.229.158 (205.251.229.158) 163.044 ms
16 *
17 *
18 *
19 *
20 *
21 ec2-13-56-33-144.us-west-1.compute.amazonaws.com (13.56.33.144) 168.771 suser@kvm03:~$

This applies to following inspections configured in proxy mode: Web filter, Antivirus, Data Leak Prevention, Anti-Spam, VoIP, Web Application Firewall

Notes:
- IP addresses are intentionally obfuscated.
- The 10.10.10.10 is the internal IP of the FortiGate.

Solution
This is expected behavior. List of possible workarounds:

1) Use flow based mode
2) Use other port, that is not used in any proxy inspection profile
3) Use other protocol, that is not being proxied, e.g. UDP or ICMP