Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mkhabbazi
Staff
Staff

Created on ‎08-24-2023 09:11 AM Edited on ‎06-06-2025 12:48 AM By Moderator

Article Id 270250

Technical Tip: Explaining traceroutes

Description

This article describes use of the traceroute command in FortiGate.
Scope FortiOS.
Solution

Any packets forwarded to the internet will pass through different routers. For each packet, one path to reach the destination will be selected. The FortiOS 'traceroute' command can provide some information about the likely path.

 

Examples:

 

In the traceroute output, the IP address of each hop and the response time are visible if a response was received.

 

execute traceroute 1.1.1.1

traceroute to 1.1.1.1 (1.1.1.1), 32 hops max, 3 probe packets per hop, 72 byte packets

 1  10.31.12.1  2.678 ms  2.544 ms  1.979 ms

 2  154.11.15.107  2.331 ms  3.235 ms  2.971 ms

 3  154.11.15.73 <qubcpqajdr02.bb.telus.com>  4.216 ms  19.313 ms  23.510 ms

 4  1.1.1.1 <one.one.one.one>  3.252 ms  2.992 ms  2.945 ms

 

Each '*' in the traceroute output represents one ICMP probe that received no response.

 

If there are three stars, then all three ICMP probes that were sent out had received no responses.

 

If the same output ('***') appears each time traceroute is run, the hop is not responding with ICMP messages. This may be expected or may be the result of a temporary overload, and does not by itself indicate an issue, particularly if routers later in the sequence do respond.

 

execute traceroute harvard.edu

traceroute to harvard.edu (151.101.194.133), 32 hops max, 3 probe packets per hop, 72 byte packets

 1  10.31.12.1  2.966 ms  2.809 ms  2.979 ms

 2  154.11.6.192  15.983 ms  19.186 ms  14.981 ms

 3  * * *

 4  151.101.194.133 <harvard.edu>  16.532 ms  16.722 ms  14.887 ms

 
In the third traceroute, responses are received until step 2, but nothing is received afterwards. This may indicate a routing issue at 154.11.15.111 or one later in the path. It may also indicate a large sequence of routers that are configured not to respond with ICMP messages.

execute traceroute 2.2.2.2

traceroute to 2.2.2.2 (2.2.2.2), 32 hops max, 3 probe packets per hop, 72 byte packets

 1  10.31.12.1  2.863 ms  2.883 ms  2.988 ms

 2  154.11.15.111  7.361 ms  14.821 ms  10.321 ms

 3  * * *

 4  * * *

 5  * * *

 6  * * *


If a traceroute returns '!H', this indicates that the router returned an ICMP 'destination unreachable' message. Typically, this occurs when the remote router has no valid route to forward the traffic further.

execute traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 32 hops max, 3 probe packets per hop, 84 byte packets
1 10.10.10.1 63.376 ms !H 1089.821 ms !H 2999.721 ms !H

 

If IPv6 is enabled in the FortiGate's feature visibility settings and an IPv6 address is configured on an interface, it is possible to traceroute IPv6 destination addresses using the command below:

 

   execute tracert6 ?
      arg     please input args

 

   execute tracert6 2001:db8:a0b:13e0::6
   tracert6 to 2001:db8:a0b:13e0::6 (2001:db8:a0b:13e0::6), 30 hops max, 40/8 byte payload/paddata
    1 * * *
    2 * * *

 

Related article:

Troubleshooting Tip: Using traceroute options from FortiGate CLI 
2418
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.