https://live.paloaltonetworks.com/t5/next-generation-firewall/zone-protection-profile/m-p/996676#M5167 <P>Thank you for reply.</P><P>&nbsp;</P><P>So it means my reverse natting and server with public ip address in any zone would not be impact by packet based protection</P> Thu, 05 Dec 2024 09:11:15 GMT vishalrsshah 2024-12-05T09:11:15Z https://live.paloaltonetworks.com/t5/next-generation-firewall/zone-protection-profile/m-p/996559#M5162 <P>Hi All,</P><P>&nbsp;</P><P><SPAN>I'm planning to implement Zone protection on outside interfaces using&nbsp;</SPAN><SPAN>Strict IP Address Check" or only "Spoofed IP address" in the packet based attack protection of the zone protection profile. Does it drop legitimate traffic as per below points</SPAN></P><P>&nbsp;</P><P><SPAN>1) Configure static one to one Snat and vice versa for reverse natting</SPAN></P><P><SPAN>2)&nbsp;<SPAN>&nbsp;Does it impact if any one of my Server's (in Dmz) are in same public ip address range as my Outside interface</SPAN></SPAN></P> Wed, 04 Dec 2024 18:15:26 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/zone-protection-profile/m-p/996559#M5162 vishalrsshah 2024-12-04T18:15:26Z https://live.paloaltonetworks.com/t5/next-generation-firewall/zone-protection-profile/m-p/996560#M5163 <P>Hello,</P> <P>Please look bellow to see what checks are performed by the firewall when you activate&nbsp;"Spoofed IP address" and "Strict IP Address Check" in Zone Protection:</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004LnmCAE" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004LnmCAE</A>&nbsp;</P> Wed, 04 Dec 2024 18:31:21 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/zone-protection-profile/m-p/996560#M5163 CosminM 2024-12-04T18:31:21Z https://live.paloaltonetworks.com/t5/next-generation-firewall/zone-protection-profile/m-p/996570#M5165 <P>Hi,</P><P>&nbsp;</P><P>That I already gone through. Need to know what will be the impact as per my query&nbsp;</P> Wed, 04 Dec 2024 18:53:14 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/zone-protection-profile/m-p/996570#M5165 vishalrsshah 2024-12-04T18:53:14Z https://live.paloaltonetworks.com/t5/next-generation-firewall/zone-protection-profile/m-p/996571#M5166 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/326138">@vishalrsshah</a> ,</P> <P>&nbsp;</P> <P>You want to know if configuring the NGFW to drop spoofed packets will impact production traffic.&nbsp; Not is you enable "Spoofed IP address" only.&nbsp; As the URL posted by <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/197789">@CosminM</a> states, dropping spoofed packets relies on the routing table.&nbsp; If your routing is working fine, then IP spoof drops will work fine.&nbsp; The 2 examples that you mention route fine now.</P> <P>&nbsp;</P> <P>If you enable "Strict IP Address Check" then you may have production drops <U>if</U> you have asymmetric routing.</P> <P>&nbsp;</P> <P>I enable "Spoofed IP address" on all my NGFWs, and it works fine.&nbsp; I apply my Zone Protection Profile to all my interfaces.</P> <P>&nbsp;</P> <P>One thing that many people do not know is that these spoofed IP drops along with other packet-based drops are not logged by default.&nbsp; <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkr7CAA" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkr7CAA</A></P> <P>&nbsp;</P> <P>Here is a good article on troubleshooting spoofed IP drops.&nbsp; <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UuJCAU" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UuJCAU</A></P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Wed, 04 Dec 2024 19:01:51 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/zone-protection-profile/m-p/996571#M5166 TomYoung 2024-12-04T19:01:51Z https://live.paloaltonetworks.com/t5/next-generation-firewall/zone-protection-profile/m-p/996676#M5167 <P>Thank you for reply.</P><P>&nbsp;</P><P>So it means my reverse natting and server with public ip address in any zone would not be impact by packet based protection</P> Thu, 05 Dec 2024 09:11:15 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/zone-protection-profile/m-p/996676#M5167 vishalrsshah 2024-12-05T09:11:15Z https://live.paloaltonetworks.com/t5/next-generation-firewall/zone-protection-profile/m-p/996716#M5171 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/326138">@vishalrsshah</a> ,</P> <P>&nbsp;</P> <P>I cannot comment on specific configuration that I do not know in detail.</P> <P>&nbsp;</P> <P>If the routing is working correctly now, then "Spoofed IP address" packet protection will not break it.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 05 Dec 2024 11:38:04 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/zone-protection-profile/m-p/996716#M5171 TomYoung 2024-12-05T11:38:04Z