topic Re: Strict IP Address Check after 9.1.12 in General Topics

Strict IP Address Check after 9.1.12

nikoo — Mon, 24 Jan 2022 08:04:28 GMT

Customer upgraded to 9.1.12 and after that it was noticed that for some of the zones, traffic was dropped. During debug,it was concluded that reason is Strict IP Address Check in the Zone Protection Profile:

"flow_dos_pf_strictip 1 0 drop flow dos Packets dropped: Zone protection option 'strict-ip-check'"

In the 9.1.12 release notes it is noted:

PAN-175934

Fixed an issue where packed-based zone protection settings (such as Strict IP Address Check) were not applied to return traffic.

So one may think it is a bug that was fixed and customer has his routing table messed up, but after checking - routing seems to be fine. Traffic was dropped even from outside interface (with default route) to GlobalProtect interface which is loopback on the device. Same for Outside <-> DMZ traffic, which is directly connected interface, so essentially no dynamic/static routing is done there.

Behavior can be confirmed and reproduced by turning on and off strict IP check in the zone protection profile.

Can anyone confirm this? Checking before opening TAC case.

Edit a bit later: PBR is not configured.

Re: Strict IP Address Check after 9.1.12

Ben-Price — Thu, 27 Jan 2022 01:18:33 GMT

Hi @nikoo,

I have just run into the same issue when going along the upgrade path to 10.1.3, when we hit 9.1.12, GP VPN and IPsec VPN both broke. Turned off 'strict-IP-check' on the internet zone protection profile and both VPNs are working again. Haven't re-tested on 10.1.3 as yet.

Only thing I noticed was our local VPN IP address is on a loopback address in the internet zone, the below KB article seems to suggest that 'strict-IP-check' can cause an issue with loopback addresses, in saying that not sure why it only just became a problem with 9.1.12.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U3FCAU

Did you end up raising this with PA support? or find a solution here?

Re: Strict IP Address Check after 9.1.12

nikoo — Thu, 27 Jan 2022 07:55:14 GMT

Hi @Ben-Price,

I noted that article as well, but my understanding loopback address was mean to be 127.0.0.1 given the context along with broadcast, network, etc. addresses. Not sure if my guess was correct, though.

Currently I have not opened a case, would still like to check the effect on traffic passing via the firewall - as that was seen in the customer case as well, so it did not seem to be related to Palo Alto assigned IPs only. Was hoping that someone from PA may confirm this behavior as that would mean less guessing and poking around.

As for now left the workaround - strict IP check disabled.

Re: Strict IP Address Check after 9.1.12

Ben-Price — Thu, 27 Jan 2022 22:22:57 GMT

@nikoo OK thanks for the feedback, I think you might be right regarding the meaning of loopback address outlined.

@BPry Are you able to comment here on the above issue me and @nikoo have experienced?

Re: Strict IP Address Check after 9.1.12

JesseCurtis2020 — Wed, 02 Feb 2022 20:06:26 GMT

Experiencing similar behavior. Suddenly traffic across a WPN was being dropped and did not even have a ZPP on it. Running 9.1.12.

Followed this KB to find it which was helpful. Unchecked strict IP check and returned to normal.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS

Re: Strict IP Address Check after 9.1.12

Ben-Price — Wed, 02 Feb 2022 22:06:04 GMT

@nikoo @JesseCurtis2020 My client has updated there firewall to PAN OS 10.1.3. I have asked them to re-enabled the strict IP check and see if the issue remains on that version.

Re: Strict IP Address Check after 9.1.12

nikoo — Thu, 03 Feb 2022 06:31:55 GMT

@JesseCurtis2020, ZPP most likely was assigned to public interface, as I had similar behavior with VPN traffic being dropped and sounds like the same issue, yeah.

@Ben-Price, that can be good to know for future reference. In my case though customer is running PA-3xxx series, so no possibility to go above 9.1.

Re: Strict IP Address Check after 9.1.12

JesseCurtis2020 — Thu, 03 Feb 2022 14:23:25 GMT

>ZPP most likely was assigned to public interface,

Yes, this was the case and what I figured as well.

Re: Strict IP Address Check after 9.1.12

Ben-Price — Mon, 21 Feb 2022 22:15:15 GMT

@nikoo @JesseCurtis2020 This has been identified as a bug and PA have now updated the PAN OS 9.1.12 known issues documentation outlining the bug (PAN-186937).

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-release-notes/pan-os-9-1-release-information/known-issues/known-issues-related-to-pan-os-9-1-releases/pan-os-9-1-12-known-issues.html