https://live.paloaltonetworks.com/t5/general-topics/spoofed-ip-address-zone-protection-of-vwire/m-p/50950#M37495 <HTML><HEAD></HEAD><BODY><P>Would it?</P><P></P><P>Cant you through zones define which networks are expected on which end of the vwire?</P><P></P><P>Perhaps it needs a feature request similar to how vwire filters 802.1Q tagged vlans.</P></BODY></HTML> Thu, 01 Aug 2013 19:43:31 GMT mikand 2013-08-01T19:43:31Z https://live.paloaltonetworks.com/t5/general-topics/spoofed-ip-address-zone-protection-of-vwire/m-p/50944#M37489 <HTML><HEAD></HEAD><BODY><P>Dear,</P><P></P><P>We have created a zone protection profile with protection against "Spoofed IP address".</P><P>We have put this protection profile on a vwire interface.</P><P>Question:</P><P>What will happen since a vwire interface has no IPs?</P><P>Will this "feature" be ignored, or what will happen / how can we configure this to apply the protection?</P><P></P><P>KR</P></BODY></HTML> Thu, 01 Aug 2013 13:17:06 GMT https://live.paloaltonetworks.com/t5/general-topics/spoofed-ip-address-zone-protection-of-vwire/m-p/50944#M37489 mr.linus 2013-08-01T13:17:06Z https://live.paloaltonetworks.com/t5/general-topics/spoofed-ip-address-zone-protection-of-vwire/m-p/50945#M37490 <HTML><HEAD></HEAD><BODY><P>Hi Linus,</P><P>As the vwire interfaces dont have an IP address, they wouldnt be subjected to IP spoofed attacks. But if you want to protect the servers behind the vwire interfaces, you can deploy a DoS Protection policy with a DoS protection profile, which includes protection for the IP spoof attacks as well.</P><P></P><P>Best regards,</P><P>Karthik&nbsp; </P></BODY></HTML> Thu, 01 Aug 2013 13:29:08 GMT https://live.paloaltonetworks.com/t5/general-topics/spoofed-ip-address-zone-protection-of-vwire/m-p/50945#M37490 kprakash 2013-08-01T13:29:08Z https://live.paloaltonetworks.com/t5/general-topics/spoofed-ip-address-zone-protection-of-vwire/m-p/50946#M37491 <HTML><HEAD></HEAD><BODY><P>Hi Linus,</P><P>I just verified that the DoS Protection profile doesnt support checking for Spoofed IPs. The firewall can detect an IP address as being spoofed, if it sees the packet on a different interface than the one for which it has learnt the route for. As there is no routing information per se on the vwire interfaces, the PANFW, ignores the route checks for the source and the destination IP addresses, and hence ignores the IP spoof check for these packets.</P><P></P><P>BR,</P><P>Karthik RP</P></BODY></HTML> Thu, 01 Aug 2013 13:56:57 GMT https://live.paloaltonetworks.com/t5/general-topics/spoofed-ip-address-zone-protection-of-vwire/m-p/50946#M37491 kprakash 2013-08-01T13:56:57Z https://live.paloaltonetworks.com/t5/general-topics/spoofed-ip-address-zone-protection-of-vwire/m-p/50947#M37492 <HTML><HEAD></HEAD><BODY><P>seems logical, but is there a way we can add IP information to the vwires so we can use this feature?</P><P>I know that when we create sub-vwire-interfaces we can use classifiers, would this be an option?</P></BODY></HTML> Thu, 01 Aug 2013 14:20:23 GMT https://live.paloaltonetworks.com/t5/general-topics/spoofed-ip-address-zone-protection-of-vwire/m-p/50947#M37492 mr.linus 2013-08-01T14:20:23Z https://live.paloaltonetworks.com/t5/general-topics/spoofed-ip-address-zone-protection-of-vwire/m-p/50948#M37493 <HTML><HEAD></HEAD><BODY><P>No Mr.linus,</P><P>that would break the concept of using a vwire. but I would recommend converting the vwire interfaces to layer 3 interfaces, unless there is a company norm for you to use vwire interfaces. </P><P></P><P>Best regards,</P><P>Karthik RP</P></BODY></HTML> Thu, 01 Aug 2013 14:34:58 GMT https://live.paloaltonetworks.com/t5/general-topics/spoofed-ip-address-zone-protection-of-vwire/m-p/50948#M37493 kprakash 2013-08-01T14:34:58Z https://live.paloaltonetworks.com/t5/general-topics/spoofed-ip-address-zone-protection-of-vwire/m-p/50949#M37494 <HTML><HEAD></HEAD><BODY><P>Alright, thanks for the info.</P></BODY></HTML> Thu, 01 Aug 2013 14:43:34 GMT https://live.paloaltonetworks.com/t5/general-topics/spoofed-ip-address-zone-protection-of-vwire/m-p/50949#M37494 mr.linus 2013-08-01T14:43:34Z https://live.paloaltonetworks.com/t5/general-topics/spoofed-ip-address-zone-protection-of-vwire/m-p/50950#M37495 <HTML><HEAD></HEAD><BODY><P>Would it?</P><P></P><P>Cant you through zones define which networks are expected on which end of the vwire?</P><P></P><P>Perhaps it needs a feature request similar to how vwire filters 802.1Q tagged vlans.</P></BODY></HTML> Thu, 01 Aug 2013 19:43:31 GMT https://live.paloaltonetworks.com/t5/general-topics/spoofed-ip-address-zone-protection-of-vwire/m-p/50950#M37495 mikand 2013-08-01T19:43:31Z