https://live.paloaltonetworks.com/t5/general-topics/source-zone-source-address/m-p/157565#M51665 <P>To be exact IP spoof attack is not detected by default but only if zone protection is applied to the zone and ip spoof checkbox checked (it is best practice to have it configured).</P> Sun, 21 May 2017 03:07:52 GMT Raido_Rattameister 2017-05-21T03:07:52Z https://live.paloaltonetworks.com/t5/general-topics/source-zone-source-address/m-p/157194#M51575 <P>If you enter a specific source zone but any for the source address what traffic is really allowed? Does is only allow addresses that are listed in the specified zone or is it truly any IP address?</P> Thu, 18 May 2017 14:45:39 GMT https://live.paloaltonetworks.com/t5/general-topics/source-zone-source-address/m-p/157194#M51575 jdprovine 2017-05-18T14:45:39Z https://live.paloaltonetworks.com/t5/general-topics/source-zone-source-address/m-p/157202#M51577 <P>Zone =&gt; Palo Interface (s) =&gt; any ip that Palo sees coming into this interface&nbsp;(s) is allowed.</P> Thu, 18 May 2017 15:10:32 GMT https://live.paloaltonetworks.com/t5/general-topics/source-zone-source-address/m-p/157202#M51577 TranceforLife 2017-05-18T15:10:32Z https://live.paloaltonetworks.com/t5/general-topics/source-zone-source-address/m-p/157210#M51579 <P>but you can limited the IP ranges inside the zone configuration can't you</P> Thu, 18 May 2017 15:49:38 GMT https://live.paloaltonetworks.com/t5/general-topics/source-zone-source-address/m-p/157210#M51579 jdprovine 2017-05-18T15:49:38Z https://live.paloaltonetworks.com/t5/general-topics/source-zone-source-address/m-p/157211#M51580 <P>Sure you can limit address based on single ip address, address groups or subnets etc.</P> Thu, 18 May 2017 15:57:32 GMT https://live.paloaltonetworks.com/t5/general-topics/source-zone-source-address/m-p/157211#M51580 TranceforLife 2017-05-18T15:57:32Z https://live.paloaltonetworks.com/t5/general-topics/source-zone-source-address/m-p/157240#M51587 <P>So it would be any of the IP addresses assigned in the specific Zone, not just any of all IP's</P> Thu, 18 May 2017 18:05:48 GMT https://live.paloaltonetworks.com/t5/general-topics/source-zone-source-address/m-p/157240#M51587 jdprovine 2017-05-18T18:05:48Z https://live.paloaltonetworks.com/t5/general-topics/source-zone-source-address/m-p/157241#M51588 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18719">@jdprovine</a>,</P><P>A good rule of thumb is to never use ANY as a source address unless you actually need to. For example your Trust zone rules should at the very least be limited to IP addresses that you actually assign from that zone.</P><P>Also to be clear, if you use ANY then it allows exactly that, you don't need to assign the IP to that zone for it to be allowed.&nbsp;</P> Thu, 18 May 2017 18:18:49 GMT https://live.paloaltonetworks.com/t5/general-topics/source-zone-source-address/m-p/157241#M51588 BPry 2017-05-18T18:18:49Z https://live.paloaltonetworks.com/t5/general-topics/source-zone-source-address/m-p/157262#M51590 <P>as&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;has mentioned already any means from anywhere, even from the&nbsp;different&nbsp;subnet. A good example is DNAT. You allow any ip&nbsp;from the lnternet to access your internal server. So in your policy, &nbsp;you configuring ANY as a source ip&nbsp;going to untrust zone. Let's say your untrust interface has 92.16.0.1/24 ip&nbsp;address assigned. ANY means any&nbsp;ip addresses, even outside of this subnet&nbsp;are allowed (e.g 84.8.9.1, 74.8.6.1 etc).</P> Thu, 18 May 2017 19:37:32 GMT https://live.paloaltonetworks.com/t5/general-topics/source-zone-source-address/m-p/157262#M51590 TranceforLife 2017-05-18T19:37:32Z https://live.paloaltonetworks.com/t5/general-topics/source-zone-source-address/m-p/157495#M51649 <P>these rules were migrated over from and ASA 5510 before I even got here, and I agree the fewer the any's the better. &nbsp;But if you have a range of IP's addressed to the Source Zone, doesn't the any under IP addresses only mean any of the IP's configured on the Zone?</P> Fri, 19 May 2017 19:26:52 GMT https://live.paloaltonetworks.com/t5/general-topics/source-zone-source-address/m-p/157495#M51649 jdprovine 2017-05-19T19:26:52Z https://live.paloaltonetworks.com/t5/general-topics/source-zone-source-address/m-p/157496#M51650 <P>No, a zone is a logical area and you will have at least one interface in that zone.&nbsp;So you have one interface in the&nbsp;zone. That interface connected to the router, then we do have another router and so on.&nbsp;Routers always interconnect networks (different networks/subnets). &nbsp;With configuration "any" firewall will allow any source&nbsp;ip&nbsp;coming into that interface, as l said earlier even from the outside of the&nbsp;interface subnet. If you have multiple interfaces withing the same zone, any ip&nbsp;outside the&nbsp;zone. So ip address not <SPAN>necessarily&nbsp;</SPAN>should be directly connected to the PA, but logically they will be in the same zone.</P> Fri, 19 May 2017 19:55:59 GMT https://live.paloaltonetworks.com/t5/general-topics/source-zone-source-address/m-p/157496#M51650 TranceforLife 2017-05-19T19:55:59Z https://live.paloaltonetworks.com/t5/general-topics/source-zone-source-address/m-p/157508#M51655 <P>It also depends on your routing table.</P><P>&nbsp;</P><P>So let's assume you have interface eth1/1 in zone "INTERNAL". All your internal networks are somewhere in 10.0.0.0/8 and are reachable through an internal router. To keep the routing easy you have one route for the 10.0.0.0/8 network towards your router.</P><P>Now if there somehow traffic from 192.168.100.100 arrives at your firewall on eth1/1 (Zone INTERNAL), then this traffic is not allowed even you have allowed "any" in the source address column and INTERNAL as source zone in your security policy. This packet (and everything else which does not come from 10.0.0.0/8) will get dropped as ip spoof attack.</P> Fri, 19 May 2017 19:58:12 GMT https://live.paloaltonetworks.com/t5/general-topics/source-zone-source-address/m-p/157508#M51655 Remo 2017-05-19T19:58:12Z https://live.paloaltonetworks.com/t5/general-topics/source-zone-source-address/m-p/157565#M51665 <P>To be exact IP spoof attack is not detected by default but only if zone protection is applied to the zone and ip spoof checkbox checked (it is best practice to have it configured).</P> Sun, 21 May 2017 03:07:52 GMT https://live.paloaltonetworks.com/t5/general-topics/source-zone-source-address/m-p/157565#M51665 Raido_Rattameister 2017-05-21T03:07:52Z https://live.paloaltonetworks.com/t5/general-topics/source-zone-source-address/m-p/157568#M51666 <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603">@Raido_Rattameister</a> : of course, you're absolutely right. Sometimes the "best practices" are more/(too much) "must" settings to me <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span> Sun, 21 May 2017 07:35:13 GMT https://live.paloaltonetworks.com/t5/general-topics/source-zone-source-address/m-p/157568#M51666 Remo 2017-05-21T07:35:13Z