https://live.paloaltonetworks.com/t5/general-topics/public-to-public-rfc-1918-blocks/m-p/343024#M85906 <P><A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/139406" target="_blank" rel="noopener">@shafi021</A><SPAN>&nbsp;it looks like&nbsp;</SPAN><A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480" target="_blank" rel="noopener">@BPry</A><SPAN>&nbsp;got you taken care of with his reply.&nbsp; I would just add that even if your firewall isn't using a public IP, and&nbsp; your ISP was doing a source NAT on your outbound traffic, I wouldn't expect it to be doing any source NAT on the return traffic.&nbsp; You would most likely see that the return traffic has the proper public IPs.&nbsp; Also, the return traffic for established connections (those initiated from your LAN to the Internet) should be allowed anyway.&nbsp;</SPAN><BR /><BR /><SPAN>You would most likely only have an issue w/ RFC1918 traffic going from your Public zone to your LAN zone if you were both 1) using private IPs on your firewall's Public interface because your ISP is doing source NAT, and 2) needing some other device on the network between your firewall and ISP's device (the Public zone according to the firewall, but the private side according to the ISP's NAT device) to the firewall's LAN zone.</SPAN><BR /><BR /><SPAN>If you're interested in a more comprehensive BOGON list than just RFC1918, I'm a fan of CYMRU's Full Bogon list, which also includes public IP ranges not yet allocated by IANA.&nbsp; It can be used as an external dynamic list (EDL) on the Palo Alto firewall.</SPAN><BR /><A href="https://team-cymru.com/community-services/bogon-reference/bogon-reference-http/" target="_blank" rel="nofollow noopener noreferrer">https://team-cymru.com/community-services/bogon-reference/bogon-reference-http/</A></P> Tue, 27 Apr 2021 18:39:28 GMT OwenFuller 2021-04-27T18:39:28Z https://live.paloaltonetworks.com/t5/general-topics/public-to-public-rfc-1918-blocks/m-p/342944#M85897 <P>Hi,</P><P>&nbsp;</P><P>I am looking to block the RFC 1918 blocks coming from internet to our LAN zone. So, Policy will be Source zone: Public , IP: RFC1918 blocks, Destination zone: LAN, IP : any .<BR /><BR />Can you guys please confirm that creating this policy will fulfill my requirement?&nbsp;</P><P>&nbsp;</P><P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/107710">@OwenFuller</a>&nbsp;can you please give your input?&nbsp;</P><P><BR />Thank you&nbsp;</P><P>&nbsp;</P> Mon, 10 Aug 2020 00:17:50 GMT https://live.paloaltonetworks.com/t5/general-topics/public-to-public-rfc-1918-blocks/m-p/342944#M85897 shafi021 2020-08-10T00:17:50Z https://live.paloaltonetworks.com/t5/general-topics/public-to-public-rfc-1918-blocks/m-p/342962#M85900 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/139406">@shafi021</a>,</P> <P>That will work as you expect. Are you actively seeing 1918 addresses coming across your untrust interface on the ISP side of things though? If so, the one thing you will want to double check is that your untrust interface actually has a public IP address being assigned to it, and not an RFC 1918 address which is being NAT'd by the carrier.&nbsp;</P> Mon, 10 Aug 2020 03:35:13 GMT https://live.paloaltonetworks.com/t5/general-topics/public-to-public-rfc-1918-blocks/m-p/342962#M85900 BPry 2020-08-10T03:35:13Z https://live.paloaltonetworks.com/t5/general-topics/public-to-public-rfc-1918-blocks/m-p/343024#M85906 <P><A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/139406" target="_blank" rel="noopener">@shafi021</A><SPAN>&nbsp;it looks like&nbsp;</SPAN><A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480" target="_blank" rel="noopener">@BPry</A><SPAN>&nbsp;got you taken care of with his reply.&nbsp; I would just add that even if your firewall isn't using a public IP, and&nbsp; your ISP was doing a source NAT on your outbound traffic, I wouldn't expect it to be doing any source NAT on the return traffic.&nbsp; You would most likely see that the return traffic has the proper public IPs.&nbsp; Also, the return traffic for established connections (those initiated from your LAN to the Internet) should be allowed anyway.&nbsp;</SPAN><BR /><BR /><SPAN>You would most likely only have an issue w/ RFC1918 traffic going from your Public zone to your LAN zone if you were both 1) using private IPs on your firewall's Public interface because your ISP is doing source NAT, and 2) needing some other device on the network between your firewall and ISP's device (the Public zone according to the firewall, but the private side according to the ISP's NAT device) to the firewall's LAN zone.</SPAN><BR /><BR /><SPAN>If you're interested in a more comprehensive BOGON list than just RFC1918, I'm a fan of CYMRU's Full Bogon list, which also includes public IP ranges not yet allocated by IANA.&nbsp; It can be used as an external dynamic list (EDL) on the Palo Alto firewall.</SPAN><BR /><A href="https://team-cymru.com/community-services/bogon-reference/bogon-reference-http/" target="_blank" rel="nofollow noopener noreferrer">https://team-cymru.com/community-services/bogon-reference/bogon-reference-http/</A></P> Tue, 27 Apr 2021 18:39:28 GMT https://live.paloaltonetworks.com/t5/general-topics/public-to-public-rfc-1918-blocks/m-p/343024#M85906 OwenFuller 2021-04-27T18:39:28Z