https://live.paloaltonetworks.com/t5/general-topics/palo-alto-firewall-dual-homed-devices-between-two-security-zones/m-p/407183#M92214 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/16592">@Remo</a>&nbsp;incoming connections on one interface of the dual-homed system will be replied to via the default route (with the lowest metric) on the host. one interface will handle incoming connections properly, while the other will send replies out of the 'wrong' interface.</P><P>&nbsp;</P><P>this is just a single potential way to find dual homed hosts, and not a necessity</P> Mon, 17 May 2021 08:00:34 GMT Thyrion 2021-05-17T08:00:34Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-firewall-dual-homed-devices-between-two-security-zones/m-p/406270#M92082 <P>Is it possible to detect dual homed hosts connected to two or more security zones at the same time.</P> Wed, 12 May 2021 06:22:54 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-firewall-dual-homed-devices-between-two-security-zones/m-p/406270#M92082 JacobHusted 2021-05-12T06:22:54Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-firewall-dual-homed-devices-between-two-security-zones/m-p/406369#M92093 <P>you'll have many 'incomplete' sessions in one zone , and many non-syn-tcp in the other zone for incoming connections</P><P>outgoing you will not notice as the host will likely 'stick' to one interface for all/some of it's sessions.&nbsp;</P><P>only if the dual-homed system is set up as a gateway/router/... to pass along packets, you may see unexpected IP addresses in either zone. this can be addressed by enabling anti spoofing in a zone protection profile&nbsp;</P><P>&nbsp;</P> Wed, 12 May 2021 13:14:10 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-firewall-dual-homed-devices-between-two-security-zones/m-p/406369#M92093 Thyrion 2021-05-12T13:14:10Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-firewall-dual-homed-devices-between-two-security-zones/m-p/407122#M92200 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/80142">@JacobHusted</a>&nbsp;</P> <P>Depending on the routing configured on these hosts there is no way to detect these hosts. Unlike what <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/170451">@Thyrion</a>&nbsp;wrote, it does not need to be the case that you will see a lot of incomplete sessions or sessions with wrong source IPs in the wrong zones so if these hosts are configured correctly then also the anti spoofing feature does not help to prevent such connections.</P> <P>So the best way probably to resolve these issues is to find out how it is possible for these hosts to simultanously connect to multiple networks behind your firewall and then try to implement preventions to eliminate this possibility for the users. If this still need to be possible for at least some computers, make sure you secure the network as good as possible from both security zones <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Sun, 16 May 2021 16:02:21 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-firewall-dual-homed-devices-between-two-security-zones/m-p/407122#M92200 Remo 2021-05-16T16:02:21Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-firewall-dual-homed-devices-between-two-security-zones/m-p/407183#M92214 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/16592">@Remo</a>&nbsp;incoming connections on one interface of the dual-homed system will be replied to via the default route (with the lowest metric) on the host. one interface will handle incoming connections properly, while the other will send replies out of the 'wrong' interface.</P><P>&nbsp;</P><P>this is just a single potential way to find dual homed hosts, and not a necessity</P> Mon, 17 May 2021 08:00:34 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-firewall-dual-homed-devices-between-two-security-zones/m-p/407183#M92214 Thyrion 2021-05-17T08:00:34Z