cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Spoofed IP address zone protection of vwire

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
mr.linus
mr.linus
L4 Transporter
‎08-01-2013 06:17 AM
‎08-01-2013 06:17 AM

Spoofed IP address zone protection of vwire

Dear,

We have created a zone protection profile with protection against "Spoofed IP address".

We have put this protection profile on a vwire interface.

Question:

What will happen since a vwire interface has no IPs?

Will this "feature" be ignored, or what will happen / how can we configure this to apply the protection?

KR

Labels:
0 Likes
Reply
kprakash
kprakash
L5 Sessionator
‎08-01-2013 06:29 AM
‎08-01-2013 06:29 AM

Re: Spoofed IP address zone protection of vwire

Hi Linus,

As the vwire interfaces dont have an IP address, they wouldnt be subjected to IP spoofed attacks. But if you want to protect the servers behind the vwire interfaces, you can deploy a DoS Protection policy with a DoS protection profile, which includes protection for the IP spoof attacks as well.

Best regards,

Karthik 

0 Likes
Reply
kprakash
kprakash
L5 Sessionator
‎08-01-2013 06:56 AM
‎08-01-2013 06:56 AM

Re: Spoofed IP address zone protection of vwire

Hi Linus,

I just verified that the DoS Protection profile doesnt support checking for Spoofed IPs. The firewall can detect an IP address as being spoofed, if it sees the packet on a different interface than the one for which it has learnt the route for. As there is no routing information per se on the vwire interfaces, the PANFW, ignores the route checks for the source and the destination IP addresses, and hence ignores the IP spoof check for these packets.

BR,

Karthik RP

Reply
mr.linus
mr.linus
L4 Transporter
‎08-01-2013 07:20 AM
‎08-01-2013 07:20 AM

Re: Spoofed IP address zone protection of vwire

seems logical, but is there a way we can add IP information to the vwires so we can use this feature?

I know that when we create sub-vwire-interfaces we can use classifiers, would this be an option?

0 Likes
Reply
kprakash
kprakash
L5 Sessionator
‎08-01-2013 07:34 AM
‎08-01-2013 07:34 AM

Re: Spoofed IP address zone protection of vwire

No Mr.linus,

that would break the concept of using a vwire. but I would recommend converting the vwire interfaces to layer 3 interfaces, unless there is a company norm for you to use vwire interfaces.

Best regards,

Karthik RP

0 Likes
Reply
mr.linus
mr.linus
L4 Transporter
‎08-01-2013 07:43 AM
‎08-01-2013 07:43 AM

Re: Spoofed IP address zone protection of vwire

Alright, thanks for the info.

0 Likes
Reply
mikand
mikand
L6 Presenter
‎08-01-2013 12:43 PM
‎08-01-2013 12:43 PM

Re: Spoofed IP address zone protection of vwire

Would it?

Cant you through zones define which networks are expected on which end of the vwire?

Perhaps it needs a feature request similar to how vwire filters 802.1Q tagged vlans.

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2019 - Palo Alto Networks