IP Drop - Spoofing - Internal Zones Only?


L0 Member

I am trying to understand why the PAN-OS documentation seems to suggest that, when configuring and applying Zone Protection Profiles for IP Spoofing protection (IP Drop - Spoofed IP address), it should be enabled for 'Internal Zones Only' (see references below). This appears to run counter to every discussion, video tutorial (both PA-sponsored and other), and best-practices document/benchmark I have read or seen, where IP spoof protections are recommended to be enabled for all zones, including untrusted/Internet-facing zones.


Am I misreading/misunderstanding the documentation, or is it really the case that 'Discard-IP-Spoof' is NOT recommended for a Zone Protection profile meant to be applied to an untrust/Internet-facing zone?


Thanks.


Reference:

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/network/network-network-profi...

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/network/network-network-profi...

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/network/network-network-profi...

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/network/network-network-prof...

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-network-prof...

1 REPLY

L5 Sessionator

How would this work for external zones? Here is what the feature accomplishes:


Check that the source IP address of the ingress packet is routable and the routing interface is in the same zone as the ingress interface. If either condition is not true, discard the packet.


So, an internal zone (receiver of ingress packets) checks that wherever the packet says it is going is both reachable from the table on hand and that the table matches the zone the packet is coming into; else, drop.


On an external zone, you don't control the routing table, so how would that check be accomplished?
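The check quoted in the reply above, modeled as an added example (this is not code from the post, the PAN-OS documentation or the firewall itself): a constructed routing table, an interface-to-zone map, and a longest-prefix lookup that applies the two stated conditions, source routable and route egress interface in the same zone as the ingress interface. Interface names, prefixes, zone names and the sample packets are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example: models the IP-spoof check quoted in the reply (source must be
# routable, and the route's egress interface must be in the same zone as the
# ingress interface). Everything below is constructed; it is not PAN-OS code.


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


def build_routes(entries: List[Tuple[str, str]]) -> List[Route]:
    """Build a routing table from (prefix, egress-interface) pairs."""
    return [Route(ipaddress.IPv4Network(p), iface) for p, iface in entries]


def lookup_egress_interface(routes: List[Route], ip: str) -> Optional[str]:
    """Longest-prefix match of ip against the table; None if no route covers it."""
    addr = ipaddress.IPv4Address(ip)
    best: Optional[Route] = None
    for route in routes:
        if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best.interface if best is not None else None


def spoof_check(routes: List[Route], iface_zone: Dict[str, str],
                ingress_iface: str, src_ip: str) -> Tuple[str, str]:
    """Return ('allow'|'discard', reason) for a packet with src_ip arriving on ingress_iface."""
    ingress_zone = iface_zone[ingress_iface]
    egress = lookup_egress_interface(routes, src_ip)
    if egress is None:
        return "discard", f"{src_ip} is not routable"
    egress_zone = iface_zone[egress]
    if egress_zone != ingress_zone:
        return "discard", (f"{src_ip} is routed via {egress} ({egress_zone}) "
                           f"but arrived on {ingress_iface} ({ingress_zone})")
    return "allow", f"{src_ip} is routed via {egress}, same zone as ingress ({ingress_zone})"


# Constructed topology (assumed names): ethernet1/1 faces the Internet and
# carries the default route; ethernet1/2 is trust; ethernet1/3 is dmz.
IFACE_ZONE = {"ethernet1/1": "untrust", "ethernet1/2": "trust", "ethernet1/3": "dmz"}
ROUTES = build_routes([
    ("10.0.0.0/8", "ethernet1/2"),
    ("192.168.50.0/24", "ethernet1/3"),
    ("0.0.0.0/0", "ethernet1/1"),
])
# Same table without the default route, to exercise the "not routable" branch.
ROUTES_NO_DEFAULT = [r for r in ROUTES if r.prefix.prefixlen != 0]


def run_cases(routes: List[Route] = ROUTES) -> Dict[Tuple[str, str], str]:
    """Evaluate a fixed set of constructed packets; returns {(ingress, src): verdict}."""
    cases = [
        ("ethernet1/2", "10.1.2.3"),        # trust host arriving on trust
        ("ethernet1/2", "192.168.50.7"),    # dmz address arriving on trust
        ("ethernet1/1", "203.0.113.9"),     # Internet source on untrust (default route)
        ("ethernet1/1", "10.9.9.9"),        # internal prefix arriving from the Internet
    ]
    return {c: spoof_check(routes, IFACE_ZONE, *c)[0] for c in cases}


if __name__ == "__main__":
    for (iface, src), verdict in run_cases().items():
        print(f"{iface:12} src={src:15} -> {verdict}")
    print("without default route:",
          spoof_check(ROUTES_NO_DEFAULT, IFACE_ZONE, "ethernet1/1", "203.0.113.9"))
```

With the constructed table, a trust address arriving on the trust interface and an Internet address arriving on the untrust interface both pass, because in each case the longest-prefix route for the source points back out the ingress zone; a dmz address arriving on trust and a 10.0.0.0/8 address arriving on untrust are discarded because their routes point into a different zone. Removing the default route turns the Internet source into the "not routable" discard, which is the dependency on the routing table that the reply is pointing at.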
