02-25-2022 08:11 AM
I am trying to understand why the PAN-OS documentation seems to suggest that, when configuring and applying Zone Protection Profiles for IP Spoofing protection (IP Drop-Spoofed IP address), it should be enabled for 'Internal Zones Only' (see references below). This appears to be counter to every discussion, video tutorial (both PA sponsored and other), and best practices/benchmarks I have read/seen, where IP Spoof protections are recommended to be enabled for all zones, including untrusted/Internet facing zones.
Am I misreading/misunderstanding the documentation, or is it really the case that 'Discard-IP-Spoof' is NOT recommended for a Zone Protection profile meant to be applied to an untrust/Internet facing zone?
Thanks.
Reference:
06-14-2022 09:58 AM
How would this work for external zones? Here is what the feature accomplishes:
Check that the source IP address of the ingress packet is routable and the routing interface is in the same zone as the ingress interface. If either condition is not true, discard the packet.
So, an internal zone (receiver of ingress packets) checks that wherever the packet says it is going is both reachable from the table on hand and that the table matches the zone the packet is coming into. Else, drop.
On an external zone, you don't control the routing table, so how would that check be accomplished?
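The two-condition check quoted in the reply above, written out as an added Python example (this is not PAN-OS code and not from either poster). It uses a constructed routing table with two internal prefixes and a default route toward ethernet1/1, and a constructed interface-to-zone map; the interface names, prefixes and zone names are assumptions. The verdict function drops a packet unless its source address is routable and the route's interface belongs to the same zone as the ingress interface.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table: (prefix, egress interface). Assumed values, not a device config.
ROUTES = [
    ("10.1.0.0/16", "ethernet1/2"),
    ("10.2.0.0/16", "ethernet1/3"),
    ("0.0.0.0/0", "ethernet1/1"),   # default route toward the Internet
]

# Constructed interface-to-zone mapping (assumed names).
ZONES = {
    "ethernet1/1": "untrust",
    "ethernet1/2": "trust",
    "ethernet1/3": "dmz",
}


def lookup_route(src, routes=ROUTES):
    """Longest-prefix match for the source address.

    Returns the egress interface of the best route, or None when the
    source address is not routable at all.
    """
    addr = ip_address(src)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def spoof_check(src, ingress_iface, routes=ROUTES, zones=ZONES):
    """Apply the two conditions from the reply: the source must be routable,
    and the routing interface must be in the same zone as the ingress interface.

    Returns (allowed, reason).
    """
    egress = lookup_route(src, routes)
    if egress is None:
        return False, "drop: source address is not routable"
    ingress_zone = zones[ingress_iface]
    egress_zone = zones[egress]
    if egress_zone != ingress_zone:
        return False, f"drop: source routes via zone {egress_zone}, packet arrived in {ingress_zone}"
    return True, f"allow: source routes via {egress} in zone {ingress_zone}"


if __name__ == "__main__":
    # Constructed sample packets: (source address, ingress interface).
    samples = [
        ("10.1.5.5", "ethernet1/2"),       # internal host on its own zone
        ("10.2.7.7", "ethernet1/2"),       # dmz address arriving on trust
        ("10.1.5.5", "ethernet1/1"),       # internal address arriving from the Internet
        ("203.0.113.9", "ethernet1/1"),    # public address arriving from the Internet
    ]
    for src, iface in samples:
        allowed, reason = spoof_check(src, iface)
        print(f"{src:>14} on {iface} ({ZONES[iface]}): {reason}")
```

Running the sample shows the point the reply makes: on the trust zone the table is specific, so a dmz address or an unroutable address arriving there is dropped, and an internal address arriving on untrust is dropped because its route points into trust. But for any public source address arriving on untrust, the only match is the default route, whose interface is in untrust itself, so the check passes no matter what the real origin was; the table gives the check nothing to compare against on that zone. Passing a routes list without a default route (as in the test) turns every public source into an unroutable drop instead, which is the other extreme rather than a useful check.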