Please advise: how does PAN-OS handle anti-spoofing when there is no default route configured in a VR and only policy-based forwarding is enabled within that VR?
Does the policy-based forwarding entry update the routing table entries?
The PANFW would still perform a route lookup for the traffic coming in from the source zone/source interface. If the PANFW detects that the ingressing traffic arrives on the incorrect interface, it drops it as spoofed packets or with a "no-arp-found" message. It cannot check the same for the destination address because we are forcing the firewall to route the traffic out via another interface. After the traffic matches a PBF rule, the traffic is subjected to a security rule match, and a session would be set up for the traffic (client to source, and return traffic source to client). Both the client-to-server and the server-to-client traffic are again subjected to other security checks.
Let me know if that helps.
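To make the answer's two points concrete (the source address is checked against the virtual router's routing table, while PBF only overrides the egress decision for the destination and leaves the routing table untouched), here is an added Python model of that decision flow. It is not Palo Alto code and not from the thread: the interface names, prefixes, the single PBF rule, and the drop-reason strings are constructed for the illustration, and the VR deliberately has no default route.

```python
"""Model of the forwarding decision described in the answer:
1. anti-spoofing: route lookup on the SOURCE address must resolve to the
   ingress interface, otherwise the packet is dropped;
2. forwarding: a matching PBF rule picks the egress interface for the
   DESTINATION; without one, the routing table is consulted.
Constructed example only; drop-reason labels are illustrative, not PAN-OS log strings.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


@dataclass(frozen=True)
class PbfRule:
    ingress_interface: str
    destination: ipaddress.IPv4Network
    egress_interface: str


@dataclass
class VirtualRouter:
    routes: list   # connected/static routes; deliberately no 0.0.0.0/0 entry
    pbf: list      # PBF rules: consulted for forwarding only, never for anti-spoofing

    def lookup(self, addr: str):
        """Longest-prefix match over the routing table; None when nothing matches."""
        ip = ipaddress.ip_address(addr)
        matches = [r for r in self.routes if ip in r.prefix]
        if not matches:
            return None
        return max(matches, key=lambda r: r.prefix.prefixlen)

    def source_check(self, ingress_interface: str, src: str) -> str:
        """Anti-spoofing: the route back to the source must point at the ingress interface."""
        route = self.lookup(src)
        if route is None:
            return "drop: no route to source"        # illustrative reason label
        if route.interface != ingress_interface:
            return "drop: spoofed source"            # illustrative reason label
        return "ok"

    def forward(self, ingress_interface: str, src: str, dst: str) -> str:
        verdict = self.source_check(ingress_interface, src)
        if verdict != "ok":
            return verdict
        dst_ip = ipaddress.ip_address(dst)
        # PBF overrides egress for the destination; it does not touch self.routes
        for rule in self.pbf:
            if rule.ingress_interface == ingress_interface and dst_ip in rule.destination:
                return f"forward via {rule.egress_interface} (PBF)"
        route = self.lookup(dst)
        if route is None:
            return "drop: no route to destination"   # illustrative reason label
        return f"forward via {route.interface} (routing table)"


def sample_vr() -> VirtualRouter:
    """Constructed VR: two connected networks, no default route, one PBF rule
    sending everything from the trust interface out the untrust interface."""
    return VirtualRouter(
        routes=[
            Route(ipaddress.ip_network("10.1.0.0/24"), "ethernet1/1"),      # trust (constructed)
            Route(ipaddress.ip_network("203.0.113.0/24"), "ethernet1/2"),   # untrust (constructed)
        ],
        pbf=[PbfRule("ethernet1/1", ipaddress.ip_network("0.0.0.0/0"), "ethernet1/2")],
    )


def demo() -> dict:
    vr = sample_vr()
    routes_before = list(vr.routes)
    results = {
        # trust host reaching an external address via the PBF rule
        "legit": vr.forward("ethernet1/1", "10.1.0.5", "198.51.100.7"),
        # same source address arriving on the untrust interface: reverse lookup mismatch
        "spoofed": vr.forward("ethernet1/2", "10.1.0.5", "198.51.100.7"),
        # source with no route at all (no default route to fall back on)
        "unknown_src": vr.forward("ethernet1/1", "192.0.2.9", "198.51.100.7"),
        # valid untrust source, but no PBF rule for this ingress and no route to the destination
        "no_pbf_no_route": vr.forward("ethernet1/2", "203.0.113.4", "198.51.100.7"),
    }
    # PBF was applied above yet the routing table is unchanged
    results["routing_table_unchanged"] = vr.routes == routes_before
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22} {outcome}")
```

The `unknown_src` and `no_pbf_no_route` cases are the ones that matter for the original question: with no default route in the VR, a source that has no more specific route fails the anti-spoofing lookup before any PBF rule is considered, and a destination that matches no PBF rule is dropped for lack of a route, because the PBF entry added nothing to the routing table.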