I was wondering that shall I enable IP Spoof Protection on Untrust Zone, as it identify the source IP address as per routing table. Any request coming from Internet will have some public IP address (Normally) and PA will not have those network learnt as connected and it could be that PA drop that traffic by considering it an spoofed IP.
the firewall does not need to 'learn' the routes, it uses the routing table as such:
untrust has 0.0.0.0/0 for the default gateway, so ALL source ip addresses are allowed
trust has 192.168.0.0/24 connected and a route to a remote branch 192.168.1.0/24
now antispoofing allows 0.0.0.0/0 - (minus) 192.168.0.0/24 & 192.168.1.0/24
and so on
hope this makes sense :)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!