12-13-2016 11:32 PM
Dear Experts,
I was wondering that shall I enable IP Spoof Protection on Untrust Zone, as it identify the source IP address as per routing table. Any request coming from Internet will have some public IP address (Normally) and PA will not have those network learnt as connected and it could be that PA drop that traffic by considering it an spoofed IP.
Please suggest.
Best Regards,
Fozail
12-14-2016 12:45 AM - edited 12-14-2016 12:46 AM
Hi Fozail
the firewall does not need to 'learn' the routes, it uses the routing table as such:
untrust has 0.0.0.0/0 for the default gateway, so ALL source ip addresses are allowed
except:
trust has 192.168.0.0/24 connected and a route to a remote branch 192.168.1.0/24
now antispoofing allows 0.0.0.0/0 - (minus) 192.168.0.0/24 & 192.168.1.0/24
and so on
hope this makes sense 🙂
12-14-2016 03:17 AM
Hi,
Thanks for the clarification, it makes sense.
Best Regards,
Fozail
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
