A good rule of thumb is to never use ANY as a source address unless you actually need to. For example, your Trust zone rules should at the very least be limited to IP addresses that you actually assign from that zone.
Also, to be clear, if you use ANY then it allows exactly that; you don't need to assign the IP to that zone for it to be allowed.
As @BPry has mentioned already, ANY means from anywhere, even from a different subnet. A good example is DNAT. You allow any IP from the Internet to access your internal server. So in your policy, you are configuring ANY as a source IP going to the untrust zone. Let's say your untrust interface has the 126.96.36.199/24 IP address assigned. ANY means any IP addresses, even outside of this subnet, are allowed (e.g. 188.8.131.52, 184.108.40.206 etc).
No, a zone is a logical area and you will have at least one interface in that zone. So you have one interface in the zone. That interface is connected to the router, then we have another router and so on. Routers always interconnect networks (different networks/subnets). With the configuration "any", the firewall will allow any source IP coming into that interface, as I said earlier, even from outside of the interface subnet. If you have multiple interfaces within the same zone, any IP outside the zone. So the IP addresses do not necessarily have to be directly connected to the PA, but logically they will be in the same zone.
It also depends on your routing table.
So let's assume you have interface eth1/1 in zone "INTERNAL". All your internal networks are somewhere in 10.0.0.0/8 and are reachable through an internal router. To keep the routing easy you have one route for the 10.0.0.0/8 network towards your router.
Now if traffic from 192.168.100.100 somehow arrives at your firewall on eth1/1 (Zone INTERNAL), then this traffic is not allowed even if you have allowed "any" in the source address column and INTERNAL as source zone in your security policy. This packet (and everything else which does not come from 10.0.0.0/8) will get dropped as an IP spoof attack.
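A simplified model of the behaviour described in the last reply, as an added example that is not part of the original thread and is not PAN-OS code: the source address is checked against the routing table for the ingress interface before the rule's source "any" is considered. The default route via eth1/2, the UNTRUST zone, the rule name and all function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed routing table mirroring the reply: one route for the internal
# networks via eth1/1. The default route via eth1/2 is an assumption.
ROUTES = [
    ("10.0.0.0/8", "eth1/1"),
    ("0.0.0.0/0", "eth1/2"),
]
ZONES = {"eth1/1": "INTERNAL", "eth1/2": "UNTRUST"}

# Constructed rule: source zone INTERNAL, source address "any".
RULES = [{"name": "internal-out", "src_zone": "INTERNAL", "src_addr": "any"}]


def route_interface(ip):
    """Longest-prefix match: the interface the route to `ip` points at."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def source_matches(rule_src, ip):
    """A rule source of "any" matches every address, on any subnet."""
    if rule_src == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_src)


def evaluate(ingress_iface, src_ip):
    """Return the verdict for a packet arriving on ingress_iface."""
    # Reverse-path check first: the route back to the source must point at
    # the interface the packet arrived on, otherwise it is treated as spoofed.
    if route_interface(src_ip) != ingress_iface:
        return "drop: ip spoof"
    zone = ZONES[ingress_iface]
    for rule in RULES:
        if rule["src_zone"] == zone and source_matches(rule["src_addr"], src_ip):
            return "allow: " + rule["name"]
    return "drop: no matching rule"


if __name__ == "__main__":
    for src in ("10.20.30.40", "192.168.100.100"):
        print(src, "->", evaluate("eth1/1", src))
```
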