01-23-2022 11:51 PM - edited 01-24-2022 12:04 AM
Customer upgraded to 9.1.12 and after that it was noticed that for some of the zones, traffic was dropped. During debug, it was concluded that the reason is Strict IP Address Check in the Zone Protection Profile:
"flow_dos_pf_strictip 1 0 drop flow dos Packets dropped: Zone protection option 'strict-ip-check'"
In the 9.1.12 release notes it is noted:
Fixed an issue where packet-based zone protection settings (such as Strict IP Address Check) were not applied to return traffic.
So one may think it is a bug that was fixed and customer has his routing table messed up, but after checking - routing seems to be fine. Traffic was dropped even from outside interface (with default route) to GlobalProtect interface which is loopback on the device. Same for Outside <-> DMZ traffic, which is directly connected interface, so essentially no dynamic/static routing is done there.
Behavior can be confirmed and reproduced by turning on and off strict IP check in the zone protection profile.
Can anyone confirm this? Checking before opening TAC case.
Edit a bit later: PBR is not configured.
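To make the debug step above repeatable after an upgrade, here is an added helper (not from this thread or from Palo Alto Networks) that parses lines in the layout of the global drop counter shown in the post (name, value, rate, severity, category, aspect, description) and flags any non-zero drop attributed to a zone protection option. The sample output is constructed; only the strict-ip line is taken from the post, and the column layout is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the column layout of the counter line quoted in the
# post. The first line is the one from the post; the other two are made up
# for illustration and are not real firewall output.
SAMPLE_COUNTERS = """\
flow_dos_pf_strictip     1   0 drop  flow  dos      Packets dropped: Zone protection option 'strict-ip-check'
flow_fwd_l3_noroute     12   0 drop  flow  forward  Packets dropped: no route to destination (constructed)
flow_policy_deny        40   3 drop  flow  session  Session setup: denied by policy (constructed)
"""

@dataclass
class DropCounter:
    name: str
    value: int
    rate: int
    severity: str
    category: str
    aspect: str
    description: str

# Six whitespace-separated fields followed by a free-text description.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+(?P<severity>\S+)\s+"
    r"(?P<category>\S+)\s+(?P<aspect>\S+)\s+(?P<description>.*)$"
)

def parse_counters(text: str) -> List[DropCounter]:
    """Parse counter lines; lines that do not match the layout are skipped."""
    counters = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        counters.append(DropCounter(
            m["name"], int(m["value"]), int(m["rate"]), m["severity"],
            m["category"], m["aspect"], m["description"].strip(),
        ))
    return counters

def zone_protection_drops(counters: List[DropCounter]) -> List[DropCounter]:
    """Return drop counters whose description blames a zone protection option."""
    return [c for c in counters
            if c.severity == "drop" and c.value > 0
            and "Zone protection option" in c.description]

if __name__ == "__main__":
    for c in zone_protection_drops(parse_counters(SAMPLE_COUNTERS)):
        print(f"{c.name}: {c.value} dropped ({c.description})")
```

Paste the real `show counter global` output in place of the sample and re-run it before and after toggling the profile setting to confirm the counter stops incrementing.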
01-26-2022 05:18 PM
I have just run into the same issue when going along the upgrade path to 10.1.3, when we hit 9.1.12, GP VPN and IPsec VPN both broke. Turned off 'strict-IP-check' on the internet zone protection profile and both VPNs are working again. Haven't re-tested on 10.1.3 as yet.
Only thing I noticed was our local VPN IP address is on a loopback address in the internet zone, the below KB article seems to suggest that 'strict-IP-check' can cause an issue with loopback addresses, in saying that not sure why it only just became a problem with 9.1.12.
Did you end up raising this with PA support, or find a solution here?
01-26-2022 11:55 PM
I noted that article as well, but my understanding was that the loopback address was meant to be 127.0.0.1, given the context along with broadcast, network, etc. addresses. Not sure if my guess was correct, though.
Currently I have not opened a case; would still like to check the effect on traffic passing via the firewall, as that was seen in the customer case as well, so it did not seem to be related to Palo Alto assigned IPs only. Was hoping that someone from PA might confirm this behavior, as that would mean less guessing and poking around.
As for now left the workaround - strict IP check disabled.
02-02-2022 12:06 PM
Experiencing similar behavior. Suddenly traffic across a VPN was being dropped, and it did not even have a ZPP on it. Running 9.1.12.
Followed this KB to find it which was helpful. Unchecked strict IP check and returned to normal.
02-02-2022 02:06 PM
@nikoo @JesseCurtis2020 My client has updated their firewall to PAN OS 10.1.3. I have asked them to re-enable the strict IP check and see if the issue remains on that version.
02-02-2022 10:31 PM
@JesseCurtis2020, ZPP most likely was assigned to public interface, as I had similar behavior with VPN traffic being dropped and sounds like the same issue, yeah.
@Ben-Price, that can be good to know for future reference. In my case though customer is running PA-3xxx series, so no possibility to go above 9.1.
02-03-2022 06:23 AM
>ZPP most likely was assigned to public interface,
Yes, this was the case and what I figured as well.
02-21-2022 02:15 PM
@nikoo @JesseCurtis2020 This has been identified as a bug and PA have now updated the PAN OS 9.1.12 known issues documentation outlining the bug (PAN-186937).