For details on cookie usage on our site, read our Privacy Policy
Strict IP Address Check after 9.1.12
- LIVEcommunity
- Discussions
- General Topics
- Strict IP Address Check after 9.1.12
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Strict IP Address Check after 9.1.12
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-23-2022 11:51 PM - edited 01-24-2022 12:04 AM
Customer upgraded to 9.1.12 and after that it was noticed that for some of the zones, traffic was dropped. During debug,it was concluded that reason is Strict IP Address Check in the Zone Protection Profile:
"flow_dos_pf_strictip 1 0 drop flow dos Packets dropped: Zone protection option 'strict-ip-check'"
In the 9.1.12 release notes it is noted:
PAN-175934 | Fixed an issue where packed-based zone protection settings (such as Strict IP Address Check) were not applied to return traffic. |
So one may think it is a bug that was fixed and customer has his routing table messed up, but after checking - routing seems to be fine. Traffic was dropped even from outside interface (with default route) to GlobalProtect interface which is loopback on the device. Same for Outside <-> DMZ traffic, which is directly connected interface, so essentially no dynamic/static routing is done there.
Behavior can be confirmed and reproduced by turning on and off strict IP check in the zone protection profile.
Can anyone confirm this? Checking before opening TAC case.
Edit a bit later: PBR is not configured.
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-02-2022 02:06 PM
@nikoo @JesseCurtis2020 My client has updated there firewall to PAN OS 10.1.3. I have asked them to re-enabled the strict IP check and see if the issue remains on that version.
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-02-2022 10:31 PM
@JesseCurtis2020, ZPP most likely was assigned to public interface, as I had similar behavior with VPN traffic being dropped and sounds like the same issue, yeah.
@Ben-Price, that can be good to know for future reference. In my case though customer is running PA-3xxx series, so no possibility to go above 9.1.
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-03-2022 06:23 AM
>ZPP most likely was assigned to public interface,
Yes, this was the case and what I figured as well.
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-21-2022 02:15 PM
@nikoo @JesseCurtis2020 This has been identified as a bug and PA have now updated the PAN OS 9.1.12 known issues documentation outlining the bug (PAN-186937).
- Threat Logs: Countries with no IP in General Topics
- Threat log Issue in General Topics
- GlobalProtect agent external gateway region restriction - portal still accessible in GlobalProtect Discussions
- XQL Query: Hunting Supply Chain Attack for 3CX in Cortex XDR Discussions
- Vulnerability in Cortex XDR Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
