09-21-2020 08:18 AM
Hi All
I have a scenario where the traffic works fine if it's forwarded by the routing table (and NAT is applied).
When I used PBF, it didn't work. Checking global counters, I found packets are dropped and the reason is the "strict ip" option in the zone protection profile.
I ran debug flow basic and got this message:
"source ip address in packet does not belong to interface address, packet dropped"
Unchecking this option fixed the issue.
I did a little research on this option and found it's related to malformed packets, not spoofing.
We have the spoofing check enabled but it's not affecting the operation (tried disabling it but everything is the same).
So I see strict is making the spoof check but on the return traffic. Is that normal?!
PAN OS 9.0.9-h1
Thanks!