This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Who Me Too'd this topic

PBF conflict with "ip strict option" in zoon protection

Elmokadem
L2 Linker

‎09-21-2020 08:18 AM

Hi All

i have a scenario where the traffic works fine if it's forwarded by the routing table (and nat is applied)

when i used pbf, it didn't work, checking global counters i found oacket are dropped and the reason is "strict ip" option in the zone protection profile.

I run debug flow basic and got this message : 

"source ip address in packet does not belong to interface address, packet dropped" 

unchecking this option fixed the issue.

 

I did little research on this option and found it's releated to malformed packets not spoofing 

 

we have spoofing check enabled but it's not affecting the operation (tried disabling it but everything is same)

 

So i see strict is making the spoof check but on the return traffic . Is that normal ?! 

 

PAN OS 9.0.9-h1

 

Thanks!

Mostafa Elmokadem
1 person had this problem.
Who Me Too'd this topic
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks