No, a VR holds both static and dynamic routes (if used). Let's say your VR looks like this:

Route             Gateway        Interface
0.0.0.0/0         195.1.2.3      eth1
192.168.20.0/24   192.168.10.5   eth2
195.1.2.1/27      -              eth1
192.168.10.1/24   -              eth2

In the example above, using anti-spoofing on the zone with eth2 as a member interface would only allow hosts from the directly connected network 192.168.10.0/24 and the next-hop network 192.168.20.0/24, as these two networks are the only ones with valid return routes. The PAN-device extracts the source IP and source interface (source zone) when the ingress packet arrives.
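The check described in the post above, modelled as a longest-prefix-match return-route lookup over the same VR table. This is an added example, not part of the original post and not PAN-OS code; the zone names `inside` and `outside` and the sample source addresses are constructed, and the rule "return route must leave through the ingress zone" is a simplified model of the behaviour the post describes.

```python
import ipaddress

# VR table from the post: (destination, gateway, interface).
# Connected routes have no gateway.
VR_ROUTES = [
    ("0.0.0.0/0", "195.1.2.3", "eth1"),
    ("192.168.20.0/24", "192.168.10.5", "eth2"),
    ("195.1.2.1/27", None, "eth1"),
    ("192.168.10.1/24", None, "eth2"),
]

# Hypothetical zone names; the post only says eth2 is a member of the protected zone.
ZONE_OF = {"eth1": "outside", "eth2": "inside"}

# strict=False because the connected entries are written with host bits set
# (192.168.10.1/24 is the network 192.168.10.0/24).
TABLE = [(ipaddress.ip_network(dst, strict=False), gw, ifc)
         for dst, gw, ifc in VR_ROUTES]


def return_route(src):
    """Longest-prefix match for the route the VR would use to reply to src."""
    addr = ipaddress.ip_address(src)
    matches = [r for r in TABLE if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def verdict(src, ingress_if):
    """Allow only if the return route to src leaves through the ingress zone."""
    route = return_route(src)
    if route is None:
        return "drop"  # no return route at all
    same_zone = ZONE_OF[route[2]] == ZONE_OF[ingress_if]
    return "allow" if same_zone else "drop"


if __name__ == "__main__":
    # Constructed sample packets: (source IP, ingress interface)
    samples = [("192.168.10.9", "eth2"), ("192.168.20.7", "eth2"),
               ("8.8.8.8", "eth2"), ("195.1.2.10", "eth2"),
               ("8.8.8.8", "eth1"), ("192.168.20.7", "eth1")]
    for src, ifc in samples:
        route = return_route(src)
        print(f"{src:<14} in on {ifc}: return route {route[0]} via {route[2]}"
              f" -> {verdict(src, ifc)}")
```

The default route is what makes an arbitrary internet source fail on eth2: it always has a return route, but that route points out eth1, which is in a different zone.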