Packets dropped: Zone protection option 'strict-ip-check'

Created On 05/14/20 00:23 AM - Last Modified 01/10/24 18:47 PM


Symptom


  • Ping and traceroute to the destination are not successful.
  • Troubleshooting with global counters shows strict-ip-check as the cause of the packet drops.
> show counter global filter delta yes packet-filter yes
...
               Packets dropped: Zone protection option 'strict-ip-check'


Environment


  • PAN-OS 9.0.6
  • Palo Alto Firewall.
  • Packet drops to some destinations through the firewall.
  • Zone Protection with Strict IP check configured.


Cause


Packets are discarded because of malformed source or destination IP addresses.
Example: Strict IP Address Check discards packets where the source or destination IP address is the same as the network interface address, is a broadcast address, a loopback address, a link-local address, an unspecified address, or is reserved for future use.
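
To find out which of the address categories listed above a dropped flow falls into, the following added example (not Palo Alto Networks code and not the firewall's own implementation) classifies a packet's source and destination against that list. The function names, the sample interface addresses and the IPv4-only 240.0.0.0/4 test for "reserved for future use" are assumptions made for illustration.

```python
import ipaddress

RESERVED_V4 = ipaddress.ip_network("240.0.0.0/4")          # "reserved for future use" (assumed IPv4 only)
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

def strict_ip_reasons(addr, interfaces):
    """Return the categories from the Cause list that `addr` matches.

    `interfaces` holds firewall interface addresses in CIDR form,
    e.g. "192.0.2.1/24" (constructed sample values, not from the article).
    """
    ip = ipaddress.ip_address(addr)
    reasons = []
    for cidr in interfaces:
        iface = ipaddress.ip_interface(cidr)
        if iface.version != ip.version:
            continue
        if ip == iface.ip:
            reasons.append("same as interface address")
        # A directed broadcast only exists on IPv4 subnets larger than /31.
        if (ip.version == 4 and iface.network.prefixlen < 31
                and ip == iface.network.broadcast_address):
            reasons.append("broadcast")
    if ip == LIMITED_BROADCAST:
        reasons.append("broadcast")
    if ip.is_loopback:
        reasons.append("loopback")
    if ip.is_link_local:
        reasons.append("link-local")
    if ip.is_unspecified:
        reasons.append("unspecified")
    # 255.255.255.255 sits inside 240.0.0.0/4 but is reported as broadcast only.
    if ip.version == 4 and ip in RESERVED_V4 and ip != LIMITED_BROADCAST:
        reasons.append("reserved for future use")
    return reasons

def check_packet(src, dst, interfaces):
    """Classify both addresses of a packet; an empty list means no category matched."""
    return {"src": strict_ip_reasons(src, interfaces),
            "dst": strict_ip_reasons(dst, interfaces)}

if __name__ == "__main__":
    # Constructed sample: a ping to the directed broadcast of the interface subnet.
    print(check_packet("192.0.2.10", "192.0.2.255", ["192.0.2.1/24"]))
```

If both lists come back empty for the affected flow, the addresses match none of the listed categories and the drop counter needs further investigation on the firewall itself.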


Resolution


  1. First, check which Zone Protection profile is involved.
  2. Uncheck the "Strict IP Address Check" option in the GUI under Network > Network Profiles > Zone Protection > Packet Based Attack Protection > Strict IP Address Check.




 


Additional Information


Please also check 

What is the difference between "Spoofed IP address" and "Strict IP Address Check" in Zone Protection


