Packets dropped: Zone protection option 'strict-ip-check' - Knowledge Base - Palo Alto Networks

Packets dropped: Zone protection option 'strict-ip-check'

38440

Created On 05/14/20 00:23 AM - Last Modified 01/10/24 18:47 PM

Zone Protection

Zone and DoS Protection

9.0

PAN-OS

Symptom

Ping and trace-route to the destination are not successful.
Troubleshooting using global counters display strict-ip-check as the cause of packet drops.

> show counter global filter delta yes packet-filter yes
...
               Packets dropped: Zone protection option 'strict-ip-check

Environment

PANOS-9.0.6
Palo Alto Firewall.
Packet drops to some destinations through the firewall.
Zone Protection with Strict IP check configured.

Cause

Packets are discarded because of malformed source or destination IP addresses.
Example: Discard packets where the source or destination IP address is the same as the network interface address, is a broadcast address, a loopback address, a link-local address, an unspecified address, or is reserved for future use

Resolution

First check which zone protection profile is involved

Unchecked the "Strict IP Address Check" option under GUI: network > network-profiles >zone-protection > packet base attack protection > Strict IP Address Check.

Additional Information

Please also check

What is the difference between "Spoofed IP address" and "Strict IP Address Check" in Zone Protection

Other users also viewed:

How to download GlobalProtect from the Customer Support Portal

Download and Install the GlobalProtect App for Windows

Resource List: GlobalProtect Configuring and Troubleshooting

PAN-OS Software Updates

Where to find the current preferred software versions? (PAN-OS, GlobalProtect, User-ID Agent, Plugins)