Palo Alto Networks Knowledgebase: Return Traffic is Denied with PBF and Spoofed IP Enabled Under Zone Protection
Created On 02/07/19 23:45 PM - Last Updated 02/07/19 23:45 PM
PBF is generally used when there are two ISPs, or when there are two routes by which traffic can reach the next hop. PBF takes precedence over the routing table; if PBF fails, the routing table is used to route the traffic.
Traffic stops working when a PBF policy is in place and a static route has been added that points to a redundant route. Traffic also stops working when zone protection is configured with "spoofed IP address" enabled.
Traffic is dropped due to zone protection, as the global counters show:
(active)> show counter global filter packet-filter yes delta yes
flow_dos_pf_ipspoof 2 0 drop flow dos Packets dropped: Zone protection option 'discard-ip-spoof
IP spoof protection uses the routing table to verify that the source IP of arriving traffic is reachable through the interface on which it arrived. With PBF enabled, the traffic leaves on (and the return traffic arrives on) a different interface. If the routing table points to a different interface for that source IP, the device concludes the packet has been spoofed and discards it.
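The interaction described above, modelled as an added example that is not code from the KB article or from PAN-OS: a small routing table, one PBF rule, and a spoof check that does a route lookup on the packet's source address and compares the result with the ingress interface. The interface names, prefixes and addresses are constructed for the illustration; the counter name in the drop reason is the one the article shows.

```python
import ipaddress

# Constructed topology (assumption, not from the article):
#   ethernet1/1 = ISP-A, reached via the routing table's default route
#   ethernet1/2 = ISP-B, reached only through a PBF rule
#   ethernet1/3 = internal (trust) network
ROUTING_TABLE = [
    (ipaddress.ip_network("10.0.0.0/8"), "ethernet1/3"),
    (ipaddress.ip_network("0.0.0.0/0"), "ethernet1/1"),
]

# PBF: steer one internal subnet out through ISP-B. PBF is consulted
# before the routing table, exactly as the article describes.
PBF_RULES = [
    (ipaddress.ip_network("10.1.0.0/16"), "ethernet1/2"),
]


def route_lookup(ip):
    """Longest-prefix match over the routing table; returns the interface."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, iface in ROUTING_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def pbf_lookup(src_ip):
    """First PBF rule whose source network matches, or None."""
    addr = ipaddress.ip_address(src_ip)
    for net, iface in PBF_RULES:
        if addr in net:
            return iface
    return None


def egress_interface(src_ip, dst_ip):
    """PBF takes precedence; fall back to the routing table."""
    return pbf_lookup(src_ip) or route_lookup(dst_ip)


def spoof_check(src_ip, ingress_iface):
    """Zone protection 'discard-ip-spoof' as the article explains it: the
    routing table must point back out the ingress interface for the source.
    Returns (allowed, reason)."""
    expected = route_lookup(src_ip)
    if expected == ingress_iface:
        return True, "ok"
    return False, (f"flow_dos_pf_ipspoof: source {src_ip} expected on "
                   f"{expected}, arrived on {ingress_iface}")


def simulate_session(client_ip, server_ip):
    """Outbound packet picks an egress interface; the reply comes back on the
    same ISP link and is subjected to the spoof check."""
    out_iface = egress_interface(client_ip, server_ip)
    return spoof_check(server_ip, out_iface)


if __name__ == "__main__":
    # Client covered by the PBF rule: reply arrives on ethernet1/2, but the
    # routing table says the server is reachable via ethernet1/1 -> dropped.
    print(simulate_session("10.1.5.5", "203.0.113.10"))
    # Client routed by the routing table only: reply arrives on ethernet1/1,
    # which matches the route lookup -> allowed.
    print(simulate_session("10.2.5.5", "203.0.113.10"))
```

Running the script shows the same asymmetry the counter in the article records: only the session whose egress was chosen by PBF is dropped, because the spoof check consults the routing table rather than the PBF decision.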