Palo Alto Networks Knowledgebase: Return Traffic is Denied with PBF and Spoofed IP Enabled Under Zone Protection

Return Traffic is Denied with PBF and Spoofed IP Enabled Under Zone Protection

Created On 02/07/19 23:45 PM - Last Updated 02/07/19 23:45 PM

Overview

Policy-based forwarding (PBF) is generally used when there are two ISPs, or two routes by which traffic can reach the next hop. PBF takes precedence over the routing table. If PBF fails, the routing table is used to route the traffic.


Issue

Traffic stops working when a PBF policy is in place and a static route has been added that points to a redundant path. Traffic also stops working when a zone protection profile with the "spoofed IP address" check enabled is applied to the zone.


Traffic is dropped due to zone protection.


(active)> show counter global filter packet-filter yes delta yes

flow_dos_pf_ipspoof                        2        0 drop      flow      dos       Packets dropped: Zone protection option 'discard-ip-spoof


Cause

The IP spoof check uses the routing table to verify that a packet's source IP address arrived on the interface the routing table would use to reach that address. With PBF enabled, the traffic travels over a different interface than the one the routing table selects. When the routing table points to a different interface, the firewall treats the packet as spoofed and discards it.
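To make the cause concrete, the following is a small added model of the routing-table-based spoof check (example code written for this note, not code from the article or from PAN-OS). The reply from the server comes back on the interface that PBF chose for the outbound flow, but a longest-prefix-match lookup of the server's address in the routing table selects the default route's interface, so the check fires. Interface names, prefixes and addresses are constructed.

```python
import ipaddress

# Constructed topology (example values, not from the article):
# ethernet1/1 = ISP1 (default route), ethernet1/2 = ISP2 (reached only via PBF),
# ethernet1/3 = inside network.
ROUTES = [("0.0.0.0/0", "ethernet1/1"), ("10.0.0.0/8", "ethernet1/3")]
INSIDE_HOST = "10.1.1.50"


def route_lookup(ip, routes=ROUTES):
    """Longest-prefix match over the routing table; returns the egress interface."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def pbf_egress(src_ip, pbf_rules):
    """First PBF rule whose source prefix matches wins; None means fall back to routing."""
    addr = ipaddress.ip_address(src_ip)
    for prefix, iface in pbf_rules:
        if addr in ipaddress.ip_network(prefix):
            return iface
    return None


def spoof_check_passes(src_ip, ingress_iface, routes=ROUTES):
    """Model of the 'discard-ip-spoof' zone protection option: the packet's source must
    be reachable via the interface it arrived on, judged by the routing table alone.
    PBF rules are deliberately not consulted; that is the mismatch the article describes."""
    return route_lookup(src_ip, routes) == ingress_iface


def return_traffic_verdict(server_ip, pbf_rules, spoof_check_enabled):
    """Send INSIDE_HOST -> server_ip outbound, then judge the server's reply on its way back."""
    egress = pbf_egress(INSIDE_HOST, pbf_rules) or route_lookup(server_ip)
    # The reply arrives on the same interface the request left on.
    if spoof_check_enabled and not spoof_check_passes(server_ip, egress):
        return "drop (flow_dos_pf_ipspoof)"
    return "allow"


if __name__ == "__main__":
    pbf = [("10.0.0.0/8", "ethernet1/2")]  # steer all inside traffic out via ISP2
    print(return_traffic_verdict("203.0.113.10", pbf, True))   # drop (flow_dos_pf_ipspoof)
    print(return_traffic_verdict("203.0.113.10", pbf, False))  # allow
    print(return_traffic_verdict("203.0.113.10", [], True))    # allow
```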


Resolution

Disable the "spoofed IP address" check in the zone protection profile applied to the affected zone.


owner: ashaikh
