What is the difference between "Spoofed IP address" and "Strict IP Address Check" in Zone Protection

21393
Created On 09/14/21 08:18 AM - Last Modified 07/31/23 12:48 PM


Question


What are the differences between "Spoofed IP address" and "Strict IP Address Check" in Zone Protection?

Environment


  • All PAN-OS versions
  • Firewall
  • Zone Protection enabled with "Spoofed IP address" and "Strict IP Address Check"


Answer


Spoofed IP address check Behaviour in the Firewall
  • When Spoofed IP address is enabled, the firewall performs a reverse route lookup on the source IP and verifies that the interface the route points to belongs to the same zone as the ingress interface.
  • Here the firewall only checks that the zones match; it does not check whether the interfaces are the same.
  • The firewall performs the Spoofed IP address check in the slowpath stage. The debug log below is an example of this.
    Packet received at ingress stage, tag 0, type ORDERED
    Packet info: len 98 port 18 interface 18 vsys 1
      wqe index 62184 packet 0x0xc005959a00, HA: 0, IC: 0
    Packet decoded dump:
    L2:     00:50:56:9b:da:e4->00:50:56:9b:5f:a5, type 0x0800
    IP:     20.20.20.1->10.10.10.2, protocol 1
            version 4, ihl 5, tos 0x00, len 84,
            id 35688, frag_off 0x4000, ttl 64, checksum 8307(0x7320)
    ICMP:   type 8, code 0, checksum 11017, id 59261, seq 1
    Flow lookup, msgtype 0, wp.sport 8,wp.dport 0, wp.l4info 524288 key word0 0x10002e77d0001 word1 0  word2 0x1141414ffff0000 word3 0x0 word4 0x20a0a0affff0000
    Session setup: vsys 1
    No active flow found, enqueue to create session
    
    == 2021-09-14 00:02:08.767 -0700 ==
    Packet received at slowpath stage, tag 4248029283, type ATOMIC
    Packet info: len 98 port 18 interface 18 vsys 1
      wqe index 62184 packet 0x0xc005959a00, HA: 0, IC: 0
    Packet decoded dump:
    L2:     00:50:56:9b:da:e4->00:50:56:9b:5f:a5, type 0x0800
    IP:     20.20.20.1->10.10.10.2, protocol 1
            version 4, ihl 5, tos 0x00, len 84,
            id 35688, frag_off 0x4000, ttl 64, checksum 8307(0x7320)
    ICMP:   type 8, code 0, checksum 11017, id 59261, seq 1
    Session setup: vsys 1
    Packet dropped, IP spoof on interface ethernet1/3               <<<==========
    Packet dropped, Session setup failed

Strict IP Address Check Behaviour in the Firewall
  • When Strict IP Address Check is enabled, the firewall checks two conditions. If either condition fails, the firewall drops the packet.
  1. The firewall checks whether the source or destination IP is the same as a network interface address, broadcast address, loopback address, link-local address, unspecified address, or an address reserved for future use.
  2. The firewall performs a reverse route lookup on the source IP. The source IP must be routable over the ingress interface of the traffic. Here the firewall performs the check at the interface level, not at the zone level.
  • The firewall performs the "Strict IP Address" check in the ingress stage itself. The debug log below is an example of this.
    Packet received at ingress stage, tag 0, type ORDERED
    Packet info: len 98 port 18 interface 18 vsys 1
      wqe index 62190 packet 0x0xc00722a280, HA: 0, IC: 0
    Packet decoded dump:
    L2:     00:50:56:9b:da:e4->00:50:56:9b:5f:a5, type 0x0800
    IP:     20.20.20.1->10.10.10.2, protocol 1
            version 4, ihl 5, tos 0x00, len 84,
            id 43157, frag_off 0x4000, ttl 64, checksum 62293(0x55f3)
    ICMP:   type 8, code 0, checksum 40388, id 52606, seq 1
    source ip address in packet does not belong to interface address     <<<=========
    Packet dropped, zone protection triggered on interface ethernet1/3
  • If both "Spoofed IP address" and "Strict IP Address" are enabled in the zone protection profile, the firewall drops the packet due to "Strict IP Address", because that check happens in the ingress stage itself.
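To make the difference concrete, here is an added Python model of the two checks (example code, not PAN-OS code): a constructed routing table and interface-to-zone map, a longest-prefix reverse route lookup, the zone-level test of "Spoofed IP address", and the address-class and interface-level tests of "Strict IP Address Check", applied in the stage order described above. The interface names, addresses and routes are assumptions chosen so that 20.20.20.1 arriving on ethernet1/3 reproduces the two drops shown in the debug logs.

```python
import ipaddress

# Constructed topology (assumption, not a real PAN-OS config): ethernet1/3 and
# ethernet1/4 share zone "untrust"; ethernet1/2 is in zone "trust".
INTERFACES = {
    "ethernet1/2": ("trust", ipaddress.ip_interface("10.10.10.1/24")),
    "ethernet1/3": ("untrust", ipaddress.ip_interface("203.0.113.1/24")),
    "ethernet1/4": ("untrust", ipaddress.ip_interface("198.51.100.1/24")),
}
# Static routes as (prefix, egress interface); 20.20.20.0/24 lives behind trust.
ROUTES = [(ipaddress.ip_network(p), i) for p, i in [
    ("10.10.10.0/24", "ethernet1/2"), ("20.20.20.0/24", "ethernet1/2"),
    ("198.51.100.0/24", "ethernet1/4"), ("203.0.113.0/24", "ethernet1/3"),
    ("0.0.0.0/0", "ethernet1/3")]]

def reverse_route_lookup(src):
    """Longest-prefix match of the source IP; returns the egress interface."""
    hits = [(net, iface) for net, iface in ROUTES if src in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def spoofed_ip_check(src, ingress):
    """Spoofed IP address: the route back to src must leave via the ingress ZONE."""
    egress = reverse_route_lookup(src)
    if egress is None or INTERFACES[egress][0] != INTERFACES[ingress][0]:
        return f"IP spoof on interface {ingress}"
    return None

def strict_ip_check(src, dst, ingress):
    """Strict IP Address Check: special-address test, then INTERFACE-level route test."""
    own = {addr.ip for _, addr in INTERFACES.values()}
    bcast = INTERFACES[ingress][1].network.broadcast_address
    for ip in (src, dst):
        if (ip in own or ip == bcast or ip.is_loopback or ip.is_link_local
                or ip.is_unspecified or ip.is_reserved):
            return f"invalid address {ip}"
    if reverse_route_lookup(src) != ingress:
        return "source ip address in packet does not belong to interface address"
    return None

def zone_protection(src, dst, ingress, spoofed=True, strict=True):
    """Apply the checks in PAN-OS order: strict at ingress, spoofed at slowpath."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if strict and (why := strict_ip_check(src, dst, ingress)):
        return f"dropped at ingress: {why}"
    if spoofed and (why := spoofed_ip_check(src, ingress)):
        return f"dropped at slowpath: {why}"
    return "forwarded"
```

Calling `zone_protection("198.51.100.7", "10.10.10.2", "ethernet1/3", spoofed=True, strict=False)` returns "forwarded" because ethernet1/4 is in the same zone, while the same packet with `strict=True` is dropped at ingress: that is the zone-versus-interface distinction the article describes.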
     


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004LnmCAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail