Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
“欺骗”有什么区别IP地址”和“严格IP区域保护中的“地址检查” - Knowledge Base - Palo Alto Networks

“欺骗”有什么区别IP地址”和“严格IP区域保护中的“地址检查”

25093
Created On 09/14/21 08:18 AM - Last Modified 07/31/23 12:48 PM


Question


“欺骗”和“欺骗”之间有什么区别IP地址”和“严格IP区域保护中的地址检查”?

Environment


  • 全部PAN-OS版本
  • Firewall
  • 区域保护启用“欺骗IP地址”和“严格IP地址查询"

Answer


欺骗IP地址检查行为在 Firewall
  • 当欺骗IP地址被启用时,firewall将对源执行反向路由查找IP并验证接口是否与入口接口的区域属于同一区域。
  • 这里Firewall只检查区域是否相同,不检查接口是否相同。
  • Firewall 执行欺骗IP地址在慢路径阶段。 下面的调试日志是相同的示例。
    Packet received at ingress stage, tag 0, type ORDERED
Packet info: len 98 port 18 interface 18 vsys 1
  wqe index 62184 packet 0x0xc005959a00, HA: 0, IC: 0
Packet decoded dump:
L2:     00:50:56:9b:da:e4->00:50:56:9b:5f:a5, type 0x0800
IP:     20.20.20.1->10.10.10.2, protocol 1
        version 4, ihl 5, tos 0x00, len 84,
        id 35688, frag_off 0x4000, ttl 64, checksum 8307(0x7320)
ICMP:   type 8, code 0, checksum 11017, id 59261, seq 1
Flow lookup, msgtype 0, wp.sport 8,wp.dport 0, wp.l4info 524288 key word0 0x10002e77d0001 word1 0  word2 0x1141414ffff0000 word3 0x0 word4 0x20a0a0affff0000
Session setup: vsys 1
No active flow found, enqueue to create session

== 2021-09-14 00:02:08.767 -0700 ==
Packet received at slowpath stage, tag 4248029283, type ATOMIC
Packet info: len 98 port 18 interface 18 vsys 1
  wqe index 62184 packet 0x0xc005959a00, HA: 0, IC: 0
Packet decoded dump:
L2:     00:50:56:9b:da:e4->00:50:56:9b:5f:a5, type 0x0800
IP:     20.20.20.1->10.10.10.2, protocol 1
        version 4, ihl 5, tos 0x00, len 84,
        id 35688, frag_off 0x4000, ttl 64, checksum 8307(0x7320)
ICMP:   type 8, code 0, checksum 11017, id 59261, seq 1
Session setup: vsys 1
Packet dropped, IP spoof on interface ethernet1/3
Packet dropped, Session setup failed

严格的IP地址查询中的行为Firewall
  • 当严格IP地址检查已启用firewall检查 2 个条件。 如果下列条件之一不成立firewall将丢弃数据包。
  1. 这firewall检查源或目标IP与网络接口地址、广播地址、环回地址、链路本地地址、未指定地址或保留以供将来使用相同。
  2. 这firewall将对源执行反向路由查找IP. 来源IP必须可通过流量的入口接口进行路由。 这里的firewall将在接口级别而不是区域上执行检查。
  • Firewall 将执行“严IP地址”在入口阶段本身。 下面的调试日志是相同的示例。
    Packet received at ingress stage, tag 0, type ORDERED
Packet info: len 98 port 18 interface 18 vsys 1
  wqe index 62190 packet 0x0xc00722a280, HA: 0, IC: 0
Packet decoded dump:
L2:     00:50:56:9b:da:e4->00:50:56:9b:5f:a5, type 0x0800
IP:     20.20.20.1->10.10.10.2, protocol 1
        version 4, ihl 5, tos 0x00, len 84,
        id 43157, frag_off 0x4000, ttl 64, checksum 62293(0x55f3)
ICMP:   type 8, code 0, checksum 40388, id 52606, seq 1
source ip address in packet does not belong to interface address
Packet dropped, zone protection triggered on interface ethernet1/3
  • 如果两者都“被欺骗IP地址”和“严格IP地址"在区域保护中启用,则firewall将丢弃数据包由于“严格IP地址”,因为检查发生在入口阶段本身。
     
Other users also viewed:
How to download GlobalProtect from the Customer Support Portal
Download and Install the GlobalProtect App for Windows
Resource List: GlobalProtect Configuring and Troubleshooting
PAN-OS Software Updates
Where to find the current preferred software versions? (PAN-OS, GlobalProtect, User-ID Agent, Plugins)
Results 1-5 of 238,684
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004LnmCAE&lang=zh_CN&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language