Traffic getting dropped on PA-VM in AWS in GWLB mode when zone protection profile is applied with "Spoofed IP address" and/or "Strict IP Address Check".

Created On 02/07/22 08:12 AM - Last Modified 07/29/25 01:38 AM


Symptom


  • Traffic getting dropped on PA-VM in AWS deployed in GWLB mode when zone protection profile is applied with "Spoofed IP address" and/or "Strict IP Address Check".
Details:
  • A PA-VM deployed in AWS in GWLB mode resembles a router-on-a-stick configuration: one parent interface carries several 802.1q sub-interfaces.
name                id    vsys zone             forwarding               tag    address
------------------- ----- ---- ---------------- ------------------------ ------ ------------------
ethernet1/1         16    1    Zone1            vr:virtual-router        0      10.11.0.241/24
ethernet1/1.100     256   1    Zone2            vr:virtual-router        100    N/A
ethernet1/1.200     257   1    Zone3            vr:virtual-router        200    N/A
ethernet1/1.300     258   1    Zone4            vr:virtual-router        300    N/A
  • Even though the sub-interfaces are of type "Layer 3", no IP addresses are assigned to them and no routes point to them.
admin@PA-vm> show interface ethernet1/1.100
--------------------------------------------------------------------------------
Name: ethernet1/1.100, ID: 256, 802.1q tag: 100
Operation mode: layer3
Virtual router virtual-router
Interface MTU 1500
Interface management profile: N/A
Service configured: 
Zone: obew-ap-southeast-1, virtual system: vsys1
Adjust TCP MSS: no
Policing: no
  • The forwarding decisions are made based on VPC endpoint to sub-interface mapping.
  • In the routing table, routes are mapped only to the parent interface (ethernet1/1 in this example).
  • When a zone protection profile with the "Spoofed IP address" check is applied to zones associated with a sub-interface, all traffic arriving on that sub-interface is dropped as IP-spoofed, and the flow_dos_pf_ipspoof global counter increments (show counter global filter delta yes).
admin@PA-vm> show routing route
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast


VIRTUAL ROUTER: virtual-router (id 2)
  ==========
destination                                 nexthop                                 metric flags      age   interface          next-AS

0.0.0.0/0                                   10.11.0.1                              10     A S              ethernet1/1
10.11.0.0/24                                10.11.0.241                            0      A C              ethernet1/1
10.11.0.241/32                              0.0.0.0                                 0      A H
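To confirm the symptom from the CLI evidence the article names, the following added example (not part of the article or of Palo Alto Networks' tooling) parses a delta sample of "show counter global filter delta yes" and reports whether flow_dos_pf_ipspoof is incrementing. The counter output embedded here is constructed, and its column layout (name, value, rate, severity, category, aspect, description) approximates what PAN-OS prints; adjust the regular expression if your version's columns differ.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of "show counter global filter delta yes" output.
# Not captured from a real firewall; values are illustrative only.
SAMPLE_COUNTER_OUTPUT = """\
Global counters:
Elapsed time since last sampling: 5.3 seconds

name                  value   rate severity  category  aspect   description
--------------------------------------------------------------------------------
pkt_recv              1342    253  info      packet    pktproc  Packets received
pkt_sent              1198    226  info      packet    pktproc  Packets transmitted
flow_dos_pf_ipspoof   144     27   drop      flow      dos      Packets dropped: Zone protection protocol 'ipspoof'
flow_fwd_l3_ttl_zero  2       0    drop      flow      forward  Packets dropped: IP TTL reached zero
--------------------------------------------------------------------------------
Total counters shown: 4
"""

# One counter row: a name, two integer columns, three word columns, free-text description.
COUNTER_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+(?P<severity>\S+)\s+"
    r"(?P<category>\S+)\s+(?P<aspect>\S+)\s+(?P<description>.*)$"
)

# Counter the article ties to the GWLB sub-interface spoof drops.
SPOOF_COUNTER = "flow_dos_pf_ipspoof"


def parse_counters(text: str) -> List[Dict[str, str]]:
    """Return one dict per counter row; header, separator and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = COUNTER_LINE.match(line.strip())
        if match:
            rows.append(match.groupdict())
    return rows


def spoof_drop_delta(text: str) -> int:
    """Number of packets dropped as IP-spoofed in the sampled interval (0 if absent)."""
    for row in parse_counters(text):
        if row["name"] == SPOOF_COUNTER:
            return int(row["value"])
    return 0


def diagnose(text: str) -> Tuple[bool, str]:
    """Decide whether the delta sample shows the zone-protection spoof drops."""
    delta = spoof_drop_delta(text)
    if delta > 0:
        return True, (f"{SPOOF_COUNTER} increased by {delta} in this interval: "
                      "check zone protection profiles on the GWLB sub-interface zones "
                      "for 'Spoofed IP address' / 'Strict IP Address Check'.")
    return False, f"{SPOOF_COUNTER} did not increment in this interval."


if __name__ == "__main__":
    hit, message = diagnose(SAMPLE_COUNTER_OUTPUT)
    print(message)
```

Run it against a pasted delta sample taken while the affected traffic is flowing; a zero delta on the spoof counter points away from this article's cause.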


Environment


  • PA-VM in AWS.
  • PAN-OS 10.0 and above.
  • GWLB mode deployed.
  • Zone protection applied on sub-interfaces.


Cause


  • "Spoofed IP address" and "Strict IP Address Check" are not supported on a PA-VM deployed in AWS in GWLB mode.
  • Anti-spoofing is already handled by AWS, and it is enabled in AWS by default.
  • It is recommended to use a strict network security group that restricts communication within the subnet to the GWLB.
  • Because AWS enforces a strong anti-spoofing policy by default, this check was deemed unnecessary on the PA-VM firewall in this deployment mode.


Resolution


  1. Disable the "Spoofed IP address" and "Strict IP Address Check" options in the associated zone protection profiles.
  2. In the GUI, go to Network > Network Profiles > Zone Protection > (profile name) > Packet Based Attack Protection and uncheck "Spoofed IP address" and "Strict IP Address Check".
  3. Click "OK" and "Commit" the changes.
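Before committing, it helps to find every zone that is still carrying the unsupported settings. The following is an added example, not from the article or from Palo Alto Networks: a Python audit over a running-config XML export that lists zones bound to 802.1q sub-interfaces whose zone protection profile enables either option. The configuration excerpt is constructed, and the element names it relies on (zone-protection-profile/entry with discard-ip-spoof and strict-ip-check, and zone/entry/network/layer3/member) are assumed to match what PAN-OS exports; verify them against your own "show config running" output before relying on the result.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed excerpt shaped like a PAN-OS running-config export (assumed element names).
SAMPLE_CONFIG = """\
<config><devices><entry name="localhost.localdomain">
  <network><profiles><zone-protection-profile>
    <entry name="zpp-strict">
      <discard-ip-spoof>yes</discard-ip-spoof>
      <strict-ip-check>yes</strict-ip-check>
      <discard-malformed-option>yes</discard-malformed-option>
    </entry>
    <entry name="zpp-gwlb">
      <discard-malformed-option>yes</discard-malformed-option>
    </entry>
  </zone-protection-profile></profiles></network>
  <vsys><entry name="vsys1"><zone>
    <entry name="Zone1"><network>
      <zone-protection-profile>zpp-strict</zone-protection-profile>
      <layer3><member>ethernet1/1</member></layer3>
    </network></entry>
    <entry name="Zone2"><network>
      <zone-protection-profile>zpp-strict</zone-protection-profile>
      <layer3><member>ethernet1/1.100</member></layer3>
    </network></entry>
    <entry name="Zone3"><network>
      <zone-protection-profile>zpp-gwlb</zone-protection-profile>
      <layer3><member>ethernet1/1.200</member></layer3>
    </network></entry>
  </zone></entry></vsys>
</entry></devices></config>
"""

# Zone protection options the article says are unsupported in GWLB mode
# (assumed XML names for "Spoofed IP address" and "Strict IP Address Check").
UNSUPPORTED_IN_GWLB = ("discard-ip-spoof", "strict-ip-check")


def unsupported_options(config_xml: str) -> Dict[str, List[str]]:
    """Map each zone protection profile name to the unsupported options it enables."""
    root = ET.fromstring(config_xml)
    profiles: Dict[str, List[str]] = {}
    for entry in root.iterfind(".//network/profiles/zone-protection-profile/entry"):
        enabled = [opt for opt in UNSUPPORTED_IN_GWLB
                   if (entry.findtext(opt) or "").strip() == "yes"]
        profiles[entry.get("name", "")] = enabled
    return profiles


def audit_gwlb_zones(config_xml: str,
                     subinterfaces_only: bool = True) -> List[Tuple[str, str, str]]:
    """Return (zone, profile, option) for each zone whose profile enables an
    unsupported option. By default only zones with an 802.1q sub-interface
    member (interface name containing '.') are reported, matching the symptom."""
    root = ET.fromstring(config_xml)
    profiles = unsupported_options(config_xml)
    findings: List[Tuple[str, str, str]] = []
    for zone in root.iterfind(".//vsys/entry/zone/entry"):
        profile = zone.findtext("network/zone-protection-profile")
        if not profile:
            continue
        members = [m.text or "" for m in zone.iterfind("network/layer3/member")]
        if subinterfaces_only and not any("." in m for m in members):
            continue
        for opt in profiles.get(profile, []):
            findings.append((zone.get("name", ""), profile, opt))
    return findings


if __name__ == "__main__":
    for zone, profile, opt in audit_gwlb_zones(SAMPLE_CONFIG):
        print(f"zone {zone}: profile {profile} enables {opt}; disable it before commit")
```

Passing subinterfaces_only=False widens the report to every zone using the options, which matches the Cause section's statement that neither option is supported on the PA-VM in GWLB mode regardless of interface type.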