How to troubleshoot spoofed ip on Palo Alto Networks firewall?
23994
Created On 07/18/20 00:17 AM - Last Modified 03/15/21 21:34 PM
Objective
The purpose of this document is to provide the steps to troubleshoot a spoofed IP address showing in the threat log.
Environment
- PAN-OS versions: 8.1.x, 9.0.x, 9.1.x and 10.0.x.
- Palo Alto Firewall.
- Zone Protection: Packet Based Attack Protection configured.
- Spoofed IP address messages seen in threat log.
Procedure
- Review the traffic log and the threat log. Look for the source IP address, destination IP address, source zone, destination zone, ingress interface, and egress interface:
Traffic log:
Threat log:
Note: The traffic log and the threat log show the traffic originating from different zones and interfaces.
- Configure a packet capture matching the source and destination IP address seen in the logs (Filter and Capture):
- From the Command Line Interface prompt, issue the "show counter global filter packet-filter yes delta yes" command multiple times and look for the flow_dos_pf_ipspoof counter with drop severity:
admin@PaloAlto> show counter global filter packet-filter yes delta yes
Global counters:
Elapsed time since last sampling: 1.132 seconds
name value rate severity category aspect description
------------------------------------------------------------------------------
flow_dos_pf_ipspoof 1 0 drop flow dos Packets dropped: Zone protection option 'discard-ip-spoof
- Review the transmit packet:
- Review the receive packet:
Note: The source MAC address for the source IP is being rewritten by the peer device.
- To resolve the issue, investigate the peer device with the MAC address shown in the receive packet. In a spoofed packet, the MAC address / IP address combination differs from the actual MAC / IP pairing.
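The counter step and the transmit/receive packet review above can be automated when the output is pasted from several firewalls. The following is an added example, not PAN-OS code or a Palo Alto Networks tool: it parses the counter table from "show counter global filter packet-filter yes delta yes" (pasted output from repeated runs can be concatenated), sums the drop-severity deltas, and then models the spoof check on constructed packet-capture frames by testing whether the source IP is routed via the interface it arrived on and whether its source MAC matches the MAC already known for that IP. The counter output, route view, host table and frames are constructed sample data, and the simplified route lookup is an assumption about the check, not the firewall's implementation.

```python
"""Added example for the spoofed-IP troubleshooting steps (not PAN-OS code)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: two runs of "show counter global filter packet-filter yes delta yes"
# pasted one after the other. Counter values are made up for the example.
SAMPLE_COUNTER_OUTPUT = """\
Global counters:
Elapsed time since last sampling: 1.132 seconds

name                    value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
flow_dos_pf_ipspoof         1        0 drop      flow      dos       Packets dropped: Zone protection option 'discard-ip-spoof' enabled
pkt_recv                    4        3 info      packet    pktproc   Packets received
--------------------------------------------------------------------------------
Global counters:
Elapsed time since last sampling: 1.004 seconds

name                    value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
flow_dos_pf_ipspoof         3        2 drop      flow      dos       Packets dropped: Zone protection option 'discard-ip-spoof' enabled
"""

# Columns: name value rate severity category aspect description (description may contain spaces)
COUNTER_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


@dataclass(frozen=True)
class Counter:
    name: str
    value: int
    rate: int
    severity: str
    category: str
    aspect: str
    description: str


def parse_counters(text):
    """Parse every counter row out of one or more pasted 'show counter global' outputs."""
    rows = []
    for line in text.splitlines():
        m = COUNTER_LINE.match(line.strip())
        if m:  # header, separator and 'Elapsed time' lines do not match (no numeric columns)
            name, value, rate, sev, cat, aspect, desc = m.groups()
            rows.append(Counter(name, int(value), int(rate), sev, cat, aspect, desc.strip()))
    return rows


def drop_totals(counters):
    """Sum the delta values per counter name, keeping only severity 'drop'."""
    totals = {}
    for c in counters:
        if c.severity == "drop":
            totals[c.name] = totals.get(c.name, 0) + c.value
    return totals


@dataclass(frozen=True)
class Frame:
    stage: str        # "receive" or "transmit", as in the packet-capture stages
    interface: str    # interface the frame was captured on
    src_mac: str
    src_ip: str
    dst_ip: str


# Constructed route view (assumption): which interface each source prefix should arrive on.
ROUTES = {
    ipaddress.ip_network("10.1.0.0/16"): "ethernet1/1",
    ipaddress.ip_network("192.168.5.0/24"): "ethernet1/2",
}

# Constructed IP-to-MAC view, as would be learned from the ARP table / transmit stage.
KNOWN_HOSTS = {"10.1.2.3": "00:11:22:33:44:55", "192.168.5.10": "66:77:88:99:aa:bb"}

# Constructed capture: the second frame claims a 10.1.0.0/16 source but arrives on ethernet1/2.
SAMPLE_FRAMES = [
    Frame("receive", "ethernet1/1", "00:11:22:33:44:55", "10.1.2.3", "192.168.5.10"),
    Frame("receive", "ethernet1/2", "de:ad:be:ef:00:01", "10.1.2.3", "192.168.5.10"),
]


def expected_interface(src_ip, routes):
    """Longest-prefix match of the source address against the route view."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for net, iface in routes.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def spoof_candidates(frames, routes=ROUTES, known_hosts=KNOWN_HOSTS):
    """Flag receive-stage frames whose source IP is not routed via the ingress interface,
    and note whether the source MAC also differs from the MAC known for that IP."""
    findings = []
    for f in frames:
        if f.stage != "receive":
            continue
        iface = expected_interface(f.src_ip, routes)
        if iface is not None and iface != f.interface:
            known = known_hosts.get(f.src_ip)
            findings.append({
                "src_ip": f.src_ip,
                "ingress": f.interface,
                "expected_ingress": iface,
                "src_mac": f.src_mac,
                "known_mac": known,
                "mac_mismatch": known is not None and known != f.src_mac,
            })
    return findings
```

Run `drop_totals(parse_counters(text))` on the pasted CLI output to confirm that flow_dos_pf_ipspoof is the counter actually incrementing, then feed the receive-stage frames from the capture to `spoof_candidates`: a finding whose `mac_mismatch` is true points at the peer device holding that `src_mac`, which is the device to investigate.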
Additional Information
Getting Started - Packet Capture