When configuring firewall settings, particularly in a Zone Protection profile on Palo Alto Networks (PAN-OS), it’s important to understand the difference between the “Spoofed IP Address” check and the “Strict IP Address” check. This post explains the behavior of each and how they work in conjunction.
Spoofed IP Address Check
How it Works
When the Spoofed IP Address check is enabled, the firewall performs a reverse route lookup for the source IP of incoming packets. This check is performed during the slow path processing stage of the firewall, a stage of packet processing that handles exceptions, or packets that don’t match any pre-existing session and require more intensive CPU processing.
Why is it important?
This check is crucial in preventing IP address spoofing, where an attacker forges the source IP address in the packet’s header to disguise its origin.
Example Log
Here’s an example of a debug log entry that indicates a packet has been dropped due to IP spoofing:
Packet received at slowpath stage... IP: 20.20.20.1->10.10.10.2... Packet dropped, IP spoof on interface ethernet1/3
Strict IP Address Check
How it Works
On the other hand, when the Strict IP Address Check is enabled, the firewall performs validations on the incoming packet at the ingress stage. This is the initial phase when a packet first enters the firewall, making preliminary decisions before deeper inspections or modifications. The firewall performs two validations on the incoming packet and will drop it if either condition fails:
1. It verifies if the source or destination IP addresses match any particular addresses such as network interface address, broadcast address, loopback address, link-local address, unspecified address, or reserved for future use.
2. Similar to the Spoofed IP Address Check, it performs a reverse route lookup for the source IP, but in this case, the source IP must be routable over the ingress interface itself. This means it checks on the interface level rather than the zone level.
Unlike the Spoofed IP Address Check, the Strict IP Address Check is performed at the ingress stage.
Why is it important?
This check is essential in ensuring packets have valid IP addresses corresponding to the network topology. It helps maintain the integrity and authenticity of the traffic flowing through the firewall.
Example Log
Here’s an example of a debug log entry that indicates a packet has been dropped due to strict IP address checking:
Packet received at ingress stage... IP: 20.20.20.1->10.10.10.2... Packet dropped, zone protection triggered on interface ethernet1/3
Using Both Checks Together
When both the “Spoofed IP Address” and “Strict IP Address” checks are enabled in Zone Protection, the “Strict IP Address” check takes precedence since it is performed at the ingress stage. If the packet fails the “Strict IP Address” check, it will be dropped immediately and not be subjected to the “Spoofed IP Address” check.
Summary
In summary, the Spoofed IP Address Check and Strict IP Address Check are two mechanisms that protect your network against malicious traffic. While the Spoofed IP Address Check helps prevent IP spoofing by checking if the source IP’s interface belongs to the same zone as the ingress interface, the Strict IP Address Check ensures that packets have valid IP addresses and are routable over the ingress interface. When both are enabled, Strict IP Address Check takes precedence.