When Spoofed IP Address is enabled, the Palo Alto firewall performs a reverse route lookup on the packet's source IP and checks that the route back to that source leaves through an interface in the same zone as the ingress interface. This is a zone-level check only: a source that is reachable through a different interface in the same zone still passes.
When Strict IP Address Check is enabled, the firewall enforces two conditions:
1. It drops packets if the source/destination IP matches any of the following:
– Network interface address
– Broadcast address
– Loopback address
– Link-local address
– Unspecified/reserved addresses
2. It performs a reverse route lookup and requires the source IP to be routable via the ingress interface itself, not merely via some interface in the same zone (interface-level check).
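The difference between the two checks is easiest to see on a routing table where one zone spans two interfaces. The following Python model is an added example, not PAN-OS code: the interface names, zones, addresses and routes are constructed for illustration, and the functions reproduce the two rules as described above (zone-level return-path check versus forbidden-address test plus interface-level return-path check).

```python
"""Toy model of the two PAN-OS zone-protection source-address checks.

Added example, not PAN-OS code: the interfaces, zones and routes are
constructed to show where the zone-level Spoofed IP Address check and the
interface-level Strict IP Address Check give different answers.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Interface:
    name: str
    zone: str
    address: ipaddress.IPv4Interface  # interface IP with its connected prefix


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_interface: str


# Constructed topology: two interfaces share the "trust" zone, one is "untrust".
INTERFACES = {
    "ethernet1/1": Interface("ethernet1/1", "untrust", ipaddress.ip_interface("203.0.113.1/24")),
    "ethernet1/2": Interface("ethernet1/2", "trust", ipaddress.ip_interface("10.1.1.1/24")),
    "ethernet1/3": Interface("ethernet1/3", "trust", ipaddress.ip_interface("10.2.2.1/24")),
}
ROUTES = [
    Route(ipaddress.ip_network("10.1.1.0/24"), "ethernet1/2"),
    Route(ipaddress.ip_network("10.2.2.0/24"), "ethernet1/3"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "ethernet1/1"),  # default route to the Internet
]


def reverse_lookup(src: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match: the interface the firewall would use to reply to src."""
    best: Optional[Route] = None
    for route in ROUTES:
        if src in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best.out_interface if best else None


def spoofed_ip_check(src: str, ingress: str) -> bool:
    """Spoofed IP Address check: the return path must leave through *some* interface
    in the ingress zone. Which interface in that zone does not matter."""
    out = reverse_lookup(ipaddress.ip_address(src))
    return out is not None and INTERFACES[out].zone == INTERFACES[ingress].zone


def is_forbidden_address(addr: str, ingress: str) -> bool:
    """Strict check, condition 1: addresses no legitimate transit packet carries."""
    ip = ipaddress.ip_address(addr)
    iface = INTERFACES[ingress]
    return (
        ip == iface.address.ip                            # the firewall's own interface address
        or ip == iface.address.network.broadcast_address  # directed broadcast of the ingress subnet
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_unspecified
        or ip.is_reserved                                 # 240.0.0.0/4, including 255.255.255.255
    )


def strict_ip_check(src: str, dst: str, ingress: str) -> bool:
    """Strict IP Address Check: condition 1 on both addresses, then the reverse route
    for src must point at the ingress interface itself, not merely its zone."""
    if is_forbidden_address(src, ingress) or is_forbidden_address(dst, ingress):
        return False
    return reverse_lookup(ipaddress.ip_address(src)) == ingress


if __name__ == "__main__":
    # A host from 10.2.2.0/24 arriving on ethernet1/2: right zone, wrong interface.
    print("spoofed-ip check:", spoofed_ip_check("10.2.2.50", "ethernet1/2"))             # True
    print("strict-ip check: ", strict_ip_check("10.2.2.50", "10.1.1.20", "ethernet1/2"))  # False
```

The case in the `__main__` block is the one that matters operationally: a packet from 10.2.2.50 entering on ethernet1/2 passes the Spoofed IP Address check because 10.2.2.0/24 is routed out another trust-zone interface, but fails Strict IP Address Check because the reverse route does not point at ethernet1/2. On networks with asymmetric routing inside a zone, that is exactly the traffic the strict check will start dropping.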
Packet-Based Attacks Protection
Zone Protection profiles inspect and mitigate threats by:
- Dropping malformed or abusive packets at the IP, TCP, ICMP, IPv6 and ICMPv6 layers (for example IP fragments, mismatched overlapping TCP segments, TCP split handshakes and SYN packets carrying data).
- Stripping selected TCP options (the TCP timestamp option, for instance) and dropping packets with malformed or unknown IP options before admitting traffic.
Reconnaissance Protection
Defends against TCP and UDP port scans and host sweeps: the firewall counts probe events per source within a configurable interval and, once the threshold is crossed, takes the configured action (allow, alert, block, or block the source IP for a set duration).
You Should Know: Palo Alto Firewall Commands and Practical Configurations
1. Enable Spoofed IP Address protection (enter configure mode first with the configure command)
set network profiles zone-protection-profile <profile_name> discard-ip-spoof yes
2. Enable Strict IP Address Check
set network profiles zone-protection-profile <profile_name> discard-strict-ip-check yes
3. Configure Reconnaissance Protection (one entry per scan type: 8001 TCP port scan, 8002 host sweep, 8003 UDP port scan; interval is in seconds, threshold is events per interval; action can be allow, alert, block or block-ip)
set network profiles zone-protection-profile <profile_name> scan 8001 action block interval 2 threshold 100
set network profiles zone-protection-profile <profile_name> scan 8002 action block interval 2 threshold 100
set network profiles zone-protection-profile <profile_name> scan 8003 action block interval 2 threshold 100
4. Verify Zone Protection Settings (configure mode)
show network profiles zone-protection-profile <profile_name>
5. Block Reserved IP Ranges
There is no separate toggle for this: Strict IP Address Check (step 2) already drops packets whose source or destination is a reserved, unspecified, loopback, link-local, broadcast or interface address.
6. Log Dropped Packets
A zone protection profile has no log-setting of its own. Reconnaissance hits are written to the Threat log (subtype scan); packet-based drops happen before a session exists, so they show up only in the global drop counters (step 8), not in the Traffic log.
7. Apply Zone Protection to a Zone and commit
set zone <zone_name> network zone-protection-profile <profile_name>
commit
8. Check for Drops (operational mode)
show zone-protection zone <zone_name>
show counter global filter delta yes severity drop
show log threat query equal "(subtype eq scan)"
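The same steps are usually automated through the PAN-OS XML API (type=config&action=set) rather than typed into the CLI. The following Python is an added example, not Palo Alto code: it builds the xpath and element for the profile and for attaching it to a zone, using the configuration nodes the CLI commands above write to (discard-ip-spoof, discard-strict-ip-check, scan/entry, and the zone's network/zone-protection-profile) as the author knows them from the PAN-OS schema; confirm them on your PAN-OS version with debug cli on before running this against production. The host, vsys, profile and zone names are placeholders, and nothing is sent to a device.

```python
"""Build PAN-OS XML API calls that mirror the CLI steps above.

Added example, not Palo Alto code. Node names follow the PAN-OS XML
configuration schema as the author knows it (the nodes the CLI writes:
discard-ip-spoof, discard-strict-ip-check, scan/entry, and the zone's
network/zone-protection-profile); verify them on your PAN-OS version with
'debug cli on' before automating. Host, vsys, profile and zone names are
placeholders.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

DEVICE_XPATH = "/config/devices/entry[@name='localhost.localdomain']"
SCAN_IDS = ("8001", "8002", "8003")  # TCP port scan, host sweep, UDP port scan
_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,31}")  # deliberately narrower than PAN-OS allows


def _checked_name(value: str) -> str:
    """Object names are interpolated into XPath; reject anything that could alter it."""
    if not _NAME_RE.fullmatch(value):
        raise ValueError(f"unsafe object name: {value!r}")
    return value


def build_profile_element(name: str, threshold: int = 100, interval: int = 2,
                          scan_action: str = "block") -> ET.Element:
    """<entry> for one zone-protection profile: spoof and strict checks on,
    reconnaissance protection on all three scan types."""
    if scan_action not in ("allow", "alert", "block"):
        raise ValueError("scan_action must be allow, alert or block")
    entry = ET.Element("entry", name=_checked_name(name))
    ET.SubElement(entry, "discard-ip-spoof").text = "yes"
    ET.SubElement(entry, "discard-strict-ip-check").text = "yes"
    scan = ET.SubElement(entry, "scan")
    for scan_id in SCAN_IDS:
        s = ET.SubElement(scan, "entry", name=scan_id)
        ET.SubElement(ET.SubElement(s, "action"), scan_action)  # <action><block/></action>
        ET.SubElement(s, "interval").text = str(interval)       # seconds
        ET.SubElement(s, "threshold").text = str(threshold)     # events per interval
    return entry


def profile_set_params(name: str, **kwargs) -> dict:
    """type=config&action=set: xpath is the parent node, element is the new child."""
    return {
        "type": "config",
        "action": "set",
        "xpath": f"{DEVICE_XPATH}/network/profiles/zone-protection-profile",
        "element": ET.tostring(build_profile_element(name, **kwargs), encoding="unicode"),
    }


def zone_attach_params(zone: str, profile: str, vsys: str = "vsys1") -> dict:
    """Attach the profile to a zone (CLI: set zone <zone> network zone-protection-profile <profile>)."""
    zone, profile, vsys = _checked_name(zone), _checked_name(profile), _checked_name(vsys)
    return {
        "type": "config",
        "action": "set",
        "xpath": f"{DEVICE_XPATH}/vsys/entry[@name='{vsys}']/zone/entry[@name='{zone}']/network",
        "element": f"<zone-protection-profile>{profile}</zone-protection-profile>",
    }


def api_request(host: str, params: dict, api_key: str):
    """URL and headers for one call. The key goes in the X-PAN-KEY header rather than
    the query string so it does not end up in proxy or web-server access logs."""
    return f"https://{host}/api/?{urlencode(params)}", {"X-PAN-KEY": api_key}


if __name__ == "__main__":
    calls = (profile_set_params("Corporate_Profile"), zone_attach_params("Untrust", "Corporate_Profile"))
    for params in calls:
        url, _headers = api_request("firewall.example.internal", params, "REDACTED")
        print(url[:120], "...")
    # Follow with type=commit&cmd=<commit></commit>; set calls only change the candidate config.
```

Two details are worth keeping even if you copy only the idea: the set calls only touch the candidate configuration, so a commit call (type=commit) is still required, and any name taken from user input must be validated before it is interpolated into the xpath, otherwise a crafted zone name rewrites the XPath and the call lands somewhere else in the configuration tree.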
What Undercode Say
Palo Alto’s Zone Protection is critical for mitigating spoofing, reconnaissance, and packet-based attacks. Key takeaways:
– Spoofed IP Check: Zone-level verification.
– Strict IP Check: Interface-level + reserved IP blocking.
– Recon Protection: Threshold-based scan detection.
Packet-based protections have no log-only mode: once enabled they drop matching packets, so review the global drop counters after applying a profile. Stage Reconnaissance Protection with the alert action before switching to block. Combine Zone Protection with Security policy for layered defense.
Expected output (illustrative; the exact rendering varies by PAN-OS version): the configure-mode show command prints the profile with discard-ip-spoof yes, discard-strict-ip-check yes and one scan entry per threat ID (8001, 8002, 8003) carrying its action, interval and threshold. From operational mode, confirm the zone is using it:
show zone-protection zone <zone_name>
For deeper analysis, use:
show counter global filter delta yes severity drop
show log threat query equal "(subtype eq scan)"
References: Palo Alto Zone Protection Docs
Reported By: Sidhardha Koppolu – Hackers Feeds