Block Private IP Spoofing Incoming on External Interface

We have been seeing some traffic from spoofed internal private IP addresses coming from the external interface connected to the internet on our firewall. Is there a way to create a policy to block the private IP ranges from coming in on only an external interface?


  • Those packets are already being blocked.
    If your goal is to prevent them from actually getting to your external interface, then you can't.

    If you just don't want to see the spoofing log message, then you can clear the Drop Spoofing Attacks check box in Default Packet Handling - which would potentially allow the packet if it matches some incoming policy.
    Then you could add an Any packet filter From: the private subnets To: Firebox, and set it to not log if you don't want to see the denied log messages for these. Make sure that this policy is at or near the top of your policy list.
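
The ordering caveat in the reply above, as an added example that is not part of the original thread and is not Firebox code: it assumes a generic first-match packet filter, and the rule names, fields and packets are hypothetical and constructed. It shows why, once spoofing drops are turned off, the silent deny rule for private sources has to sit above any inbound allow policy.

```python
import ipaddress

# RFC 1918 ranges standing in for "the private subnets" in the answer.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

# Hypothetical rule names and fields; dport None means any port.
DROP_PRIVATE = {"name": "drop-private-external", "src": PRIVATE,
                "iface": "external", "dport": None,
                "action": "deny", "log": False}
ALLOW_HTTPS = {"name": "inbound-https", "src": ANY,
               "iface": "external", "dport": 443,
               "action": "allow", "log": True}


def evaluate(rules, iface, src, dport):
    """First-match evaluation: return (action, rule name, logged)."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if r["iface"] != iface:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if any(addr in net for net in r["src"]):
            return r["action"], r["name"], r["log"]
    return "deny", "default-deny", True  # nothing matched


if __name__ == "__main__":
    # Constructed packets: (interface, source address, destination port).
    packets = [("external", "192.168.1.50", 443),
               ("external", "203.0.113.7", 443),
               ("trusted", "192.168.1.50", 443)]
    for label, rules in (("deny rule on top", [DROP_PRIVATE, ALLOW_HTTPS]),
                         ("deny rule below", [ALLOW_HTTPS, DROP_PRIVATE])):
        print(label)
        for pkt in packets:
            print("  ", pkt, "->", evaluate(rules, *pkt))
```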
