topic Re: PRISMA Access Intrazone Default - As a firewall engineer this rule gives me the creeps in Prisma Access Discussions

PRISMA Access Intrazone Default - As a firewall engineer this rule gives me the creeps

gcollins5 — Wed, 28 Aug 2024 09:23:06 GMT

Quick on for all you PRISMA SASE heads out there.

Finally getting stability on macOS (god bless GP version 6.2.3) .

Now it's time to harden up a little bit - easy to do with a firewall I manage but not sure of the ramification on PRISMA.

So,, Intrazone-Default is allowed by default and it get some farily nasty attacks on the untrust to unstrust interfaces.

Bearing in mind I use PROXY & SSLVPN what are the ramification of a untrust to untrust block .

I did ask TAC - same answer as always - if you not done it before then it's professional services. Rubbish !

Any help greatly appreciated,

Re: PRISMA Access Intrazone Default - As a firewall engineer this rule gives me the creeps

RSenra — Thu, 29 Aug 2024 17:59:12 GMT

Hi @gcollins5

If traffic matches no other rules, two default Security policy rules at the bottom of the rulebase automatically drop all traffic between different zones (interzone-default) and automatically allow all traffic between the same zone (intrazone-default). You can modify the interzone-default and intrazone-default rules to log traffic, apply threat inspection, etc. If you add a rule that denies all traffic earlier in the rulebase (local firewall rules or Panorama pre- and post-rules), no traffic matches the default rules.

For the ramification, you may deny traffic that is supposed to be allowed between untrust zones that didn't match any rules before it hits the default rule. Typically, if untrust to untrust traffic did not hit any rules, then technically it should be allowed. I believe TAC answered the way they did because they are not design experts and are cannot given configuration recommendations based on the design since they would be held accountable if something were to go wrong. PS has the skills required to give that recommendation and help as its their primary focus.

Re: PRISMA Access Intrazone Default - As a firewall engineer this rule gives me the creeps

gcollins5 — Fri, 30 Aug 2024 15:34:02 GMT

Thanks @RSenra

PS is ££££ which we just don't have so it will be trial and error .

Re: PRISMA Access Intrazone Default - As a firewall engineer this rule gives me the creeps

mmonette — Thu, 22 Jan 2026 17:40:16 GMT

Create a snippet in your prisma access scope, in the snippet, add a block all to all from all any any rule. It will go above the global intrazone-default and hit before any of the default global rules you're worried about. Nothing will hit the intrazone-default rule you're worried about anymore.

Re: PRISMA Access Intrazone Default - As a firewall engineer this rule gives me the creeps

laurence64 — Mon, 30 Mar 2026 05:06:26 GMT

Hi @gcollins5

I know this is a very very old thread now, but for info I would like to say that adding a default deny to the end of the rule base (before the default rules) is something I have always done, in the context of Prisma Access it would don't affect the SSL vpn as that traffic is handled by a different rule base that we cannot manipulate (with the exception of embargo rules) so as best practice I would drop all traffic and allow by exception.