https://live.paloaltonetworks.com/t5/prisma-access-discussions/blocking-traffic-initiated-from-trusted-zone-aws/m-p/566689#M628 <P>Hi,</P> <P>&nbsp;</P> <P>Looking for some guidance before I start going down the wrong route. We use Prisma SASE - Panorama managed. We have an STS VPN Connection (service connection) into our AWS Estate. We have a security policies allowing traffic from Trust to Trust.</P> <P>&nbsp;</P> <P>In the world of prisma all the mobile users and everything on the other end of the service connection are in the same zone.&nbsp;</P> <P>&nbsp;</P> <TABLE class="table colsep rowsep table-striped"> <TBODY class="tbody"> <TR class="row rowsep"> <TD class="entry"> <DIV> <DIV class="p"> <DIV>Trust</DIV> </DIV> </DIV> </TD> <TD class="entry relcol"> <DIV> <DIV class="p"> <DIV>Zone containing all trusted and on-boarded IP addresses, service connections, or mobile users within the corporate network.</DIV> </DIV> </DIV> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>So in this case we allow traffic initiated from mobile users to our AWS estate and given these are stateful sessions the return traffic is allowed also . However I would like to block traffic initiated from the AWS estate to our mobile users , so for a basic example I'm happy for a mobile user to be able to ping a server in AWS , but I don't traffic initiated from the AWS Server to reach mobile users.</P> <P>&nbsp;</P> <P>My logic is that in the event a machine is compromised in AWS I don't want a bad actor to be able initiate connections to our mobile users.&nbsp;</P> <P>&nbsp;</P> <P>In my mind I would just create a deny policy specifying trust as the source and destination and then specify the AWS subnets as the source , is this the correct approach or is there a better way?</P> <P>&nbsp;</P> <P>Thank you!&nbsp;</P> <P>&nbsp;</P> Wed, 22 Nov 2023 11:55:55 GMT jbusby 2023-11-22T11:55:55Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/blocking-traffic-initiated-from-trusted-zone-aws/m-p/566689#M628 <P>Hi,</P> <P>&nbsp;</P> <P>Looking for some guidance before I start going down the wrong route. We use Prisma SASE - Panorama managed. We have an STS VPN Connection (service connection) into our AWS Estate. We have a security policies allowing traffic from Trust to Trust.</P> <P>&nbsp;</P> <P>In the world of prisma all the mobile users and everything on the other end of the service connection are in the same zone.&nbsp;</P> <P>&nbsp;</P> <TABLE class="table colsep rowsep table-striped"> <TBODY class="tbody"> <TR class="row rowsep"> <TD class="entry"> <DIV> <DIV class="p"> <DIV>Trust</DIV> </DIV> </DIV> </TD> <TD class="entry relcol"> <DIV> <DIV class="p"> <DIV>Zone containing all trusted and on-boarded IP addresses, service connections, or mobile users within the corporate network.</DIV> </DIV> </DIV> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>So in this case we allow traffic initiated from mobile users to our AWS estate and given these are stateful sessions the return traffic is allowed also . However I would like to block traffic initiated from the AWS estate to our mobile users , so for a basic example I'm happy for a mobile user to be able to ping a server in AWS , but I don't traffic initiated from the AWS Server to reach mobile users.</P> <P>&nbsp;</P> <P>My logic is that in the event a machine is compromised in AWS I don't want a bad actor to be able initiate connections to our mobile users.&nbsp;</P> <P>&nbsp;</P> <P>In my mind I would just create a deny policy specifying trust as the source and destination and then specify the AWS subnets as the source , is this the correct approach or is there a better way?</P> <P>&nbsp;</P> <P>Thank you!&nbsp;</P> <P>&nbsp;</P> Wed, 22 Nov 2023 11:55:55 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/blocking-traffic-initiated-from-trusted-zone-aws/m-p/566689#M628 jbusby 2023-11-22T11:55:55Z