topic Re: mail/dns/www/ftp server in DMZ - need advice in General Topics

mail/dns/www/ftp server in DMZ - need advice

_slv_ — Fri, 04 Oct 2013 15:49:43 GMT

Hello

I'm preparing to move my server that is mail/dns/www into DMZ zone. I did some tests and it seems to be working - but as good as I can test...

Do I should use application (dns,smtp,pop3,imap,ftp,web-browsing) or use a services on ports 53,25,110,21,80,465,993,995)?

What are you using and why?

My NAT rule:

My security policy:

I have of course U-turn policy to allow acces to this server from my local zones.

What about profiles?

I did one group for servers:

Is it make sens to scan trafficwith this all profiles?

Could someone share their policies - please?

I didn't see such topic in this forum and it could be very useful for every new PA user.

With regards

SLawek

Re: mail/dns/www/ftp server in DMZ - need advice

Phoenix — Fri, 04 Oct 2013 16:00:20 GMT

Hello Slv,

I would like to answer to the question about using apps or services. The advantages of using Apps is that the PAN would inspect the traffic at application layer and allows only those ports required by that application. ( We should select the service as "App-default" to allow only those ports what the app needs ). I see your security policy with apps and app default and that is the right way.

In regards to the group of profiles, that is used when there is a need to have same set of profiles for multiple security rules making configuration simpler and is completely fine. Rather than individually selecting the profiles for each security rule we can use a group. If needed to customize profiles then we can use profiles selectively.

Thanks

Re: mail/dns/www/ftp server in DMZ - need advice

_slv_ — Mon, 07 Oct 2013 18:00:45 GMT

Thats good that my polices are OK. But I scared that I missed some aplication ...

ie - I moved www server to DMZ few days ago, and I see that I have to add also new appliocations: rss, web-crawler. Until now I think that it should be in web-browing, but after I checked few times traffic logs for denied applications I realized that I'm wrong.

I agree with you about group of profiles. But is is correct to scan traffic using antivirus/anti-spyware/volnerability/data filtering? or maybe one of them is enought? every profile is taking some resources of PAN, and I'd like to use only that are nessasary.

p.s. - sorry for my bad english

Regards

SLawek

Re: mail/dns/www/ftp server in DMZ - need advice

msullivan — Tue, 08 Oct 2013 22:02:09 GMT

Hi SLV,

Since you're dealing with new policy, you might want to have a "lose deny" rule below the new one, that way you can verify that the traffic you want is matching and you can tune the deny rule as you see how it's going. So if you are certain you do not what to host FTP or SSH, add those to the deny rule, watch the monitor and add additional service to the allow or deny rule as needed. Once you think you have a stable policy, make the deny a 'deny all' rule and that should do it.

Mike