topic Re: Creating Zones (Sub-Zones) on PA-500 in General Topics

Creating Zones (Sub-Zones) on PA-500

kalyanram.piratla — Mon, 06 Feb 2012 16:31:59 GMT

Hello,

This question might sound very stupid, but never mind:

I have a PA-500 configured which does a specific job which does layer 3 and that requires creating a lot of zones in-order to differentiate the traffic ( as per my understanding, zones are defined for differentiating between traffic. If my thinking is wrong, please correct me).

Since the PA-500 can only have 20 zones and I already have 18 zones configured ( i would need more than this over the year), I was just wondering if there was any way in increasing this number by creating sub-zones (like creating sub-interfaces).

Or any sorts of work around....

Thanks...

Re: Creating Zones (Sub-Zones) on PA-500

rmonvon — Mon, 06 Feb 2012 17:14:42 GMT

Hi...Zones are used to define your network boundary and not necessary to differentiate traffic. For example, separating users from server farm, inside vs outside vs dmz. For multiple vlans where each vlan is an IP subnet for users, you can put all vlans on the same zone because they all are users. Same goes for servers. You may have some smtp servers, dns servers, & file servers and you can group them together under 1 zone. Then you define security policies to control traffic between your users and your servers.

Re: Creating Zones (Sub-Zones) on PA-500

kalyanram.piratla — Tue, 07 Feb 2012 16:04:05 GMT

Thanks for the reply. It was useful, but the only problem I would face is, the zones for me define a customer's boundary or network. It does not necessarily mean different VLANs for me as they are completely different networks and are external. It looks like:

Client -> A

Interface -> ethernet 1/6.1001

Source Zone -> Internal

Destination Zone -> A zone

IP Address -> 2.0.0.1/27

Client -> B

Interface -> ethernet 1/6.1002

Source zone -> Internal

Destination Zone -> B Zone

IP Address -> 128.x.x.x/24

Based on this, I will be creating zones for all the clients I register which would run in quite a few numbers. I can only see replacing the PA with a router or a layer 3 switch do pass the traffic onto their networks.

Any Thoughts..??

Thanks..

Regards,

Re: Creating Zones (Sub-Zones) on PA-500

mtetzlaff — Tue, 07 Feb 2012 23:33:48 GMT

Why not create zone for 'clients', or more broadly lump them into 'untrust' depending on which network interface the clients are behind. If the clients are all external off the internet then go with 'untrust'.

Then create address book definitions per client in the appropriate zone (ex. 'clients' or 'untrust'):

client-a-net = 2.0.0.0/27

client-b-net = 128.x.x.x/24

Then in your security policy permit the desired traffic to the zone and destination as appropriate.

Seems like it would work.

Re: Creating Zones (Sub-Zones) on PA-500

mikand — Tue, 07 Feb 2012 23:55:33 GMT

I think thats the more common way of using zones.

The zone is just the description of the "interface" (no matter if the interface is physical such as EthernetX/Y or logical such as VLAN123). So instead of using "ethernet1.6/200" or "vlan123" you bring this interface a useful name such as "Internet".

Which gives that your security rules looks like

src zone: Internet

dst zone: DMZ-DNS

instead of

src interface: Ethernet1.6/200

dst interface: Ethernet1.3/104

And then use address objects and address groups to further make your security rules easier to interpret when you are staring at them.

Like (already mentioned):

client-a-net = 2.0.0.0/27

client-b-net = 128.x.x.x/24

with group:

client-internet = client-a-net, client-b-net

And your security rule becomes:

srczone: Internet

src ip: client-internet

src port: >1023

dstzone: DMZ-DNS

dst ip: dns-servers

dst port: specific (TCP53, UDP53)

appid: dns

profile: PROFILEGROUP_BLOCK

action: allow

Re: Creating Zones (Sub-Zones) on PA-500

kalyanram.piratla — Wed, 08 Feb 2012 10:13:41 GMT

Many thanks for your thoughts Guys. I will trying doing this in a couple of days time to add in a new customer. Will get back to you guys on this..

So, this is how I would go around configuring it (EXAMPLE):

1. Source Zone: Internal

2. Destination Zone: External

3. Create Layer 3 Sub-Interface: ethernet 1/6.1010 with an ip address 1.1.1.1

4. Add an Address object: 1.1.1.1 -> Client A

5. Create a Security rule: From Internal zone (Any source address) -> to External Zone with Destination Address of Client A (pulled from address object) -> any application, any service, no profiles ( as it is basically allowing routing traffic from our Wireless Controller)

Cheers...

Re: Creating Zones (Sub-Zones) on PA-500

mikand — Thu, 09 Feb 2012 08:29:30 GMT

You will need a 2.5: Connect zone to (physical or logical) interface.

And personally I would apply a protection profile even for the wireless users 🙂

Re: Creating Zones (Sub-Zones) on PA-500

kalyanram.piratla — Thu, 09 Feb 2012 09:26:34 GMT

Oh yes, connecting the zone to physical or logical interface. With respect to security profiles, we have another firewall doing filtering as this Palo Alto in question is doing content filtering on virtual wire mode for internal users and L3 routing.