topic Shared Policy Zone Check in General Topics

Shared Policy Zone Check

CHammock — Tue, 25 Feb 2014 13:12:40 GMT

The Shared Policy option in Panorama is most useful, however I have found an issue with it which I think could be resolved in one of two ways, what I need to know is do either of these two ways exist?

Scenario

When using the Panorama Shared Policy to push single policy to three different FW layers I need to include the Source and Destination Zone of all three firewalls.

Below is an example of a single policy with the necisary source and destination zones. The firewall column is for referance only

Policy 1

Firewall Source Zone Destination Zone

Core Inside Outside

Perimeter Trust RemoteVPN

Remote HQVPN Internal

Issue

When pushing the above policy I get commit errors on all 3 firewalls for 4 of the zone not recognised.

As one of the FWs is a 5050 with 70 zones configured and one is a 3020 with a zone limit of 40 how can I remove this check or get the panorama to only push the zones that exist on the fw?

Solution

1. Is there an option to turn of the zone policy check on the FW?

2. Is there an option like Share Unused Address and Service Objects with Devices that I can check or uncheck so before sending the policy the panorama will check to see if the zone exists and if not remove the zone from the policy push?

I appriciate your input and any comments/workarounds from SEs as to if there are existing FRs for this issue?

Re: Shared Policy Zone Check

Phoenix — Tue, 25 Feb 2014 14:14:01 GMT

Hello CHammock

Have you tried to use the Target field in each security rule. In this field we only select those firewalls where the change is destined so that we are specifically making some changes to certain firewalls and some other changes to another set of devices so there is no commit errors for unknown zones.

Thanks

Re: Shared Policy Zone Check

CHammock — Tue, 25 Feb 2014 14:31:00 GMT

To clarify the example above is a single policy with three source zones and three destination zones pushed to three firewalls

I want this policy to push to all three firewalls, I need it to exist on all three firewalls as traffic will traverse all three firewalls. My issue is that the zones I define in the policy needs to exist before it will commit to the FWs. What I need is a way of either switching off the zone check during the commit process or something where by the panorama only pushes the zone names that exist on each firewall.

To try and clarify the topology.

If I want to get traffic from the Inside of the Core FW to the Internal on the Remote FW traffic flow will be.

1. Inside of the Core FW to Outside of the Core FW

2. Trust of the Perimeter FW to RemoteVPN of the Perimeter FW

3. HQVPN of the Remote FW to Internal of the Remote FW

This could be covered by a single shared policy as below, obviously I have omited ips, services and apps to avoid confusion

Policy 1

Source Zone Destination Zone

Inside Outside

Trust RemoteVPN

HQVPN Internal

Re: Shared Policy Zone Check

Phoenix — Tue, 25 Feb 2014 15:40:22 GMT

I see that all the zones are defined in single rule and this single rule is planned to be pushed to all firewalls.

At present this is not possible for the reason that the firewall expects a zone to be added only if it is defined locally else it gets the commit errors.

Out of the 2 solutions provided by you,

1. Is there an option to turn of the zone policy check on the FW?

A. I think this is not feasible as zones play major role in deciding traffic flow and action so zones will be checked.

A. This options seems interesting where panorama checks to see if the end firewall does not have the configured zones remove locally on panorama or may be the feature can be checked locally at firewall.

For this we can approach SE for feature request. That would be the best bet.

Thanks