topic Re: multiple VLANs on one security zone - possible? in General Topics

multiple VLANs on one security zone - possible?

_slv_ — Tue, 16 Jul 2013 08:12:31 GMT

I need your help with one (probably simple for You problem).

I have PA200 but I have only one "free" security zone and one phisical interfece free.

I need to create 4 local networks (as a subinterfaces/VLAN) that every one has their own adresses, dhcp server, NAT policy to their own IP.

Intervlan traffic shouldn't be allowed.

Is it possible? Until now I do always one security zone per one network ...

With regards

Slawek

Re: multiple VLANs on one security zone - possible?

UhMayYeah — Tue, 16 Jul 2013 08:44:52 GMT

You can create L3 sub-interfaces and assign them IP subnets ,Zones and create NAT and Security rules.

For reference Page 99 :

Re: multiple VLANs on one security zone - possible?

VinceM — Tue, 16 Jul 2013 09:24:50 GMT

Also look:

https://live.paloaltonetworks.com/docs/DOC-1805

https://live.paloaltonetworks.com/docs/DOC-2781

Re: multiple VLANs on one security zone - possible?

_slv_ — Fri, 19 Jul 2013 10:21:42 GMT

I was stuck with one thing, one of this local networks must have Captive Portal on it.

I can connect proper profile to interface for CP but the CP policy I need to bind to whole Security Zone. I can do exclussions - but is it a good idea?

I doubt, and I would like to ask you whether it is good that I am doing

Regards

Slawek

Re: multiple VLANs on one security zone - possible?

VinceM — Fri, 19 Jul 2013 10:36:20 GMT

Hi,

No profile for CP but Captiv Portal Policy 🙂 then no issue

Re: multiple VLANs on one security zone - possible?

UhMayYeah — Fri, 19 Jul 2013 18:23:27 GMT

You can create a specific Captive Portal rule based on Source IP subnets .

No-CP rules can be created for IPs that do not need CP ,for granularity if certain IPs need exclusion from CP in an address space.

Additionally ,User-Identification Include (/Exclude) ACLs could be created ,if Zone has multiple interfaces/Subnets ,to filter the IP spaces that need (/dont need) User Id via CP.

HTH

Re: multiple VLANs on one security zone - possible?

_slv_ — Tue, 23 Jul 2013 11:47:33 GMT

Hello

I stuck with configurations .... help me please. My config look like:

Computer connected to VLAN 210 is able to get IP address from DHCP server (got 192.168.210.2) but is unable to ping gateway in this network (192.168.210.1). Of course it can't ping 8.8.8.8 too

Why?

It's doesnt matter that "any" or "unknown" is chooses in security policy "Other_LAN - internet" - computer cant reach internet or gateway.

User identyfiaction is enabled on "Other_LAN" because I have to do Captive Portal on 192.168.3.0 network (and only on this network)

Computer connected to VLAN 210,230,240 getting IP from DHCP (can't ping gateway), but connected to vlan 250 doesn't even getting IP from DHCP server.

Slawek

Re: multiple VLANs on one security zone - possible?

UhMayYeah — Tue, 23 Jul 2013 13:12:04 GMT

Computer connected to VLAN 210 is able to get IP address from DHCP server (got 192.168.210.2) but is unable to ping gateway in this network (192.168.210.1).

Could be getting blocked by the rule deny-rest.Configure a rule above deny-rest rule between zones Other_LAN to Other_LAN to allow this traffic.

Of course it can't ping 8.8.8.8 too

Can you check the Source NAT rule,Shouldn't the Innie siece zone be replaced by OTHER_LAN zone ?

Re: multiple VLANs on one security zone - possible?

craymond — Tue, 23 Jul 2013 15:27:24 GMT

Computer connected to VLAN 210,230,240 getting IP from DHCP (can't ping gateway), but connected to vlan 250 doesn't even getting IP from DHCP server.

A: You don't have it enabled. It shows as disabled.

As Nadir said, your NAT rules need to be from the correct source zone.

Re: multiple VLANs on one security zone - possible?

_slv_ — Wed, 24 Jul 2013 06:52:48 GMT

Yes - the traffic was blocked by deny-rest rule.

I added policy from Other_LAN to Other_LAN and now I can ping gateway of network where is locted computer. BUT also I can ping other VLAN gateways!! - that's not good.

Is it a solution for "clever" blocking traffic from ie. vlan250 to every other. At the moment I have 4 networks on Other_LAN interface so I had to 4^2 rules of blocking traffic - is it a solution to do it a bit smarter?

Every of this subinterfaces/networks must be separated, and allow only traffic to the internet (exept for DHCP/DNS/CP).

Sorry for my english ... I hope that you are understand what I want to achieve.

Craymond - you are right, it was disbaled - it's my fault - thx

Regards

Slawek

Re: multiple VLANs on one security zone - possible?

_slv_ — Wed, 24 Jul 2013 08:20:47 GMT

I have another problems with computer in 192.168.3.x network.

I can't see CaptivePortal, my browser isn't redirected (even when I add rule that allow traffic to it's IP (192.168.110.1) - rule "SCH-CP" - but I can ping it by IP address or name.

I changed dns servers from google dns to my local dns serwers for every of my local network - just for unifications.

so the problem is in NAT (I can't see errors in configuration, picture from yesterday has polish name of Other_LAN - so it's confusing you) - configurations is similar to my others NAT.

when I try ping google.pl I see traffic that passes rule "Other_LAN - DNS" but my computer dosn't resolve name to it's IP.

I can't ping or browse internet on every LAN on Other_LAN security zone.

I don't understand what is going here, I have 7 other LANs on my PAN device (every has their own security zone) and everyting is working as I expected. When I started to configure 4 LANs on one security zone something is going creazy ...

Please explain me why I need to allow traffic from Other_LAN to Other_LAN to bo able to ping gateways when without such security rule I was able to get IP from DHCP server??

Help me please

Regards

Slawek

Re: multiple VLANs on one security zone - possible?

UhMayYeah — Wed, 24 Jul 2013 08:40:21 GMT

By default firewall allows ,Intra-Zone traffic.So you can ping all hosts in Other_LAN to hosts in Other_LAN by default if you dont have deny-rest Rule.You can either create separate Zone for each VLAN.

Having deny-rest rule would warrant creation of specific allow rules from Other LAN to any zone.

Suggestions : You can alter the deny rest to specific zones instead of any. eg Other Zone to Untrust.

Re: multiple VLANs on one security zone - possible?

UhMayYeah — Wed, 24 Jul 2013 08:45:03 GMT

"so the problem is in NAT (I can't see errors in configuration, picture from yesterday has polish name of Other_LAN - so it's confusing you) - configurations is similar to my others NAT."

Check if you have a zone named inne sieci configured.I dont think Zone names would be translated.

Change "Inne sieci" in NAT config to Other_LAN

Re: multiple VLANs on one security zone - possible?

_slv_ — Wed, 24 Jul 2013 08:58:38 GMT

it's done today morning, now it's looks like:

Re: multiple VLANs on one security zone - possible?

UhMayYeah — Wed, 24 Jul 2013 09:19:55 GMT

What do you see in the traffic logs for the outbound traffic failing ?

Can you include additional columns in the traffic log eg : NAT Source IP,Packets sent Packets received etc.

Do you have Default route defined ?

Can try to include the Interface in the Source NAT rule instead of the translated address.

Re: multiple VLANs on one security zone - possible?

_slv_ — Wed, 24 Jul 2013 10:25:34 GMT

admin@PA-200> show routing route

VIRTUAL ROUTER: rtr_ign (id 3)

==========

destination nexthop metric flags age interface next-AS

0.0.0.0/0 XXX.XXX.XXX.XXX 10 A S ethernet1/1

[..........]

192.168.3.0/24 192.168.3.1 0 A C ethernet1/3.250

192.168.3.1/32 0.0.0.0 0 A H

192.168.210.0/24 192.168.210.1 0 A C ethernet1/3.1

192.168.210.1/32 0.0.0.0 0 A H

192.168.230.0/24 192.168.230.1 0 A C ethernet1/3.2

192.168.230.1/32 0.0.0.0 0 A H

192.168.240.0/24 192.168.240.1 0 A C ethernet1/3.3

192.168.240.1/32 0.0.0.0 0 A H

>Can try to include the Interface in the Source NAT rule instead of the translated address.

I dont understnd correctly - I think

I change to:

But i still can't ping from 192.168.3.x to 8.8.8.8

Re: multiple VLANs on one security zone - possible?

_slv_ — Wed, 24 Jul 2013 11:01:04 GMT

Finally I found my mistake ...

After I add "/0" I can reach internet from every LAN (even CP is working too).

So I have to isolate traffic of every network - please give me advice hot to do that.

I wouldn't create a lot of policies like:

192.168.3.0/24 to 192.168.210.0/24 deny

192.168.3.0/24 to 192.168.230.0/24 deny

192.168.3.0/24 to 192.168.240.0/24 deny

and again

192.168.210.0/24 to 192.168.30.0/24 deny

Is it possible to do it in other way?

Regards

Slawek

Re: multiple VLANs on one security zone - possible?

craymond — Wed, 24 Jul 2013 13:15:15 GMT

If you are really trying to isolate the traffic from each subnet, you should really be creating separate zones for each one. You would just add the new zones to the outbound NAT rule and NAT policy.

Re: multiple VLANs on one security zone - possible?

_slv_ — Thu, 25 Jul 2013 06:29:01 GMT

I know ... but I have PA200 and I have only one security zone free ... so I have to make configuration as good as possible in this situation.

This 4 networks will have couple computers, but must be separataed.

Regards

Slawek

Re: multiple VLANs on one security zone - possible?

craymond — Thu, 25 Jul 2013 13:11:03 GMT

Sorry - I forgot the limitation on a 200 is 10 Zones. Unless you want to move the vlans to a layer 3 switch and use ACLs or don't enable forwarding, I think the only viable alternative would be to create the deny policies on the PAN.