topic Re: Deny the access to the servers in LAN zone in General Topics

Deny the access to the servers in LAN zone

RCHAIBI — Mon, 19 Oct 2015 19:08:26 GMT

Hello,

I need to restrict the access to a critical server in our company i the LAN zone . I add a security rule that restrict for exemple the address 192.18.1.25 to access to database server tht has the address 192.168.1.20 . I add a security rule from LAN to LAN with this address but the rstrection do't work!

How can i do this restriction ?

I will be appreciated for all helps 🙂

Re: Deny the access to the servers in LAN zone

Raido_Rattameister — Mon, 19 Oct 2015 19:14:45 GMT

Are those servers directly connected to Palo Alto firewall ports or there is switch between those servers and Palo?

If there is cable from Palo to switch and then cables from switch to both servers then servers talk directly through switch.

If those servers connect to diferent firewall ports then it is possible to get this setup working.

Re: Deny the access to the servers in LAN zone

gwesson — Mon, 19 Oct 2015 19:13:24 GMT

Did you mean that your client is 192.168.1.25? If so, then the client wouldn't even be passing through the firewall most likely. If your client and server are in the same subnet, such as 192.168.1.0/24, the client will ARP directly for the server. If both the server and the client are connected to the same switch (or can access each other via L2 only), there will be no routing.

Generally you would set up your clients and servers in different zones and on different subnets, so that you can control the traffic as it routes through the firewall.

Re: Deny the access to the servers in LAN zone

RCHAIBI — Mon, 19 Oct 2015 19:24:44 GMT

The eth 1/2 of PAN is configuredwith LAN zone and this interface is connected to the switch . Yes the servers and the clients PC are connected to the same swith . I need torestrict the access to of the uses to a servers that's located in the same subnet 192.168.1.0/24.

It's posibleto do this?

Re: Deny the access to the servers in LAN zone

Raido_Rattameister — Mon, 19 Oct 2015 19:30:28 GMT

It is possible but as mentioned before - in your case devices talk directly through the switch.

You have to configure it so that traffic passes firewall.

Either with diferent vlans (does your switch support them?) or with connecting diferent devices to diferent fw ports.

Re: Deny the access to the servers in LAN zone

RCHAIBI — Mon, 19 Oct 2015 19:45:51 GMT

So this case is only possible with te configuration of VLANS in PAN or in the switch ?

I found this article talk about the configuration of VLANs interfce in PAN : https://live.paloaltonetworks.com/t5/Configuration-Articles/Setting-Up-the-PA-200-for-Home-and-Small-Office/tac-p/61841/highlight/true

So if I like to confgure a VLANs in PAN ,I should do as mentioned n the article : config from L3 to L2

interface 1/1: WAN : L3

interface 1/2: LAN (interface VLAN 192 with address 192.168.1.0/24)

interface 1/3: Server zone with address (interfac VLAN 10 : 10.200.1.0/24)

Then I will relate the inter1/2 and iner1/3 to a separate switch . I will add then a access and Vroute in PAN that's te solution??

Re: Deny the access to the servers in LAN zone

Raido_Rattameister — Mon, 19 Oct 2015 21:06:01 GMT

Usually it is done like this:

https://live.paloaltonetworks.com/t5/Documentation-Articles/Securing-Inter-VLAN-Traffic/ta-p/54749

But if you can't change IP's then do it with Layer 2 setup:

https://live.paloaltonetworks.com/t5/Documentation-Articles/Layer-2-Networking/ta-p/57040

Screenshots are taken from older version but you should get the point.