https://live.paloaltonetworks.com/t5/general-topics/vwire-policies/m-p/6751#M4949 <HTML><HEAD></HEAD><BODY><P>thnak's for your help </P></BODY></HTML> Tue, 19 Feb 2013 08:33:29 GMT atelcom 2013-02-19T08:33:29Z https://live.paloaltonetworks.com/t5/general-topics/vwire-policies/m-p/6747#M4945 <HTML><HEAD></HEAD><BODY><P>HI all,</P><P></P><P>when we deploy the paloalto firewall in vwire mode and we have multiple zones (system zone, application zone, bdd zone), can we create rules to permit traffic between these zones through pan firewall ??</P><P></P><P>thank's in advance</P></BODY></HTML> Sun, 17 Feb 2013 10:54:26 GMT https://live.paloaltonetworks.com/t5/general-topics/vwire-policies/m-p/6747#M4945 atelcom 2013-02-17T10:54:26Z https://live.paloaltonetworks.com/t5/general-topics/vwire-policies/m-p/6748#M4946 <HTML><HEAD></HEAD><BODY><P>You can configure rules to allow/deny traffic between V-wire zones. You can also make use of other features like anti-virus filtering, url filtering, NAT and almost every other feature done by regular L3-traffic. </P><P></P><P>Here are some documents that can help you with Vwire config.</P><P></P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-1165">How to Configure Virtual Wire (VWire)</A></P><P><A href="https://live.paloaltonetworks.com/videos/1005"> Video Link : 1005</A></P><P><A __default_attr="2729" __jive_macro_name="document" class="jive_macro jive_macro_document" href="https://live.paloaltonetworks.com/"></A></P><P></P><P>Thanks,</P><P>Sandeep T</P></BODY></HTML> Sun, 17 Feb 2013 16:47:57 GMT https://live.paloaltonetworks.com/t5/general-topics/vwire-policies/m-p/6748#M4946 sdurga 2013-02-17T16:47:57Z https://live.paloaltonetworks.com/t5/general-topics/vwire-policies/m-p/6749#M4947 <HTML><HEAD></HEAD><BODY><P>To further add to Sandeep's answer. If you are only using vwire you will only control access between the zones defined in the vwire interfaces that are part of the same vwire object. </P><P>So if you had ethernet1/1 and ethernet1/8 in a pair, which are defined as Trust and Untrust respectively, then you could create a security policy to control traffic from Trust to Untrust or from Untrust to Trust. A security policy from Trust to DMZ would never be hit as it's not possible for the PAN to forward the traffic to the DMZ zone.</P><P></P><P>If however you are using V5.0 you can implement vwire sub-interfaces which allows you to put a VLAN into a vwire sub-interface and thus put it into it's own zone which means you then have to create a policy to allow the traffic.</P><P>So if we created a vwire sub-interface on ethernet1/8 which had the zone of DMZ, then we could configure a policy to control traffic from Trust to Untrust and another from Trust to DMZ.</P><P></P><P>Hope that makes things a bit clearer.</P></BODY></HTML> Mon, 18 Feb 2013 08:51:14 GMT https://live.paloaltonetworks.com/t5/general-topics/vwire-policies/m-p/6749#M4947 SCoupland 2013-02-18T08:51:14Z https://live.paloaltonetworks.com/t5/general-topics/vwire-policies/m-p/6750#M4948 <HTML><HEAD></HEAD><BODY><P>thank's for your reply </P></BODY></HTML> Tue, 19 Feb 2013 08:33:06 GMT https://live.paloaltonetworks.com/t5/general-topics/vwire-policies/m-p/6750#M4948 atelcom 2013-02-19T08:33:06Z https://live.paloaltonetworks.com/t5/general-topics/vwire-policies/m-p/6751#M4949 <HTML><HEAD></HEAD><BODY><P>thnak's for your help </P></BODY></HTML> Tue, 19 Feb 2013 08:33:29 GMT https://live.paloaltonetworks.com/t5/general-topics/vwire-policies/m-p/6751#M4949 atelcom 2013-02-19T08:33:29Z