<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Looking for some rule guidance in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/looking-for-some-rule-guidance/m-p/173936#M54702</link>
    <description>&lt;P&gt;Yes, I'm sure it would. The firewall is the gateway for the DCs and they reach out to other subnets; the /16 is subnetted into several dozen networks, all in different security zones and even across different geographical locations. As far as working, it *should*, but I'm not certain it will.&lt;/P&gt;</description>
    <pubDate>Wed, 30 Aug 2017 18:07:20 GMT</pubDate>
    <dc:creator>John_Braswell</dc:creator>
    <dc:date>2017-08-30T18:07:20Z</dc:date>
    <item>
      <title>Looking for some rule guidance</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/looking-for-some-rule-guidance/m-p/173920#M54698</link>
      <description>&lt;P&gt;Hello all,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm trying to get some access restricted to a few subnets that fall into our /16 range that we currently have in our Palo. The way it would look is we would have 2 subnets smack in the middle of the /16 where we only want to allow access to a handful of hosts in that subnet, yet block everything else in that range. To explain it more clearly, we currently have access from our DC servers to all the subnets contained within a superset of 192.168.0.0/16. That means the DCs can get to all hosts behind this range and do what they need to. It's been determined that a couple of /24s need to have access restricted to them, say the 192.168.2.0/24 and 192.168.100.0/24 ranges, allowing the DCs to access a few hosts in those ranges while excluding the remainder of hosts in 192.168.2.0 and 192.168.100.0. Everything else would remain the same. The way I've figured to do it is to clone the rule and do some subnetting that allows that same access, but carves around the 192.168.2.0 and 192.168.100.0 subnets, except for those hosts in those ranges. Would that be how you guys tackle that, or is there a cleaner way to do it that I'm not thinking of? Any guidance is appreciated, thank you!&lt;/P&gt;</description>
      <pubDate>Wed, 30 Aug 2017 17:54:35 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/looking-for-some-rule-guidance/m-p/173920#M54698</guid>
      <dc:creator>John_Braswell</dc:creator>
      <dc:date>2017-08-30T17:54:35Z</dc:date>
    </item>
    <item>
      <title>Re: Looking for some rule guidance</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/looking-for-some-rule-guidance/m-p/173933#M54699</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/34562"&gt;@John_Braswell&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;Before we start looking at the rule, are you even sure it'll work and would actually traverse the firewall? Depending on your larger network configuration this may not function regardless of what security policies you make.&lt;/P&gt;</description>
      <pubDate>Wed, 30 Aug 2017 18:00:34 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/looking-for-some-rule-guidance/m-p/173933#M54699</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2017-08-30T18:00:34Z</dc:date>
    </item>
    <item>
      <title>Re: Looking for some rule guidance</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/looking-for-some-rule-guidance/m-p/173936#M54702</link>
      <description>&lt;P&gt;Yes, I'm sure it would. The firewall is the gateway for the DCs and they reach out to other subnets; the /16 is subnetted into several dozen networks, all in different security zones and even across different geographical locations. As far as working, it *should*, but I'm not certain it will.&lt;/P&gt;</description>
      <pubDate>Wed, 30 Aug 2017 18:07:20 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/looking-for-some-rule-guidance/m-p/173936#M54702</guid>
      <dc:creator>John_Braswell</dc:creator>
      <dc:date>2017-08-30T18:07:20Z</dc:date>
    </item>
    <item>
      <title>Re: Looking for some rule guidance</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/looking-for-some-rule-guidance/m-p/173961#M54711</link>
      <description>&lt;P&gt;And the answer was right in my face. The subnets I need to exclude are in the same security zone, so I can make a rule that specifically says talk to these hosts in that zone, then a general rule that calls all of my other zones, without the zone in the previous rule, and that should kill the unwanted access. Sometimes it helps to just talk it out. Thanks everybody!!&lt;/P&gt;</description>
      <pubDate>Wed, 30 Aug 2017 18:55:04 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/looking-for-some-rule-guidance/m-p/173961#M54711</guid>
      <dc:creator>John_Braswell</dc:creator>
      <dc:date>2017-08-30T18:55:04Z</dc:date>
    </item>
  </channel>
</rss>