https://live.paloaltonetworks.com/t5/general-topics/rfc1918/m-p/177710#M55392 <P>I usually block trust to untrust RFC1918.</P><P>Although ISP routers drop it anyway I like to keep it clean.</P><P>It is really common for many applications like Skype for example to scan internal ranges for peers.</P> Tue, 19 Sep 2017 20:52:10 GMT Raido_Rattameister 2017-09-19T20:52:10Z https://live.paloaltonetworks.com/t5/general-topics/rfc1918/m-p/177700#M55391 <P>Basic trust to untrust policy I see internal address sending snmp to addresses like 10.0.0.1, 192.168.1.x.</P><P>&nbsp;</P><P>Do people create a policy to block internal traffic going to RFC1918 on the untrusted interface?</P> Tue, 19 Sep 2017 20:28:00 GMT https://live.paloaltonetworks.com/t5/general-topics/rfc1918/m-p/177700#M55391 s.williams1 2017-09-19T20:28:00Z https://live.paloaltonetworks.com/t5/general-topics/rfc1918/m-p/177710#M55392 <P>I usually block trust to untrust RFC1918.</P><P>Although ISP routers drop it anyway I like to keep it clean.</P><P>It is really common for many applications like Skype for example to scan internal ranges for peers.</P> Tue, 19 Sep 2017 20:52:10 GMT https://live.paloaltonetworks.com/t5/general-topics/rfc1918/m-p/177710#M55392 Raido_Rattameister 2017-09-19T20:52:10Z https://live.paloaltonetworks.com/t5/general-topics/rfc1918/m-p/524298#M108490 <P>Do you have the one line policy.</P> <P>&nbsp;</P> <P>Trust to untrust&nbsp; ( the builtin PAN addresses appear confusing.</P> <P>&nbsp;</P> <P>TrRUST or INSIDE zones</P> <P>ANY</P> <P>UNTRUST&nbsp;&nbsp;</P> <UL> <LI><SPAN>10.0.0.0</SPAN><SPAN>&nbsp;</SPAN><SPAN>–</SPAN><SPAN>&nbsp;</SPAN><SPAN>10.255.255.255&nbsp; (10/8 prefix)</SPAN></LI> <LI><SPAN>172.16.0.0</SPAN><SPAN>&nbsp;</SPAN><SPAN>–</SPAN><SPAN>&nbsp;</SPAN><SPAN>172.31.255.255&nbsp; (172.16/12 prefix)</SPAN></LI> <LI><SPAN>192.168.0.0</SPAN><SPAN>&nbsp;</SPAN><SPAN>–</SPAN><SPAN>&nbsp;</SPAN><SPAN>192.168.255.255 (192.168/16 prefix)</SPAN></LI> </UL> <P><SPAN>Action Block/deny</SPAN></P> <P>This is&nbsp; the first policy I believe</P> Thu, 15 Dec 2022 22:11:19 GMT https://live.paloaltonetworks.com/t5/general-topics/rfc1918/m-p/524298#M108490 JimDeMayo 2022-12-15T22:11:19Z https://live.paloaltonetworks.com/t5/general-topics/rfc1918/m-p/524887#M108580 <P>Hello,</P> <P>If you follow a DENY ALL allow by exception methodology, just put a DENY ALL policy at the bottom of the Security Policies. This way only traffic that you 'allow' is allowed to go between zones, etc.</P> <P>&nbsp;</P> <P>Regards,</P> Thu, 22 Dec 2022 19:52:12 GMT https://live.paloaltonetworks.com/t5/general-topics/rfc1918/m-p/524887#M108580 OtakarKlier 2022-12-22T19:52:12Z