topic Re: Apply policy security on vlan in General Topics

Apply policy security on vlan

hamza_ineos — Tue, 07 Nov 2017 12:13:31 GMT

Hello

Plz i need ansewr as soon as possible, can i apply the security policy rule on vlans ? for exepmle let vlan 10 connect to facebook, but bloc facebook for vlan20 ??

Re: Apply policy security on vlan

DonohoeRobert — Tue, 07 Nov 2017 13:10:50 GMT

Hi Hamza,

Short answer is yes you can. Does the different vlans have different zones ?

If they do just apply the src zone as required in your rules.

If they don't can seperate it using an address object range if the vlans have different subnets.

ref :

here's a link of a guy setting up a pa-200, using vlans and rules for the vlan

https://live.paloaltonetworks.com/t5/Configuration-Articles/Setting-Up-the-PA-200-for-Home-and-Small-Office/ta-p/61838

here's a link for creating address range if no seperate zones for the vlans

https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/objects/objects-addresses

cheers

Rob

Re: Apply policy security on vlan

kiwi — Tue, 07 Nov 2017 13:11:28 GMT

Hi @hamza_ineos,

Yes you can.

Just use different zones per vlan and you can control your policies based on those zones.

The following getting started guides should be very helpful for you :

Getting-Started-Layer-2-Interfaces

Getting-Started-Layer-3-Subinterfaces

Cheers !

-Kiwi.

Re: Apply policy security on vlan

hamza_ineos — Tue, 07 Nov 2017 22:12:40 GMT

thank you very much brothers

i still have some questions plz, we have 2 scénarios in our deployment:

1-creating the vlan in PaloAlto firwall, and then manage it from the firewall.

2-or create the vlans on the cisco switch, in this case can the firwall apply the security rule on the vlans created in cisco switch ? (Important question).

witch of the this 2 sénarios is the best practice ??

plz if it's possible give me what the advantage/disadvantage of creating vlan on paloalto and not on cisco switch !!

and what the advantage/disadvantage of creating vlan on cisco switch and not on paloalto !!

Re: Apply policy security on vlan

kiwi — Wed, 08 Nov 2017 08:40:15 GMT

Hi @hamza_ineos,

Personally, I don't think it's a matter of which is best practice ...

Both are valid ways to configure. You'll just need to decide on a design that best fits your network and configure the firewall/switch accordingly.

Cheers !

-Kiwi.

Re: Apply policy security on vlan

hamza_ineos — Wed, 08 Nov 2017 09:09:12 GMT

thnk for you ansewr bro 🙂

Then if i create the vlans on the cisco switch, in this case can the firwall apply the security rule on the vlans created in cisco switch ?

Re: Apply policy security on vlan

kiwi — Wed, 08 Nov 2017 09:17:43 GMT

Hi @hamza_ineos,

Yes, you can use tags and zones for this.

It's explained in the 2nd link I posted earlier : Getting-Started-Layer-3-Subinterfaces

Cheers !

-Kiwi.

Re: Apply policy security on vlan

hamza_ineos — Wed, 08 Nov 2017 10:49:48 GMT

Hi @kiwi

Thank very much for help!

this tutorial is very nice, but i have a question, i see in the toturial that we must give an ip adresse for the vlan(in paloalto), this adresse ip is the same that i gave it to this vlan when i created in cisco switch ?

ex: i create a vlan10 on cisco switch with ip adresse: 10.1.1.1/24, then i must create a subinterface in palo alto with the tag 10, and the adresse ip : 10.1.1.1/24 ??

thanks a lot

Re: Apply policy security on vlan

hamza_ineos — Wed, 08 Nov 2017 15:17:23 GMT

where are you brother @kiwi , plz i need answer for my previous question

Re: Apply policy security on vlan

DonohoeRobert — Wed, 08 Nov 2017 21:48:32 GMT

Hi Mate,

someone asked a similiar question below here; [check out the comments at the bottom]

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-3-Subinterfaces/ta-p/67395

generally can always test it one way or the other if not sure. best way to learn aswell.

cheers

rob

Re: Apply policy security on vlan

hamza_ineos — Thu, 09 Nov 2017 10:11:28 GMT

thank you very much bro 🙂