topic Re: Is Zone Protection on Shared Gateways Supported in General Topics

Is Zone Protection on Shared Gateways Supported

CHammock — Fri, 24 Nov 2017 17:03:02 GMT

I have a question regarding Zone Protection on Zones in a shared gateway. Is it supported. When I try and configure it it seems to be valid configuration. However as a shared gateway does not generate logs where do the the ZP logs go? Also when I run the command "show zone-protection zone ?" the SG zones do no show in the list so I can't collect stats for the zone protection.

I did try applying zone protection to the external zone which connects to the SG but this gave a commit warning saying something about syn-cookie not supported. Also in my mind this would apply zone protection too late for it to be affective.

Re: Is Zone Protection on Shared Gateways Supported

Remo — Sun, 26 Nov 2017 12:55:37 GMT

Hi @CHammock

It is supported ... with some limitations (as you already saw in the commit warning)

https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/network/network-network-profiles-zone-protection/building-blocks-of-zone-protection-profiles#id463e1210-c858-4712-8d34-66b5fb587c2e

Re: Is Zone Protection on Shared Gateways Supported

CHammock — Mon, 27 Nov 2017 11:20:19 GMT

Thanks for the response. The link at least clears up the question of External Zone Support in VSYS, however are you able to confirm the qestion of if Zone protection profiles are supported on Layer3 Zones assigned to Shared Gateways? If so where would you find the logs?

Re: Is Zone Protection on Shared Gateways Supported

Remo — Mon, 27 Nov 2017 11:43:25 GMT

I haven't any shared gateway configured on our firewalls. But the logs should be in the thread log if you have assigned a Log forwarding profile to the zone.

And in the Monitor tab you probably have to select all virtual systems to view these logs, as they are not assigned to specific vsys

Re: Is Zone Protection on Shared Gateways Supported

CHammock — Tue, 28 Nov 2017 09:46:43 GMT

Just to clarify my questions were based on a design I am putting forward but in the end I decide to lab the functionality to be sure.

I have just tested this in the lab and have found the below

1. As vsys_remo suggested when you assign a zone protection profile to a zone in an SG it will log to the threat log if you change the Virtual System drop down to all. I have to say I didn't expect this but it is a pleasent suprise. Obviously a Log Forwarding profile is only needed if you wish to forward those logs to an external log device like syslog.

2. The other thing I discovered regarding my point of the "show zone-protection" command. If you use "show zone-protection zone {zonename}" you will only be able to filter based on zones which belong to a VSYS not an SG, however if you just run the command "show zone-protection" it will list all the zone-protection states including those from the SG zones.

Many Thanks to vsys_remo for the guidance.