topic Re: Apply Policies to a subnet in General Topics

Apply Policies to a subnet

msgroup — Wed, 13 Dec 2017 00:01:13 GMT

Hi,

New here so I hope this is right spot for this question.

I have a router from an ISP that is giving a public /28 subnet out its lan port. (Nat off)

I can't easily replace the device for a couple of reasons.

I wish to run the traffic from this through my PA so I can apply policies to the other devices I will place on this subnet.

A Virtual Wire would work but wouldn't give me any layer 3 control - as I understand it.

I tried a ingress and egress interface in a test virtual router but this can't work because the subnets overlap.

Any ideas?

Thanks

Peter

Re: Apply Policies to a subnet

BrianRa — Wed, 13 Dec 2017 00:24:43 GMT

You could put all the devices behind the PAN and NAT them through it. Put all the public IPs on the firewall and use rules for incoming traffic.

Definately not the only option but it would be a good way of controlling all the traffic. This would require:

* Security Policies

* NAT Policies

* Internal & External Zones

* Private IP subnet (DHCP or no)

Internet <--> Vendor Router <--> PAN <--> Servers/hardware

Brian

Re: Apply Policies to a subnet

msgroup — Wed, 13 Dec 2017 00:35:34 GMT

HI thanks for the reply.

Didn't really want to go down the NAT path as some of the devices will use IPSEC.

Some don't of course and those are the ones you really need to monitor.

Agreed though NAT would make the job simple.

Peter

Re: Apply Policies to a subnet

BPry — Wed, 13 Dec 2017 15:46:55 GMT

@msgroup,

If done properly there isn't any reason why you wouldn't be able to setup the DHCP to hand out the available public IPs, and then setup a couple layer2 interfaces on the PA to actually gain all of the functionality of the firewall. NAT would really be the best solution however, and if you setup a NAT policy properly I've never really had an issue with IPSec tunnels.

Re: Apply Policies to a subnet

BrianRa — Wed, 13 Dec 2017 16:57:01 GMT

I believe when using NAT and IPSEC Tunnels we needed to do PBFs (Policy Based Forward). That may have been our environment as not everything was in the Virtual Routers default routes (you could probably put everything there?).

It is probably possible to use the firewall as the gateway for the rest of the public IPs (creating rules that way) and just hand them out but I think the return route will be a problem as the ISP gateway is in the same subnet and will want to send return traffic directly to the devices. BPry is probably right about using firewall interfaces (or a switch off of one of the interfaces) and passing the traffic through the firewall and setting up Security Policies based on the IPs. I have not played with this however.

Brian

Re: Apply Policies to a subnet

msgroup — Wed, 13 Dec 2017 21:33:56 GMT

Thanks for the replies.

Looks like Nat. Policy Forwarding Rules are probaby a good idea anyway. It least it not production yet so I can play.

I don't anticipate any real issue just though there may have been a simple more elegant solution I hadn't seen.

Peter

Re: Apply Policies to a subnet

BrianRa — Thu, 14 Dec 2017 00:52:54 GMT

NAT has worked well for us. You may not need to use PBFs if you put everything in the VS default routes. Its the Security Policies and the NAT Policies that will be required.

Good luck with the project.

Brian