<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Trust and Untrust on same interface in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/trust-and-untrust-on-same-interface/m-p/192871#M57895</link>
    <description>&lt;P&gt;I am pretty new to the Palo Altos, so I have a question that will be pretty easy to answer.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am setting up a PA-820 in Virtual Wire and we have both Trusted and Untrusted networks on the same interface from the router.&amp;nbsp; The External interface is the route to the internet but is also the route to all our branches through GRE Tunnels.&amp;nbsp; What would be the best way to set up security policies that protect against internet traffic but allow the 10.0.0.0 network?&lt;/P&gt;</description>
    <pubDate>Fri, 22 Dec 2017 14:45:27 GMT</pubDate>
    <dc:creator>Nathan.Gooding</dc:creator>
    <dc:date>2017-12-22T14:45:27Z</dc:date>
    <item>
      <title>Trust and Untrust on same interface</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/trust-and-untrust-on-same-interface/m-p/192871#M57895</link>
      <description>&lt;P&gt;I am pretty new to the Palo Altos, so I have a question that will be pretty easy to answer.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am setting up a PA-820 in Virtual Wire and we have both Trusted and Untrusted networks on the same interface from the router.&amp;nbsp; The External interface is the route to the internet but is also the route to all our branches through GRE Tunnels.&amp;nbsp; What would be the best way to set up security policies that protect against internet traffic but allow the 10.0.0.0 network?&lt;/P&gt;</description>
      <pubDate>Fri, 22 Dec 2017 14:45:27 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/trust-and-untrust-on-same-interface/m-p/192871#M57895</guid>
      <dc:creator>Nathan.Gooding</dc:creator>
      <dc:date>2017-12-22T14:45:27Z</dc:date>
    </item>
    <item>
      <title>Re: Trust and Untrust on same interface</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/trust-and-untrust-on-same-interface/m-p/192900#M57900</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/79606"&gt;@Nathan.Gooding&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;Interesting. You won't be able to separate them into logical zones then, since you can only put one zone on an interface.&lt;/P&gt;&lt;P&gt;I imagine that you would simply be more strict between source/destination addresses than someone who could simply specify a zone, and that you'll likely use a pretty fair amount of the negate option. In any policy that you make for protecting against outside connections, you could negate the 10.0.0.0/8 network so that those policies simply wouldn't apply to anything within that range.&lt;/P&gt;</description>
      <pubDate>Fri, 22 Dec 2017 16:21:22 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/trust-and-untrust-on-same-interface/m-p/192900#M57900</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2017-12-22T16:21:22Z</dc:date>
    </item>
    <item>
      <title>Re: Trust and Untrust on same interface</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/trust-and-untrust-on-same-interface/m-p/193510#M58006</link>
      <description>&lt;P&gt;Are your GRE tunnels going through some WAN connection or concentrator?&lt;/P&gt;
&lt;P&gt;If your environment is on managed switches, you could set the internet to one VLAN and your GRE output to another, then create tagged sub-interfaces for your vwire. Each sub-interface can have its own zone, so you'd be able to do just that (then bridge the VLANs behind your vwire).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You could also switch to a layer 2 layout and have the firewall act as a switch rather than a router or a tube. You'd be able to put each of your 3 areas in a layer 2 zone, bridge them all, and apply security policies between the zones.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If your GRE tunnels are terminated behind the firewall on the inside (it's not clear where you are terminating the tunnels), you can simply allow GRE from untrust to trust and/or trust to untrust.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Otherwise, &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480"&gt;@BPry&lt;/a&gt;'s solution is the way to go: differentiate between anything with 10.0.0.0 negated, or specifically for source/destination 10.0.0.0.&lt;/P&gt;</description>
      <pubDate>Tue, 02 Jan 2018 14:55:47 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/trust-and-untrust-on-same-interface/m-p/193510#M58006</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2018-01-02T14:55:47Z</dc:date>
    </item>
  </channel>
</rss>