https://live.paloaltonetworks.com/t5/general-topics/to-drop-or-deny/m-p/206903#M60684 <P>yes there are many pages on this stuff...</P><P>&nbsp;</P><P>we opted for similar to <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>.</P><P>untrust to trust... drop</P><P>trust to untrust, mostly drop but with a few overlapping policy denies for specific hosts and users</P><P>&nbsp;</P><P>for trust to untrust diagnostics, deny (block all policy session start... not logging to paranormal) is a must, as and when required..</P><P>i prefer this to messing around with the default zone policies...</P> Thu, 22 Mar 2018 14:42:28 GMT Mick_Ball 2018-03-22T14:42:28Z https://live.paloaltonetworks.com/t5/general-topics/to-drop-or-deny/m-p/206863#M60674 <P>I found some best practices documentation on the fuel group site and they recommend drop over deny.&nbsp; So I would be interested to see how people are configuring their fire wall more drops or denies and why?</P> Thu, 22 Mar 2018 13:24:07 GMT https://live.paloaltonetworks.com/t5/general-topics/to-drop-or-deny/m-p/206863#M60674 jdprovine 2018-03-22T13:24:07Z https://live.paloaltonetworks.com/t5/general-topics/to-drop-or-deny/m-p/206900#M60682 <P>A drop is silent, you simply discard the packet and don't tell anyone about it. This is great for most siatuations as you don't generate more traffic on your network and outsiders who may potentially be scanning you are non the wiser</P> <P>&nbsp;</P> <P>A deny sends a notification to the sender that something happened and their packet was rejected</P> <P>This could be helpful in providing a 'friendly' user experience as some applications will be able to pop up an error message telling the user their connection was rejected (instead of timing out, causing the user to have to wait and possibly keep trying), and tell applications to stop trying to connect.</P> <P>&nbsp;</P> <P>My inbound rules are all drop while my outbound ones are deny (for rules that only trigger on App-ID, eg. "block ftp", you can also pick from 'reset-client', 'reset-server' and 'reset-both' depending which ones are 'internal' and deserve a notification)</P> <P>&nbsp;</P> <P>I wrote a couple things regarding this, fyi:</P> <P><A href="https://live.paloaltonetworks.com/t5/Tutorials/Configurable-Deny-Action/ta-p/76613" target="_blank">https://live.paloaltonetworks.com/t5/Tutorials/Configurable-Deny-Action/ta-p/76613</A></P> <P><A href="https://live.paloaltonetworks.com/t5/Featured-Articles/DotW-reset-server-reset-client-or-silent-drop/ta-p/77343" target="_blank">https://live.paloaltonetworks.com/t5/Featured-Articles/DotW-reset-server-reset-client-or-silent-drop/ta-p/77343</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 22 Mar 2018 14:21:50 GMT https://live.paloaltonetworks.com/t5/general-topics/to-drop-or-deny/m-p/206900#M60682 reaper 2018-03-22T14:21:50Z https://live.paloaltonetworks.com/t5/general-topics/to-drop-or-deny/m-p/206902#M60683 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a></P><P>Don't fear the reaper !! So I guess it good for load on your firewall and stretches the days of logs out but could reduce information</P> Thu, 22 Mar 2018 14:41:29 GMT https://live.paloaltonetworks.com/t5/general-topics/to-drop-or-deny/m-p/206902#M60683 jdprovine 2018-03-22T14:41:29Z https://live.paloaltonetworks.com/t5/general-topics/to-drop-or-deny/m-p/206903#M60684 <P>yes there are many pages on this stuff...</P><P>&nbsp;</P><P>we opted for similar to <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>.</P><P>untrust to trust... drop</P><P>trust to untrust, mostly drop but with a few overlapping policy denies for specific hosts and users</P><P>&nbsp;</P><P>for trust to untrust diagnostics, deny (block all policy session start... not logging to paranormal) is a must, as and when required..</P><P>i prefer this to messing around with the default zone policies...</P> Thu, 22 Mar 2018 14:42:28 GMT https://live.paloaltonetworks.com/t5/general-topics/to-drop-or-deny/m-p/206903#M60684 Mick_Ball 2018-03-22T14:42:28Z https://live.paloaltonetworks.com/t5/general-topics/to-drop-or-deny/m-p/206908#M60687 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9981">@Mick_Ball</a></P><P>Are you referring to the zone protection policies when you say default zone policies?</P> Thu, 22 Mar 2018 15:00:48 GMT https://live.paloaltonetworks.com/t5/general-topics/to-drop-or-deny/m-p/206908#M60687 jdprovine 2018-03-22T15:00:48Z https://live.paloaltonetworks.com/t5/general-topics/to-drop-or-deny/m-p/206910#M60689 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18719">@jdprovine</a>..</P><P>&nbsp;</P><P>No sorry...</P><P>&nbsp;</P><P>the intrazone-default and interzone-default security policies .</P><P>you can overide these and enable logging but i prefer to use my own policy to "block all" from my test PC IP address.</P><P>&nbsp;</P><P>if i see any traffic using this policy, then i know one of the many above it is not working properly.</P><P>if you get my drift...</P> Thu, 22 Mar 2018 15:08:10 GMT https://live.paloaltonetworks.com/t5/general-topics/to-drop-or-deny/m-p/206910#M60689 Mick_Ball 2018-03-22T15:08:10Z https://live.paloaltonetworks.com/t5/general-topics/to-drop-or-deny/m-p/206961#M60717 <P>Great info as always&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a></P> Thu, 22 Mar 2018 18:01:10 GMT https://live.paloaltonetworks.com/t5/general-topics/to-drop-or-deny/m-p/206961#M60717 jdprovine 2018-03-22T18:01:10Z