https://live.paloaltonetworks.com/t5/general-topics/how-security-policy-intrazone-works/m-p/222121#M63892 <P>Nice pop from Mr Reaper...</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/General-Topics/Intrazone-Rules/m-p/147789#M49440" target="_blank">https://live.paloaltonetworks.com/t5/General-Topics/Intrazone-Rules/m-p/147789#M49440</A></P> Fri, 13 Jul 2018 04:58:10 GMT Mick_Ball 2018-07-13T04:58:10Z https://live.paloaltonetworks.com/t5/general-topics/how-security-policy-intrazone-works/m-p/222112#M63889 <P>Trying to use a Security policy with type intrazone and action is Deny (any application &amp; service).</P><P>Target is to block all communication within the same zone (subnet). Such as ping, file share (smb), ftp, etc.</P><P>The layer3 interface and the computers were connected to a unmanaged switch.</P><P>&nbsp;</P><P>But the outcome is only the gateway (layer3 interface) cannot be contact. All the computers can still comunicate with each other.</P><P>&nbsp;</P> Fri, 13 Jul 2018 02:05:45 GMT https://live.paloaltonetworks.com/t5/general-topics/how-security-policy-intrazone-works/m-p/222112#M63889 jeremylo 2018-07-13T02:05:45Z https://live.paloaltonetworks.com/t5/general-topics/how-security-policy-intrazone-works/m-p/222120#M63891 <P>Your devices are on the same broadcast domain so they do not need to pass through the PA interface to communicate with each other.</P><P>&nbsp;</P><P>search this site for “intrazone”.&nbsp;</P> Fri, 13 Jul 2018 04:55:32 GMT https://live.paloaltonetworks.com/t5/general-topics/how-security-policy-intrazone-works/m-p/222120#M63891 Mick_Ball 2018-07-13T04:55:32Z https://live.paloaltonetworks.com/t5/general-topics/how-security-policy-intrazone-works/m-p/222121#M63892 <P>Nice pop from Mr Reaper...</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/General-Topics/Intrazone-Rules/m-p/147789#M49440" target="_blank">https://live.paloaltonetworks.com/t5/General-Topics/Intrazone-Rules/m-p/147789#M49440</A></P> Fri, 13 Jul 2018 04:58:10 GMT https://live.paloaltonetworks.com/t5/general-topics/how-security-policy-intrazone-works/m-p/222121#M63892 Mick_Ball 2018-07-13T04:58:10Z https://live.paloaltonetworks.com/t5/general-topics/how-security-policy-intrazone-works/m-p/222239#M63925 <P>Hosts on the same subnet&nbsp;never see the firewall.</P><P>&nbsp;</P><P>Intrazone&nbsp;seperates different subnets from each other, and requires that the firewall is the Gateway for these subnets.</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 13 Jul 2018 15:27:51 GMT https://live.paloaltonetworks.com/t5/general-topics/how-security-policy-intrazone-works/m-p/222239#M63925 RobinClayton 2018-07-13T15:27:51Z https://live.paloaltonetworks.com/t5/general-topics/how-security-policy-intrazone-works/m-p/222254#M63926 <P>You could segregate traffic within the same subnet using L2 or vwire interfaces and inspect the traffic using intra-zone rules.</P> Fri, 13 Jul 2018 16:12:17 GMT https://live.paloaltonetworks.com/t5/general-topics/how-security-policy-intrazone-works/m-p/222254#M63926 JoeAndreini 2018-07-13T16:12:17Z https://live.paloaltonetworks.com/t5/general-topics/how-security-policy-intrazone-works/m-p/222338#M63950 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/83021">@JoeAndreini</a>&nbsp;wrote:<BR /><P>You could segregate traffic within the same subnet using L2 or vwire interfaces and inspect the traffic using intra-zone rules.</P><HR /></BLOCKQUOTE><P>Hello JoeAndreini,</P><P>This seems impractical. I'll have huge workload to assign each computer to has its own L2 interface.</P> Mon, 16 Jul 2018 01:35:03 GMT https://live.paloaltonetworks.com/t5/general-topics/how-security-policy-intrazone-works/m-p/222338#M63950 jeremylo 2018-07-16T01:35:03Z