topic DMZ with multiple VLANs, multiple Zones? in General Topics

DMZ with multiple VLANs, multiple Zones?

jambulo — Fri, 17 Aug 2018 23:34:38 GMT

If you have a DMZ behind the Palo and it contains multiple VLANs or sub-interfaces, would you create multiple Zones(one for each VLAN)? Or create a single "DMZ" zone and apply that to all of the VLANs?

Re: DMZ with multiple VLANs, multiple Zones?

Remo — Sat, 18 Aug 2018 10:37:32 GMT

Hi @jambulo

There is no simple answer for your question. It depends ...

Are the subnets equal to each other?
Will you generally allow traffic between the subnets?
Are the subnets contain different group of servers? (One subnet for linux and one for windows for example)
Do you plan to configure generic zone firewallrules or do you configure specific rules for each server?

Re: DMZ with multiple VLANs, multiple Zones?

OtakarKlier — Tue, 21 Aug 2018 17:40:05 GMT

Hello,

I agree with @Remo. The way I do it is use one zone and then create policies around the vlan subnets. This way I dont run out of zones and can keep the traffic highly segregated. This is also because I have an implicite DENY ALL at the end of my rules so the built in intra-zone traffic rules doesnt apply and traffic is denied by policy.

Hope that makes sense.

Re: DMZ with multiple VLANs, multiple Zones?

jambulo — Tue, 21 Aug 2018 17:52:49 GMT

Are the subnets equal to each other?
- Not sure what you mean.
Will you generally allow traffic between the subnets?
- Generally will not allow traffic between subnets.
Are the subnets contain different group of servers? (One subnet for linux and one for windows for example)
- Subnets can contain different types of servers, but mainly are separated by the functions that the servers provide.
Do you plan to configure generic zone firewallrules or do you configure specific rules for each server?
- Specific rules for each server.

Re: DMZ with multiple VLANs, multiple Zones?

Remo — Tue, 21 Aug 2018 23:26:08 GMT

@jambulo wrote:
Are the subnets equal to each other?
Not sure what you mean.

I meant if these subnets are all the same and the only reason you have more than one is mabe because one /24 isn't big enough, so you created a second. But as you wrote you want to group the servers based on their functions.

Depending on the number of subnets and the hardware you are using, I would create one zone per vlan/subnet. As you group the servers by their functions this would fit perfectly into the zonenames so you have a better overview in the ruleset.

If you have more than 40 subnets and you are using a PA-3020, then you have to go the way with one zone where you drop intrazone traffic, but in case you have a PA-5220 or even bigger then the number of zones will probably not be a limit in any way.