topic Re: block IP's in same zone in General Topics

block IP's in same zone

jdprovine — Tue, 02 Oct 2018 12:37:37 GMT

Is it possible or practical to block traffic between two server in the same firewall zone by designating the source IP from the server you want to block access to the server to the destination server indicated by IP

Re: block IP's in same zone

rmfalconer — Tue, 02 Oct 2018 13:21:55 GMT

If the traffic is passingg through the firewall while staying in the same zone, you could create an intrazone policy to block the traffic. Are the servers on different subnets and in the same zone?

Re: block IP's in same zone

jdprovine — Tue, 02 Oct 2018 13:29:06 GMT

@rmfalconer

Different subnet same zones, that is why I thought I could name the source IP range that I didn't not want to have access to the specific IP's of the server I don't want them to have access to or from

Re: block IP's in same zone

rmfalconer — Tue, 02 Oct 2018 14:48:22 GMT

As long as the traffic between these hosts passes through the firewall, then you should be able to create an intrazone rule to deny whatever you need.

Re: block IP's in same zone

jdprovine — Wed, 03 Oct 2018 16:17:35 GMT

@rmfalconer @reaper @BPry

How do you have to configure an intrazone rule?

Re: block IP's in same zone

OtakarKlier — Wed, 03 Oct 2018 16:43:28 GMT

Hello,

It would look something like this:

(source zone) (source IP) (destination zone) (destination IP)

This way since they are different subnets and have to use the PAN as a gateway, you can create secutiy policies to distinguish traffic. I do this due to the amount of zones a PAN can have. This way I create one zone and subnet it out and use source and destination subnets.

Hope that makes sense.

Re: block IP's in same zone

jdprovine — Wed, 03 Oct 2018 16:58:56 GMT

@OtakarKlier

Yes that makes sense I thought I did that but I can still ping the server that I am trying to block access too

Re: block IP's in same zone

rmfalconer — Wed, 03 Oct 2018 17:21:21 GMT

When you create the policy, make sure the type is 'intrazone'. Once you select the source zone, the destination zone selection is disabled.

Re: block IP's in same zone

jdprovine — Wed, 03 Oct 2018 17:59:17 GMT

@rmfalconer

Where do you choose intrazone?

Re: block IP's in same zone

rmfalconer — Wed, 03 Oct 2018 18:05:38 GMT

Re: block IP's in same zone

jdprovine — Wed, 03 Oct 2018 18:55:33 GMT

@rmfalconer @OtakarKlier @reaper

Do you have to be very specific? like

source - server 1 10.10.10.10

Source zone - myhouse

destination - server 2 10.10.189.16

destination zone - myhouse

And have you used this on your firewall? Also I if I read this correctly that if I have the rule type set to universal,which I do, it should cover both interzone and intrazone

Re: block IP's in same zone

BPry — Wed, 03 Oct 2018 20:33:47 GMT

@jdprovine,

It's essentially built out exactly the same as you would a normal security policy, the 'to' and 'from' are just going to be exactly the same.

You can leave the rule type as universal or set it to intrazone, both would function the same.

Re: block IP's in same zone

jdprovine — Wed, 03 Oct 2018 20:36:50 GMT

@BPry

From what read I was under the same impression. i guess i could move my server to another security zone but thats not assurrance either without making sure of how everything is routed and aggregated etc

Re: block IP's in same zone

OtakarKlier — Thu, 04 Oct 2018 16:00:06 GMT

Hello @jdprovine,

As for the IP's, no they do not have to be specific if you dont want then to be. I have a zone called DMZ, then I carve out subnets out of it. Since I have a DENY ALL rule before the built in allow intra zone traffic, it will automatically be blocked and then I can chose what is allowed to talk to what. So instead of using specific IP's you can use Subnets.

source zone = DMZ

source IP = 192.168.55.0/29

destination zone = DMZ

destination IP = 192.168.55.96/29

Hope that makes sense.

Re: block IP's in same zone

RobinClayton — Mon, 08 Oct 2018 11:43:11 GMT

Just checking.... But the server Default gateways are the firewall not something else?

Re: block IP's in same zone

jdprovine — Mon, 08 Oct 2018 12:42:11 GMT

No the servers would have gateways associated with the vlan that they reside in

Re: block IP's in same zone

RobinClayton — Mon, 08 Oct 2018 13:12:48 GMT

So the gateway for each vlan is not the firewall.

What is the gateway device

Re: block IP's in same zone

jdprovine — Mon, 08 Oct 2018 13:19:10 GMT

No why would that gateway be on the firewall? The gateway would be a router

Re: block IP's in same zone

RobinClayton — Mon, 08 Oct 2018 13:20:53 GMT

So does the router know about both vlans? and do the routing for both vlans?

Rob

Re: block IP's in same zone

jdprovine — Mon, 08 Oct 2018 13:25:59 GMT

Yes the routing it set up for the vlan I am talking about. So what does this have to do with blocking the IP's on the firewall?