topic Re: Firewall between host and gateway in General Topics

Firewall between host and gateway

epeeler — Tue, 24 Mar 2015 16:43:56 GMT

Sorry if this is really basic but...

I have configuration where, we've added a gateway to a subnet that we only want one host to be able to access to get offsite. The gateway is on the other side of a vwire in the same subnet space obviously but in a different zone on the firewall. We're only allowing inbound connections from a client on the other side of this gateway into the subnet. No hosts in the subnet would be initiating connections to the client.

My question is, since the FW is between the host and it's gateway, do I need a rule for the host inside the network to be able to arp for the gateway through the firewall and vice versa?

Or to make the question more generic I guess, do I need a rule to allow two hosts on the same subnet but separated by a vwire in different zones to be able to arp before a L3 connection gets established?

Thanks in advance.

Re: Firewall between host and gateway

rrajendran — Tue, 24 Mar 2015 18:32:12 GMT

Hi epeeler,

Yes. If the vwire zones are placed in different zones (trust and untrust), then you will require policy to allow the traffic to reach your gateway from host.

Regards,

Ramya

Re: Firewall between host and gateway

epeeler — Tue, 24 Mar 2015 19:23:51 GMT

Thanks Ramya,

What's the best way to restrict traffic to only arp? I don't want the two machines to do anything other than pass ethernet frames between each other.

Re: Firewall between host and gateway

rrajendran — Tue, 24 Mar 2015 23:06:56 GMT

Hi,

As per my knowledge, there isn't a way to restrict just the ARP traffic.

Regards,

Ramya

Re: Firewall between host and gateway

jsu2 — Thu, 14 May 2015 21:52:46 GMT

Yeah, it doesn't look like PanOS knows about ARP. We are attempting a similar configuration with the PA in Layer 2 configuration. It's not obvious how to create a policy that allows ARP to traverse the firewall.

Re: Firewall between host and gateway

epeeler — Fri, 15 May 2015 13:23:40 GMT

I ended up not needing any specific rule for ARP. It just worked. The host is able to ARP for the gateway's IP address and respond to the allowed inbound L3 traffic from outside the firewall.

Re: Firewall between host and gateway

jsu2 — Fri, 15 May 2015 21:43:39 GMT

Thanks for the quick feedback. If link layer traffic is allowed to pass between security zones without policy in Vwire, then it should do the same in Layer 2 config.