topic Re: security policy between layer 2 zones in General Topics

security policy between layer 2 zones

LionKin1984 — Tue, 10 Dec 2019 15:21:25 GMT

Hi, I am new to Palo Alto, so this might be a dumb question, below is the setup I have been trying to get it to work -

two layer2 zones; Zone1 and Zone2
three PCs, PC1; PC2 and PC3
PC1 in Zone1
PC2 and PC3 are in Zone2
all three PCs are on the same subnet

question: I am trying to create a security policy to only allow PC1 to talk to PC2, and deny everything else

is it doable?

Thanks

Re: security policy between layer 2 zones

S.Cantwell — Tue, 10 Dec 2019 16:23:14 GMT

Not a dumb question at all... let's review some info, and set expectations.

PC1 is in Zone1.

PC2 is in Zone2

You did not mention at what layer (VWire, Layer2, or Layer3 interface) you are doing your routing (if any)

If all PCs are plugged into a switch (downstream from FW), then the switch will intercept the arps and the FW will not be an inspection point.

You can plug PC1 physically into a port assigned to Zone1 (and do the same for PC2, assigned to Zone2) and now, the firewall would inspect traffic between both PCs.

Ideally... PC1 in Zone1, should be a different subnet than PC2/PC3, so that the FW is the default gateway (at L3) to route and inspect/allow traffic to PC2 and deny traffic to PC3.

To summarize, the FW must see the traffic ingressing to the Zone1.

Re: security policy between layer 2 zones

LionKin1984 — Wed, 11 Dec 2019 08:48:05 GMT

Hi Steve, thanks for you reply, we cant change the IP addresses of the devices hence we have to use layer2 ...

There are two Cisco switches:

Switch 1, where all PCs are connected to, two VLANs created on this switch: -

PC1 is in VLAN10
PC2 and PC3 are in VLAN20

Aggregation Switch

VLAN10 and VLAN20 are ‘Trunked’ to the aggregation switch.

Access ports are used to connect aggregation switch to the firewall

Two Layer 2 interfaces created on the firewall (one for VLAN10, one for VLAN20)

Two Layer 2 zones created on the firewall

One VLAN created on the firewall and both Layer 2 interfaces are in this VLAN

Security policy (universal) created and worked between two Layer 2 zones but everything can talk to everything between zones which is no what I want, I only want PC1 to talk to PC2 and deny everything else

Please find attach image for reference.

Thanks

Re: security policy between layer 2 zones

S.Cantwell — Wed, 11 Dec 2019 18:53:38 GMT

Hello

Your issue is that you created a single vlan on the FW, and associated both interfaces to that vlan.

The put the zones into the same vlan.

You should create 2 vlans on the FW and put vlan10 in PC1 zone, and vlan20 onto PC2

Re: security policy between layer 2 zones

LionKin1984 — Thu, 12 Dec 2019 08:17:00 GMT

Hi Steve, I have created two VLANs and a layer 2 security policy on the firewall, now they cant ping each other ...

Re: security policy between layer 2 zones

S.Cantwell — Thu, 12 Dec 2019 21:19:03 GMT

Hello.

Making progress though right? 😛 Not really.

I think I realized that I isolated you now, with vlan10 and vlan20 not being able forward arp/broadcast traffic.

So... back to original idea of 2 ports in a single L2 vlan on the FW.

So if PC1 is on port1 and PC2 is on port2 (both ports in same vlan on FW) then the following should happen.

PC1 attempts to ping PC2.

Not knowing his L2 mac address, he will arp out (broadcast)

Traffic ingress switch, egresses out the trunk port.

Aggregation switch should fwd (untagged tag) packet to port1 of FW.

FW will/should allow broadcast to go out port2 and reverse down trunk to PC2.

Once arp resolution is determined, then security policy should be something like like

SZ (fw_vlan) SA (PC1) ==> to DZ (fw_vlan) DA (PC2) ==> app of ping ==> application-default a ==> ALLOW

next rule is

SZ (fw_vlan) SA (PC1) ==> to DZ (fw_vlan) DA (ANY) ==> ANY ==> ANY ==> DENY

If you missed this rule, then the intrazone rule is what you hit and allowed you to ping PC3

This may be exactly what you had (and I would apologize for going down a rabbit hole... 😛

You would need to look at your traffic log to see/confirm that the traffic from PC1 is hitting PC2 and also confirm.if traffic is passing and then denying for PC1 to PC3 traffic.

Let us know.

Re: security policy between layer 2 zones

LionKin1984 — Fri, 13 Dec 2019 08:55:42 GMT

Thanks again for you reply Steve, that makes lot of sense.

with your help, i have managed to get it sorted, i created the rules as you suggested and also created three 'objects', however i messed up with the mask when creating the network object (instead of 10.10.10.1/32 I put it down as 10.10.10.1/24 (whole subnet...), school boy error I know)

Thanks