https://live.paloaltonetworks.com/t5/general-topics/intrazone-default-rule/m-p/313438#M80932 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9981">@Mick_Ball</a>&nbsp;,</P><P>&nbsp;</P><P><SPAN>I am talking about intrazone rule which allows traffic between same zone like outside to outside but not outside to inside.</SPAN><BR /><BR /><A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/83320" target="_blank">@JoergSchuetter</A><SPAN>&nbsp;Intrazone default will not allow traffic from outside to inside zone for sure.</SPAN><BR /><BR /><SPAN>Mayur</SPAN></P> Fri, 28 Feb 2020 05:20:17 GMT SutareMayur 2020-02-28T05:20:17Z https://live.paloaltonetworks.com/t5/general-topics/intrazone-default-rule/m-p/313329#M80916 <P>Hello,</P><P>&nbsp;</P><P>I would like some advice on Palo Alto's default intrazone-default rule.&nbsp; Unless I have a drop any any above this rule I see IP's from all over the public internet hitting my Palo Alto and being accepted on the intrazone rule as the traffic is from zone outside to zone inside.&nbsp;</P><P>&nbsp;</P><P>I want all of these random public IP's to be blocked and not accepted by the firewall.&nbsp; In one of the training modules I went through it was mentioned that adding a drop any rule above the default rule could make the firewall not function correctly and legitimate traffic may be dropped that is needed.</P><P>&nbsp;</P><P>What is the best practice on this.&nbsp; What are others doing, adding a drop any any, or letting the intrazone-default accept traffic on the outside interface?&nbsp;</P> Thu, 27 Feb 2020 15:28:02 GMT https://live.paloaltonetworks.com/t5/general-topics/intrazone-default-rule/m-p/313329#M80916 mjensen40400 2020-02-27T15:28:02Z https://live.paloaltonetworks.com/t5/general-topics/intrazone-default-rule/m-p/313337#M80918 <P>Hello <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/131513">@mjensen40400</a>&nbsp;</P><P>In the post-rules (managing the firewalls via Panorama), we drop traffic from the Internet. Traffic from inside gets rejected (to let the client know that the connection is not possible, instead of letting it wait for a timeout). We don't use of the pre-defined interzone-default and intrazone-default rules, all traffic is denied at the end.</P><P>The policies which grant the necessary traffic is places in the pre-rules (in other words: above the post-rules / the deny rules). Access to the firewall itself (e.g. Global Protect Portal, ...) needs to be granted explicit.</P><P>Summary: all allow rules are placed in the pre-rules, all deny rules are placed in the post-rules.</P> Thu, 27 Feb 2020 16:01:53 GMT https://live.paloaltonetworks.com/t5/general-topics/intrazone-default-rule/m-p/313337#M80918 JoergSchuetter 2020-02-27T16:01:53Z https://live.paloaltonetworks.com/t5/general-topics/intrazone-default-rule/m-p/313340#M80920 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/83320">@JoergSchuetter</a>,</P><P>&nbsp;</P><P>If you put any any blocked rule above default rules, it will block legitimate traffic like traffic between trust-to-trust or LAN-to-LAN as you have kept any-to-any zone blocked and this rule will get matched before default rule.</P><P>&nbsp;</P><P>Best Practice would be -</P><P>&nbsp;</P><P>If you want to block traffic from untrust-to-untrust which is getting matched due to intrazone default allowed, put one rule at the end like,</P><P>SZONE untraust -to- DZONE untrust --drop</P><P>&nbsp;</P><P>So unwanted traffic which is getting matched currently&nbsp; will get dropped.&nbsp; But if you have any IPSEC tunnel configured on this firewall, please make sure you add explicit policy above this rule to match communication between peer IP addresses as it uses default intrazone policy normally.</P><P>This way, you can block unwanted traffic which is getting allowed currently without creating any impact on legitimate traffic.</P><P>&nbsp;</P><P>Hope it helps!</P><P>&nbsp;</P><P>Mayur</P> Thu, 27 Feb 2020 16:21:25 GMT https://live.paloaltonetworks.com/t5/general-topics/intrazone-default-rule/m-p/313340#M80920 SutareMayur 2020-02-27T16:21:25Z https://live.paloaltonetworks.com/t5/general-topics/intrazone-default-rule/m-p/313342#M80921 <P>Hmmm... not sure if I am reading your thread correctly but the intrazone-default policy will not allow traffic from zone outside to zone inside.</P><P>&nbsp;</P><P>But of course... i have read it so many times... I may have confused myself.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 27 Feb 2020 16:33:19 GMT https://live.paloaltonetworks.com/t5/general-topics/intrazone-default-rule/m-p/313342#M80921 Mick_Ball 2020-02-27T16:33:19Z https://live.paloaltonetworks.com/t5/general-topics/intrazone-default-rule/m-p/313438#M80932 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9981">@Mick_Ball</a>&nbsp;,</P><P>&nbsp;</P><P><SPAN>I am talking about intrazone rule which allows traffic between same zone like outside to outside but not outside to inside.</SPAN><BR /><BR /><A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/83320" target="_blank">@JoergSchuetter</A><SPAN>&nbsp;Intrazone default will not allow traffic from outside to inside zone for sure.</SPAN><BR /><BR /><SPAN>Mayur</SPAN></P> Fri, 28 Feb 2020 05:20:17 GMT https://live.paloaltonetworks.com/t5/general-topics/intrazone-default-rule/m-p/313438#M80932 SutareMayur 2020-02-28T05:20:17Z https://live.paloaltonetworks.com/t5/general-topics/intrazone-default-rule/m-p/615868#M121869 <P>Hello All,<BR />Any solution for this?<BR />Thankyou</P> Thu, 31 Oct 2024 13:30:48 GMT https://live.paloaltonetworks.com/t5/general-topics/intrazone-default-rule/m-p/615868#M121869 JeanPaul222 2024-10-31T13:30:48Z https://live.paloaltonetworks.com/t5/general-topics/intrazone-default-rule/m-p/615875#M121871 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1035429259">@JeanPaul222</a>&nbsp;wrote:<BR /> <P>Hello All,<BR />Any solution for this?<BR />Thankyou</P> <HR /></BLOCKQUOTE> <P>A solution for what?&nbsp; Can you cite specific on what you're looking for?&nbsp; The earlier comments in this almost 5 year old thread didn't always follow the right logic of "intra" and "inter."&nbsp; By sharing the specific details of what you're trying to solve that would be easier to provide a response.</P> Thu, 31 Oct 2024 16:19:34 GMT https://live.paloaltonetworks.com/t5/general-topics/intrazone-default-rule/m-p/615875#M121871 Brandon_Wertz 2024-10-31T16:19:34Z https://live.paloaltonetworks.com/t5/general-topics/intrazone-default-rule/m-p/616271#M121940 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1035429259">@JeanPaul222</a> ,</P> <P>&nbsp;</P> <P>Are you asking if PANW has a recommendation for the intrazone-default rule?&nbsp; Not that I know.&nbsp; The NGFW will drop packets if it is not listening on the TCP/UDP port.&nbsp; It will not allow pings if not enabled in the interface management profile.</P> <P>&nbsp;</P> <P>Like some others, I desire a little more protection.&nbsp; I create a universal drop rule from the outside.&nbsp; It is VERY important to make sure you have allow rules for L2L VPNs, GlobalProtect, BGP, etc. before doing this.</P> <P>&nbsp;</P> <P>Here is a thread where an engineer recommends changing the intrazone-default rule to deny, and he makes some valid points.&nbsp; <A href="https://live.paloaltonetworks.com/t5/next-generation-firewall/should-i-override-the-intrazone-default-to-deny/td-p/581801" target="_blank">https://live.paloaltonetworks.com/t5/next-generation-firewall/should-i-override-the-intrazone-default-to-deny/td-p/581801</A></P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Wed, 06 Nov 2024 18:14:13 GMT https://live.paloaltonetworks.com/t5/general-topics/intrazone-default-rule/m-p/616271#M121940 TomYoung 2024-11-06T18:14:13Z