https://live.paloaltonetworks.com/t5/general-topics/cisco-asa-to-palo-alto/m-p/321494#M82280 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/101331">@SureshBalaji</a>&nbsp;Your security policy should not configure with any any. At least you should restrict policy for specific zones.</P><P>&nbsp;</P><P>I am fully agreed with&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/132521">@SutareMayur</a>&nbsp;.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 08 Apr 2020 11:43:16 GMT johnde 2020-04-08T11:43:16Z https://live.paloaltonetworks.com/t5/general-topics/cisco-asa-to-palo-alto/m-p/321372#M82256 <P>Hi Team, we recently migrated from cisco ASA to Palo Alto 3220, where for one of the policy in cisco ASA has "&nbsp;access-list inside-egress extended permit ip any any", And this access-list is attached to the access-group to the interface "inside". as you can see below.</P><P>"access-group inside-egress out interface inside"</P><P>as per my understanding from cisco perspective for this access group the traffic which egresses out of the interface named "inside", should evaluate the against the access-list "inside-egress". The following are the access-list related to inside-egress.&nbsp; &nbsp;</P><P>&nbsp;</P><P>access-list inside-egress extended permit icmp host 10.197.37.212 host 10.15.126.119<BR />access-list inside-egress extended permit tcp host 10.16.17.9 host 10.15.4.84 eq 5707 log interval 1<BR />access-list inside-egress extended permit ip any any</P><P>&nbsp;</P><P>When it is converted to Palo Alto, for the "&nbsp;access-list inside-egress extended permit ip any any"&nbsp; tool created a policy stating&nbsp;</P><P>Source zone - any, Source subnet- any to destination-subnet- any, destination-zone - "inside" with allow action.</P><P>&nbsp;</P><P>Basically anything from anywhere were allowed to inside zone (which is dangerous wide open policy).</P><P>&nbsp;</P><P>How we can rectify this, need your advise, for the access-group with "out" attached to the interface and having "permit ip any any" accesslist.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 07 Apr 2020 22:51:03 GMT https://live.paloaltonetworks.com/t5/general-topics/cisco-asa-to-palo-alto/m-p/321372#M82256 SureshBalaji 2020-04-07T22:51:03Z https://live.paloaltonetworks.com/t5/general-topics/cisco-asa-to-palo-alto/m-p/321487#M82276 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/101331">@SureshBalaji</a></P><P>&nbsp;</P><P>First of all, you shouldn't allow anything coming any destination&nbsp; zone with source any. I would recommend you to go through the the networks those need to be allowed and allow required subnets only, that too with specific zones.&nbsp;</P><P>&nbsp;</P><P>Mayur&nbsp;</P> Wed, 08 Apr 2020 11:24:53 GMT https://live.paloaltonetworks.com/t5/general-topics/cisco-asa-to-palo-alto/m-p/321487#M82276 SutareMayur 2020-04-08T11:24:53Z https://live.paloaltonetworks.com/t5/general-topics/cisco-asa-to-palo-alto/m-p/321494#M82280 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/101331">@SureshBalaji</a>&nbsp;Your security policy should not configure with any any. At least you should restrict policy for specific zones.</P><P>&nbsp;</P><P>I am fully agreed with&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/132521">@SutareMayur</a>&nbsp;.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 08 Apr 2020 11:43:16 GMT https://live.paloaltonetworks.com/t5/general-topics/cisco-asa-to-palo-alto/m-p/321494#M82280 johnde 2020-04-08T11:43:16Z