https://live.paloaltonetworks.com/t5/general-topics/cleanup-rule/m-p/325664#M83046 <P>The Interzone default acts as a "cleanup" rule for traffic <STRONG>between</STRONG> zones.&nbsp; You should still set logging on it to capture that traffic in logs.&nbsp;&nbsp;</P><P>&nbsp;</P><P>The intrazone rule is for traffic between the <STRONG>same</STRONG> zone and is a default ALLOW.&nbsp; So inside-inside or outside-outside.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Generally, a cleanup rule isn't required, but as with all things, there is likely a use case out there.&nbsp;</P> Fri, 01 May 2020 15:18:36 GMT gelgin 2020-05-01T15:18:36Z https://live.paloaltonetworks.com/t5/general-topics/cleanup-rule/m-p/325583#M83027 <P>Do you recommend creating a cleanup rule (last rule to deny any any) in PA? As far as I know, PA firewalls only allow traffic explicitly defined, and the last DENY is a built in "known rule"…correct?</P><P>&nbsp;</P><P>or will the interzone policy take care of this?</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 30 Apr 2020 22:19:15 GMT https://live.paloaltonetworks.com/t5/general-topics/cleanup-rule/m-p/325583#M83027 Retired Member 2020-04-30T22:19:15Z https://live.paloaltonetworks.com/t5/general-topics/cleanup-rule/m-p/325585#M83028 <P>The whole thinking of having a "Clean Up" rule usually is for testing or for logging.&nbsp;</P> <P>There may be other ways you can gather the same information,, but that is why you would want to have one.</P> Thu, 30 Apr 2020 22:24:12 GMT https://live.paloaltonetworks.com/t5/general-topics/cleanup-rule/m-p/325585#M83028 jdelio 2020-04-30T22:24:12Z https://live.paloaltonetworks.com/t5/general-topics/cleanup-rule/m-p/325589#M83029 <P><SPAN>PA firewalls only allow traffic explicitly defined, and the last DENY is a built in "known rule"…<U><STRONG>correct</STRONG></U>?</SPAN></P> Thu, 30 Apr 2020 22:28:25 GMT https://live.paloaltonetworks.com/t5/general-topics/cleanup-rule/m-p/325589#M83029 Retired Member 2020-04-30T22:28:25Z https://live.paloaltonetworks.com/t5/general-topics/cleanup-rule/m-p/325664#M83046 <P>The Interzone default acts as a "cleanup" rule for traffic <STRONG>between</STRONG> zones.&nbsp; You should still set logging on it to capture that traffic in logs.&nbsp;&nbsp;</P><P>&nbsp;</P><P>The intrazone rule is for traffic between the <STRONG>same</STRONG> zone and is a default ALLOW.&nbsp; So inside-inside or outside-outside.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Generally, a cleanup rule isn't required, but as with all things, there is likely a use case out there.&nbsp;</P> Fri, 01 May 2020 15:18:36 GMT https://live.paloaltonetworks.com/t5/general-topics/cleanup-rule/m-p/325664#M83046 gelgin 2020-05-01T15:18:36Z