topic Policies with any zone in source and destination in General Topics

Policies with any zone in source and destination

Vikram511 — Fri, 29 May 2020 12:40:44 GMT

While migrating from checkpoint to Palo Alto after defining zones and interface.

Can I simply use any in source and destination zone and create policies with specific objects in source/destination address.

Will it work, for replicating same policies while migrating from checkpoint to Palo Alto.

Re: Policies with any zone in source and destination

shawnhafen — Fri, 29 May 2020 16:37:04 GMT

You can do that, however I would recommend scoping the policies down as much as you can. We also migrated from CP and ended up with some pretty silly policies that had to be tuned. each column in the policy is going to strengthen your security stance so the more the merrier I say!

instead of using any any in the zones I would recommend putting each zone that needs that traffic in there, this will also prevent you from unintentionally allowing any zones that are added later you may not want to allow for said policies.

Re: Policies with any zone in source and destination

BPry — Fri, 29 May 2020 17:36:59 GMT

@Vikram511,

I'm a huge fan of actually never using 'any' for a zone in the rulebase. That can cause issues down the road as you expand your use of zones and grant unknown additional access that you probably didn't intend for. Best to always specify the zones individually.