https://live.paloaltonetworks.com/t5/general-topics/zone-for-vpn/m-p/377719#M89376 <P>Hello,</P> <P>I agree with&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/5300">@Brandon_Wertz</a>&nbsp;, keep it separate, that way you have more control as to who can do what. I would also keep the wired and wireless separate for the same reasons. Try to go with the smallest zero trust you can get away with. This will help prevent wide spread lateral movement and still control who has access to what resources.</P> <P>&nbsp;</P> <P>Regards,</P> Mon, 04 Jan 2021 18:56:44 GMT OtakarKlier 2021-01-04T18:56:44Z https://live.paloaltonetworks.com/t5/general-topics/zone-for-vpn/m-p/377702#M89373 <P>Hello ,</P><P>&nbsp;</P><P>We have currently three diffent zones defined .</P><P>&nbsp;</P><P>Zone A vlan 100. For wired users&nbsp;</P><P>Zone B vlan 200 for wireless users&nbsp;</P><P>Zone V tunnel/ loopback interface for Global protect users.</P><P>&nbsp;</P><P>All the above users mentioned are corp users.</P><P>&nbsp;</P><P>Now customer wants to create. single zone called "All users" and want to put vlan 100 200 and loopback/ tunnel into it.</P><P>&nbsp;</P><P>Is it wise to use same zone for GP users ?</P><P>&nbsp;</P><P>Is it doable ? What are the challenges of we have a single common zone for user traffic ( wired+wireless+gp users )</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 04 Jan 2021 18:18:43 GMT https://live.paloaltonetworks.com/t5/general-topics/zone-for-vpn/m-p/377702#M89373 FWPalolearner 2021-01-04T18:18:43Z https://live.paloaltonetworks.com/t5/general-topics/zone-for-vpn/m-p/377716#M89374 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/133520">@FWPalolearner</a>&nbsp;wrote:<BR /> <P>Hello ,</P> <P>&nbsp;</P> <P>We have currently three diffent zones defined .</P> <P>&nbsp;</P> <P>Zone A vlan 100. For wired users&nbsp;</P> <P>Zone B vlan 200 for wireless users&nbsp;</P> <P>Zone V tunnel/ loopback interface for Global protect users.</P> <P>&nbsp;</P> <P>All the above users mentioned are corp users.</P> <P>&nbsp;</P> <P>Now customer wants to create. single zone called "All users" and want to put vlan 100 200 and loopback/ tunnel into it.</P> <P>&nbsp;</P> <P>Is it wise to use same zone for GP users ?</P> <P>&nbsp;</P> <P>Is it doable ? What are the challenges of we have a single common zone for user traffic ( wired+wireless+gp users )</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <HR /></BLOCKQUOTE> <P>In general a good security practice would be to keep remote / VPN users in a separate security zone.&nbsp; There would be some mitigating factors for not doing so like an "always-on" VPN, but still to ensure the most visibility it would be better to keep VPN users in a separate zone.</P> <P>&nbsp;</P> <P>It's very doable to have all in the same zone.&nbsp; You just need to weigh the various components of the reasons for keeping them separate.&nbsp; Functionally what's the benefit to have wired and wireless users that are internal in a separate zone?&nbsp; Are they a different user or business function?&nbsp; Personally I don't see the need to break out "on-prem" users into different zone, but there might be a logical reason to do so.</P> <P>&nbsp;</P> <P>For a VPN user there's more of a logical reason to keep those users/devices in a separate zone even if it's still a corporate owned device.</P> Mon, 04 Jan 2021 18:32:46 GMT https://live.paloaltonetworks.com/t5/general-topics/zone-for-vpn/m-p/377716#M89374 Brandon_Wertz 2021-01-04T18:32:46Z https://live.paloaltonetworks.com/t5/general-topics/zone-for-vpn/m-p/377718#M89375 <P>Hello <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/5300">@Brandon_Wertz</a>&nbsp;.thanks.</P><P>&nbsp;</P><P>Wired and wireless are separate currently because of historical reasons .</P><P>Customer goal is to have single zone for corp users no matter from where they are coming wired wireless or through GP.</P><P>&nbsp;</P><P>I fully agree that having a separate zone for gp makes it more granular but that's the customer requirements.</P><P>&nbsp;</P><P>So you mean it is doable to have all in same zone I mean vlan subinterfaces plus loopback/ tunnel interface?</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 04 Jan 2021 18:51:06 GMT https://live.paloaltonetworks.com/t5/general-topics/zone-for-vpn/m-p/377718#M89375 FWPalolearner 2021-01-04T18:51:06Z https://live.paloaltonetworks.com/t5/general-topics/zone-for-vpn/m-p/377719#M89376 <P>Hello,</P> <P>I agree with&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/5300">@Brandon_Wertz</a>&nbsp;, keep it separate, that way you have more control as to who can do what. I would also keep the wired and wireless separate for the same reasons. Try to go with the smallest zero trust you can get away with. This will help prevent wide spread lateral movement and still control who has access to what resources.</P> <P>&nbsp;</P> <P>Regards,</P> Mon, 04 Jan 2021 18:56:44 GMT https://live.paloaltonetworks.com/t5/general-topics/zone-for-vpn/m-p/377719#M89376 OtakarKlier 2021-01-04T18:56:44Z https://live.paloaltonetworks.com/t5/general-topics/zone-for-vpn/m-p/377720#M89377 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/133520">@FWPalolearner</a>&nbsp;wrote:<BR /> <P>Hello <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/5300">@Brandon_Wertz</a>&nbsp;.thanks.</P> <P>&nbsp;</P> <P>Wired and wireless are separate currently because of historical reasons .</P> <P>Customer goal is to have single zone for corp users no matter from where they are coming wired wireless or through GP.</P> <P>&nbsp;</P> <P>I fully agree that having a separate zone for gp makes it more granular but that's the customer requirements.</P> <P>&nbsp;</P> <P>So you mean it is doable to have all in same zone I mean vlan subinterfaces plus loopback/ tunnel interface?</P> <P>&nbsp;</P> <P>&nbsp;</P> <HR /></BLOCKQUOTE> <P>Yes, there's not a technical limitation for having all be in the same zone, as long as the interface type match the zone.&nbsp; For instance L3 zone, but L2 Interface type.&nbsp; (I'm fairly certain they need to match.&nbsp; I know you can't have a vwire interface in a L3 zone.)</P> Mon, 04 Jan 2021 18:59:14 GMT https://live.paloaltonetworks.com/t5/general-topics/zone-for-vpn/m-p/377720#M89377 Brandon_Wertz 2021-01-04T18:59:14Z https://live.paloaltonetworks.com/t5/general-topics/zone-for-vpn/m-p/377833#M89404 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/133520">@FWPalolearner</a>,</P> <P>You're doing to exact opposite of what anyone would recommend you do from a security aspect, but since you're saying customer and not internal to your org the only thing you can do is advise the customer that it's not the best idea and explain the reasons why.</P> <P>The only technical reason that this wouldn't be doable is if you have to mix interface types as&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/5300">@Brandon_Wertz</a>&nbsp;mentioned. You can't have a zone contain mis-matched interface types. Short of that, there's not a technical reason you can't toss all of your interfaces into the same zone.</P> <P>&nbsp;</P> <P>The one thing that I would recommend if you do this, is that you make sure intrazone-default or any other intrazone rule you may have created is setup to log properly. Without overriding that setting, the firewall won't be logging much which could become a massive issue if you ever get called about the customer being breached.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 04 Jan 2021 23:56:58 GMT https://live.paloaltonetworks.com/t5/general-topics/zone-for-vpn/m-p/377833#M89404 BPry 2021-01-04T23:56:58Z