topic Zone for vpn? in General Topics

Zone for vpn?

AubreyCooper — Fri, 08 Jan 2021 12:54:12 GMT

Hello ,

We have currently three diffent zones defined .

Zone A vlan 100. For wired users

Zone B vlan 200 for wireless users

Zone V tunnel/ loopback interface for Global protect users.

All the above users mentioned are corp users.

Now customer wants to create. single zone called "All users" and want to put vlan 100 200 and loopback/ tunnel into it.

Is it wise to use same zone for GP users ?

Is it doable ? What are the challenges of we have a single common zone for user traffic ( wired+wireless+gp users )

Re: Zone for vpn?

MP18 — Sat, 09 Jan 2021 21:18:21 GMT

@AubreyCooper

You can assign same Interface to Multiple zones.

But Interface can be assigned to Single Zone only at one time.

You can assign same all 3 Interface to new zones.

I never done this but it is doable.

Also it is not recommended best practice as now if you want to segment the traffic between 3 different zones then you can not do that now.

Only thing if you have to worry about is VR if all 3 Interface are in same VR then you are good if they are in different VR then you need to modify the static routing in 3 VR's.

Regards

Re: Zone for vpn?

BPry — Sun, 10 Jan 2021 05:11:48 GMT

@AubreyCooper,

Did you ask this question last week in the GlobalProtect forum? If not, you can find the same discussion there within the past week.

In short, the only thing that would technically prevent you from doing this is if you have mixed interface types. You can't have an L3 zone with L2 interfaces or an L2 zone with L3 interfaces for example. As long as that isn't an issue in your environment, there's nothing preventing you from including all three of your interfaces in the same zone.

Now for whether or not it is a good idea or not, most people would say no. General consensus would be that you have your VPN traffic terminate on its own zone so that you have full control and visibility into what is access by users. In general from a security aspect, the more segmented you make your zones the more control you have over what goes where and you can make finer access controls.

Now to be perfectly clear, it isn't that you can't include all three interfaces in the same zone and still have a secure network. You can still override your intrazone-default policy to deny and manually build out intrazone security rulebase entries to control traffic. That generally isn't advisable because it's easier to accidently over-provision access or have traffic not getting logged when crossing the firewall. By default, PAN firewalls don't track intrazone traffic, it doesn't get logged at all, and it automatically allows the traffic. If you design things carefully you can have this be just as secure as using multiple different zones, it just generally takes more effort to do so.