New PA Purchase - Rules question and any tips?

nathan_gilmore — Mon, 31 Oct 2011 21:29:23 GMT

Recently purchased a PA2020 to replace our Cisco PIX 525. I'm in the process of auditing our cisco config and recreating it in the PA.

I'm looking for suggestions on how to allow applications inside to outside and outside to inside.

I only have two zones setup. inside-trust & outside-untrust

Can I just create one rule to allow skype that lists both zones on either side of the rule?

source

destination

name

zone

address

zone

address

application

rule1

inside-trust

outside-untrust

any

inside-trust

outside-untrust

any

skype

or is it better to have two rules and break it up for inside to outside and outside to inside?

name	zone	address	zone	address	application
		source	destination
rule1	inside-trust	any	outside-untrust	any	skype

name	zone	address	zone	address	application
		source	destination
rule2	outside-untrust	any	inside-trust	any	skype

Either way is fine with me, I'm just looking for best practices or if having both zones listed is a bad idea or even supported. Also if anyone has done this and found if it is a good idea or bad idea? Gaming is another example that relates to this question as I work at a university.

Thanks!

Re: New PA Purchase - Rules question and any tips?

zajilioss — Mon, 31 Oct 2011 22:12:09 GMT

better to have two rules.helps in troubleshooting...

Re: New PA Purchase - Rules question and any tips?

UKRB — Tue, 01 Nov 2011 00:01:40 GMT

I agree - two rules is much easier to troubleshoot. You can also find yourself shadowing rules quite easily if you combine them. The 'Show Unused Rule' feature is handy to use after a few days as you might fiind some rules you thought were required are completely redundant.

topic Re: New PA Purchase - Rules question and any tips? in General Topics

New PA Purchase - Rules question and any tips?

Re: New PA Purchase - Rules question and any tips?

Re: New PA Purchase - Rules question and any tips?