topic Re: Block and Allow internet access for VLAN in switches sitting behind PA FW in General Topics

Block and Allow internet access for VLAN in switches sitting behind PA FW

isentric89 — Mon, 27 Sep 2021 06:37:29 GMT

Hi Support,

We have configured additional VLAN in our cisco core switches sitting behind PA FW.

I want to allow and block internet in certain VLAN, eg VLAN7 to allow and VLAN70 in the switches to block internet access.

Any procedures and where to check for this kind setup of situation in PA?

Thanks all !!

Re: Block and Allow internet access for VLAN in switches sitting behind PA FW

PavelK — Mon, 27 Sep 2021 08:09:12 GMT

Thank you for posting the question @isentric89

Probably the easiest way is to configure a new security policy and use as Source Address the subnet configured for Vlan 70 and application: "web-browsing" with the action: Deny, then place this rule on the top to make sure it will be hit first. If your default policy is to allow internet traffic, then you do not need to take any further action to explicitly allow internet for Vlan 7. If your default policy is to block everything, then do it over way around. Configure a new security policy and use as Source Address the subnet configured for Vlan 7 and application: "web-browsing" with the action: Allow.

You can confirm the desired outcome of the configuration from Traffic log.

Kind Regards

Pavel

Re: Block and Allow internet access for VLAN in switches sitting behind PA FW

isentric89 — Tue, 28 Sep 2021 22:57:18 GMT

Hi Pavel,

Thanks for the suggestion !! Appreciated it

Re: Block and Allow internet access for VLAN in switches sitting behind PA FW

PavelK — Tue, 28 Sep 2021 23:17:43 GMT

Thank you for reply @isentric89 If you get stuck with anything else do not hesitate to ask.