https://live.paloaltonetworks.com/t5/general-topics/experience-feedback-with-vlan-insertion-design-for-east-west/m-p/438981#M99495 <P>Hello,</P><P>On some devices, I started with something like the following:</P><P>Source Zone: trust, Source User: AD group that has access, Destination, Zone and IP address of scada/device, enable threat prevention and disable url filtering.</P><P>With this I can limit the traffic to those who have access and then watch and see what applications if any are being discovered, then tune from there.</P><P>&nbsp;</P><P>The other thing I have seen is that some PAN models is that the amount of zones is limited. So I created a zone called something like IOT, and then set policies of source and destination IP's/subnets. Since I have a DENY ALL policy as my last rule, the intra zone traffic is blocked.&nbsp;</P><P>&nbsp;</P><P>Hope that helps a bit.</P> Tue, 05 Oct 2021 21:19:10 GMT OtakarKlier 2021-10-05T21:19:10Z https://live.paloaltonetworks.com/t5/general-topics/experience-feedback-with-vlan-insertion-design-for-east-west/m-p/438966#M99494 <P>Experience/feedback with VLAN insertion design for East-West traffic segregation</P><P>&nbsp;</P><P>We are planning to leverage the VLAN insertion design for achieving micro segmentation in out OT network.&nbsp;</P><P>&nbsp;</P><P>just thought of checking within the Live community team for any feedback, caveats&nbsp; based on your experience with similar implemetation. Thank you.</P><P>&nbsp;</P><P><A href="https://www.paloaltonetworks.com/resources/whitepapers/applying-vlan-insertion-in-ics-scada" target="_blank" rel="noopener">https://www.paloaltonetworks.com/resources/whitepapers/applying-vlan-insertion-in-ics-scada</A>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PratheeshP_0-1633468112522.jpeg" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/36841iAE3C3AAFBD797AFB/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="PratheeshP_0-1633468112522.jpeg" alt="PratheeshP_0-1633468112522.jpeg" /></span></P><P>&nbsp;</P> Tue, 05 Oct 2021 21:08:45 GMT https://live.paloaltonetworks.com/t5/general-topics/experience-feedback-with-vlan-insertion-design-for-east-west/m-p/438966#M99494 PratheeshP 2021-10-05T21:08:45Z https://live.paloaltonetworks.com/t5/general-topics/experience-feedback-with-vlan-insertion-design-for-east-west/m-p/438981#M99495 <P>Hello,</P><P>On some devices, I started with something like the following:</P><P>Source Zone: trust, Source User: AD group that has access, Destination, Zone and IP address of scada/device, enable threat prevention and disable url filtering.</P><P>With this I can limit the traffic to those who have access and then watch and see what applications if any are being discovered, then tune from there.</P><P>&nbsp;</P><P>The other thing I have seen is that some PAN models is that the amount of zones is limited. So I created a zone called something like IOT, and then set policies of source and destination IP's/subnets. Since I have a DENY ALL policy as my last rule, the intra zone traffic is blocked.&nbsp;</P><P>&nbsp;</P><P>Hope that helps a bit.</P> Tue, 05 Oct 2021 21:19:10 GMT https://live.paloaltonetworks.com/t5/general-topics/experience-feedback-with-vlan-insertion-design-for-east-west/m-p/438981#M99495 OtakarKlier 2021-10-05T21:19:10Z https://live.paloaltonetworks.com/t5/general-topics/experience-feedback-with-vlan-insertion-design-for-east-west/m-p/439015#M99501 <P>thank you for your reply. I agree with your comment on the Zone dependency per FW hardware.</P><P>Based on your experience, any comment on the below items:</P><UL><LI>What will be the SVI for VLAN for Layer 3 communication to outside segments?<UL><LI>I am planning to configure all my OT systems in the current segment to a dedicated VLAN per connected port, trunked to FW (VLAN insertion). Not sure how the SVI Gateway (Layer 3) will be required on the FW?</LI></UL></LI><LI>How broadcast and multi-cast will be handled?</LI></UL> Wed, 06 Oct 2021 00:29:19 GMT https://live.paloaltonetworks.com/t5/general-topics/experience-feedback-with-vlan-insertion-design-for-east-west/m-p/439015#M99501 PratheeshP 2021-10-06T00:29:19Z