Best way to block private ip's but make exception for 1 network.

L1 Bithead

Best way to block private ip's but make exception for 1 network.

I just upgraded from 4.0.7 to 4.1.6. Since this upgrade our monitoring server in the LAN 10.x.x.x/24 cannot browse to our web servers in the DMZ 192.168.X.X/24. It shows up as action blocked-url, with a category of private-ip-addresses. I have private-ip-addresses blocked in the URL filtering, but I have a custom URL category defined that allows access to 192.168.x.x/24. This worked before the upgrade. I can put the URL in the allowed list and it works, but I would like to find a way to allow access to the entire 192.168.x.x/24 network.

Any suggestions on the best way to do this?

Thanks,

Michael

L6 Presenter

Re: Best way to block private ip's but make exception for 1 network.

Since PA uses (the common) top-down first-match, you could set it up like this:

1)
srcip: 10.x.x.x/24
dstip: 192.168.X.X/24
appid: web-browsing (or whatever is being used)
action: allow

2)
srcip: 10.x.x.x/24
dstip: any
appid: web-browsing, ssl (and so on)
url-category: blocked_categories + manual blacklist
action: deny

3)
srcip: 10.x.x.x/24
dstip: any
appid: web-browsing, ssl (and so on)
url-category: allowed_categories
action: allow

L1 Bithead

Re: Best way to block private ip's but make exception for 1 network.

mikand,

Thanks. That looks good. I have a couple of questions.

Wouldn't I want to make the dstip: in #2) 192.168.0.0/16 so it would only block private IPs? Or am I reading this wrong?

Also, I mostly use the GUI for configuration. Where would I put this in?

Michael

L5 Sessionator

Re: Best way to block private ip's but make exception for 1 network.

Michael, you are correct. You will want to specify 192.168.0.0/16 per the RFC 1918 spec.

The above configuration examples should be configured in your security policy rules under Policies > Security.

L6 Presenter

Re: Best way to block private ip's but make exception for 1 network.

1) We allow the traffic from the client network to this DMZ no matter what the category is (you could of course put a limit on which categories should be allowed if you wish).

2) We deny globally the client network from reaching banned categories (or, for that matter, a manual blacklist).

3) We allow globally the client network to reach allowed categories.

4) Default deny + log (I didn't write this since it should be in all firewalls already)

The point here is that because PA is top-down first-match, HTTP/HTTPS traffic client -> DMZ will hit the first rule, and since that action is allow, the traffic will be allowed through.

Rule 2 above is like the "default" for the client network; we don't want them to visit, for example, malware sites or ad sites.

The third rule is more of a safety guard. The allowed categories should be the reverse of the banned categories. However, you can face situations (especially if you have more than these 3 rules) where a later rule would "override" what you thought you did earlier on in the rule chain.

The banned categories (rule 2) could also be just a manual blacklist, while rule 3 will be the "default" regarding which categories are allowed to be visited (so if the client tries to reach an uncategorized site it will be blocked if it's not in the URL DB, or, if you enable dynamic URLs, not available in the "cloud" regarding which category the URL belongs to).
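As an added illustration (not part of the thread or of any PAN-OS tooling), here is a small Python model of the top-down first-match evaluation described above, using assumed placeholder networks (10.0.1.0/24 for the LAN, 192.168.50.0/24 for the DMZ) and a constructed category lookup that reports every RFC 1918 destination as private-ip-addresses, as in the poster's log. It also demonstrates the "override" pitfall from the third rule's explanation: swapping rules 1 and 2 makes the DMZ traffic hit the category deny first.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 1918 ranges; used by the constructed category lookup below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def url_category(dst_ip: str) -> str:
    """Constructed stand-in for the URL filter's category lookup (assumption):
    any RFC 1918 destination is reported as private-ip-addresses."""
    ip = ipaddress.ip_address(dst_ip)
    return "private-ip-addresses" if any(ip in n for n in RFC1918) else "allowed_categories"


@dataclass
class Rule:
    name: str
    src: str
    dst: str
    apps: Tuple[str, ...]
    action: str
    categories: Optional[Tuple[str, ...]] = None  # None = any URL category

    def matches(self, src_ip: str, dst_ip: str, app: str, category: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and app in self.apps
                and (self.categories is None or category in self.categories))


# The three rules from the thread, with assumed placeholder networks for the x's.
RULES = [
    Rule("1-lan-to-dmz", "10.0.1.0/24", "192.168.50.0/24", ("web-browsing", "ssl"), "allow"),
    Rule("2-block-categories", "10.0.1.0/24", "0.0.0.0/0", ("web-browsing", "ssl"), "deny",
         ("private-ip-addresses", "malware")),
    Rule("3-allow-categories", "10.0.1.0/24", "0.0.0.0/0", ("web-browsing", "ssl"), "allow",
         ("allowed_categories",)),
]


def evaluate(rules, src_ip: str, dst_ip: str, app: str = "web-browsing") -> Tuple[str, str]:
    """Top-down first match; anything unmatched falls to the implicit default deny (rule 4)."""
    category = url_category(dst_ip)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, app, category):
            return rule.name, rule.action
    return "default", "deny"
```

Calling `evaluate(RULES, "10.0.1.20", "192.168.50.10")` returns the rule-1 allow even though the destination is categorized private-ip-addresses, while the same destination in 192.168.77.0/24 is denied by rule 2.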

L1 Bithead

Re: Best way to block private ip's but make exception for 1 network.

Thanks both of you for the information and ideas. I'm going to put this in tonight.
