I took over a Palo Alto Firewall and I noticed that there is a intrazone allow rule at the end for every single internal zone.
So source zone: internal zone xy
source address: any
destination zone: internal zone xy
dest address: any
these intrazone allow rules are placed before the intrazone default deny rule.
What do I need these intrazone allow rules for?
this may be legacy or possibly for logging reasons, or maybe a few zones are excempt from the intrazone policies ?
the default setting for the implied intrazonme policy at the endis to allow, so if yours is a deny, the previous admin changed that
The intrazone policy is used for any 'zoneX to zoneX' traffic, this could be traffic bouncing off an interface (lan1 to lan2 with a router in between) or ping/mgmt connections to the interface, proxyDNS connections, or multiple interfaces sharing a zone
you can also combine all the zones in one intrazone policy as the 'type' of intrazone will prevent bleeding
check out this blurb: What’s this security policy ‘type’ thing anyway?
I've seen other admins do this for logging purposes instead of modifying the default rules to log; talking to them some found this easier and others didn't know that you could modify the default rules at all. Maybe your old admin had them for the same reason?
So this really depends on the network and how it's actually setup. If the firewall sees the traffic, then you can interact with it exactly the same as you would a normal security policy.
Keep in mind however that if these aggregate on something such as a core/aggregation switch, you may not actually see the traffic pass on the firewall.
Well I did a ping and a trace route to the server on the same security zone but different subnets and the trace route showed one hop and it was to the server I don't want it to get to and the ping also reached it. When I look in the traffic logs I don't see any traffic going across the firewall. I think some thing are aggregated and from what I read the type of rule we are using is a universal rule so that should cover all types of rules including interzone and intrazone so changing it to intrazone would make no difference. Anyway you can block traffic that the PA does not see
I'd first verify that you are logging the intrazone-default policy, as by default these aren't set to log anything. However if you aren't seeing the traffic you would have to block this at the switch level, as that's where the traffic would be processing.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!