Is Zone Protection on Shared Gateways Supported

L2 Linker


I have a question regarding Zone Protection on zones in a shared gateway. Is it supported? When I try to configure it, it seems to be a valid configuration. However, as a shared gateway does not generate logs, where do the ZP logs go? Also, when I run the command "show zone-protection zone ?", the SG zones do not show in the list, so I can't collect stats for the zone protection.

I did try applying zone protection to the external zone which connects to the SG, but this gave a commit warning saying something about syn-cookie not being supported. Also, in my mind this would apply zone protection too late for it to be effective.

L7 Applicator

Re: Is Zone Protection on Shared Gateways Supported

Hi @CHammock

It is supported ... with some limitations (as you already saw in the commit warning).

https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/network/network-network-...

L2 Linker

Re: Is Zone Protection on Shared Gateways Supported

Thanks for the response. The link at least clears up the question of External Zone support in VSYS; however, are you able to confirm the question of whether Zone Protection profiles are supported on Layer 3 zones assigned to Shared Gateways? If so, where would you find the logs?

L7 Applicator

Re: Is Zone Protection on Shared Gateways Supported

I don't have any shared gateway configured on our firewalls. But the logs should be in the threat log if you have assigned a Log Forwarding profile to the zone.

And in the Monitor tab you probably have to select all virtual systems to view these logs, as they are not assigned to a specific vsys.

L2 Linker

Re: Is Zone Protection on Shared Gateways Supported

Just to clarify, my questions were based on a design I am putting forward, but in the end I decided to lab the functionality to be sure.

I have just tested this in the lab and have found the below:

1. As vsys_remo suggested, when you assign a zone protection profile to a zone in an SG it will log to the threat log if you change the Virtual System drop-down to "all". I have to say I didn't expect this, but it is a pleasant surprise. Obviously a Log Forwarding profile is only needed if you wish to forward those logs to an external log device like syslog.

2. The other thing I discovered regarding my point about the "show zone-protection" command: if you use "show zone-protection zone {zonename}" you will only be able to filter based on zones which belong to a VSYS, not an SG; however, if you just run the command "show zone-protection" it will list all the zone-protection states, including those from the SG zones.

Many thanks to vsys_remo for the guidance.
