Looking for some rule guidance

L1 Bithead

Looking for some rule guidance

Hello all,


I'm trying to get some access restricted to a few subnets that fall into our /16 range that we currently have in our Palo. The way it would look is we would have 2 subnets smack in the middle of the /16 where we only want to allow access to a handful of hosts in that subnet, yet block everything else in that range. To explain it more clearly, we currently have access from our DC servers to all the subnets contained within a superset of 192.168.0.0/16. That means the DCs can get to all hosts behind this range and do what they need to. It's been determined that a couple of /24s need to have access restricted to them, say the 192.168.2.0/24 and 192.168.100.0/24 ranges, allowing the DCs to access a few hosts in those ranges while excluding the remainder of hosts in 192.168.2.0 and 192.168.100.0. Everything else would remain the same. The way I've figured to do it is to clone the rule and do some subnetting that allows that same access, but carves around the 192.168.2.0 and 192.168.100.0 subnets, except for those hosts in those ranges. Would that be how you guys tackle that, or is there a cleaner way to do it that I'm not thinking of? Any guidance is appreciated, thank you!

L7 Applicator

Re: Looking for some rule guidance

@John_Braswell,

Before we start looking at the rule, are you even sure it'll work and would actually traverse the firewall? Depending on your larger network configuration this may not function regardless of what security policies you make.

L1 Bithead

Re: Looking for some rule guidance

Yes, I'm sure it would. The firewall is the gateway for the DCs and they reach out to other subnets; the /16 is subnetted into several dozen networks, all in different security zones and even across different geographical locations. As far as working, it *should*, but I'm not certain it will.

L1 Bithead

Re: Looking for some rule guidance

And the answer was right in my face. The subnets I need to exclude are in the same security zone, so I can make a rule that specifically says talk to these hosts in that zone, then a general rule that calls all of my other zones, without the zone in the previous rule, and that should kill the unwanted access. Sometimes it helps to just talk it out. Thanks everybody!!
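The two approaches in this thread (the original poster's "clone the rule and subnet around the two /24s" idea, and the zone-based pair of rules in the final post) can both be checked offline before touching the firewall. The script below is an added example and is not from the thread or from Palo Alto; it uses Python's standard `ipaddress` module to compute the carve-out CIDR list and then runs a first-match policy lookup over both rule sets. The zone names (`dc`, `servers-restricted`, `users`, `servers-general`, `branch-a`) and the three "allowed" host addresses are constructed for the example; the 192.168.0.0/16, 192.168.2.0/24 and 192.168.100.0/24 values come from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set

# Values from the thread: the /16 supernet and the two /24s to restrict.
SUPERNET = ipaddress.ip_network("192.168.0.0/16")
RESTRICTED = [ipaddress.ip_network("192.168.2.0/24"),
              ipaddress.ip_network("192.168.100.0/24")]
# Constructed for the example: the handful of hosts the DCs may still reach.
ALLOWED_HOSTS = [ipaddress.ip_network(h) for h in
                 ("192.168.2.10/32", "192.168.2.11/32", "192.168.100.25/32")]


def carve_out(supernet, excluded):
    """Minimal CIDR list covering `supernet` minus every network in `excluded`.

    This is the 'clone the rule and subnet around the /24s' approach: each
    exclusion splits the block it lives in, so the list grows per exclusion.
    """
    remaining = [supernet]
    for ex in excluded:
        nxt = []
        for net in remaining:
            if ex.subnet_of(net):
                nxt.extend(net.address_exclude(ex))  # split net, drop ex
            elif net.subnet_of(ex):
                continue                              # net lies wholly inside ex
            else:
                nxt.append(net)
        remaining = nxt
    return sorted(remaining)


def covers(nets, host):
    """True if `host` falls inside any network in `nets`."""
    ip = ipaddress.ip_address(host)
    return any(ip in n for n in nets)


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zones: Set[str]                       # "*" in the set means any zone
    destinations: List[ipaddress.IPv4Network]
    action: str


def evaluate(rules, from_zone, to_zone, dst):
    """First-match lookup; no match falls through to the implicit deny."""
    ip = ipaddress.ip_address(dst)
    for r in rules:
        if r.from_zone != from_zone:
            continue
        if "*" not in r.to_zones and to_zone not in r.to_zones:
            continue
        if any(ip in n for n in r.destinations):
            return r.name, r.action
    return "interzone-default", "deny"


# Constructed zone names for the example.
RESTRICTED_ZONE = "servers-restricted"
OTHER_ZONES = {"users", "servers-general", "branch-a"}

# Variant A: address-based carve-out (original poster's plan). Zone is ignored.
ADDRESS_POLICY = [
    Rule("dc-to-restricted-hosts", "dc", {"*"}, ALLOWED_HOSTS, "allow"),
    Rule("dc-to-everything-else", "dc", {"*"},
         carve_out(SUPERNET, RESTRICTED), "allow"),
]

# Variant B: zone-based (the final post). Rule 2 omits the restricted zone,
# so anything in that zone not listed in rule 1 hits the implicit deny.
ZONE_POLICY = [
    Rule("dc-to-restricted-hosts", "dc", {RESTRICTED_ZONE}, ALLOWED_HOSTS, "allow"),
    Rule("dc-to-other-zones", "dc", set(OTHER_ZONES), [SUPERNET], "allow"),
]


if __name__ == "__main__":
    for n in carve_out(SUPERNET, RESTRICTED):
        print(n)
    for pol, label in ((ADDRESS_POLICY, "address"), (ZONE_POLICY, "zone")):
        for host in ("192.168.2.10", "192.168.2.50", "192.168.50.7"):
            zone = RESTRICTED_ZONE if covers(RESTRICTED, host) else "users"
            print(label, host, evaluate(pol, "dc", zone, host))
```

Carving two /24s out of a /16 leaves 13 destination objects in the second rule, and every further exclusion adds more; the zone-based variant stays at two rules. The zone approach only holds if the restricted zone contains nothing but the subnets you mean to restrict, so it is worth confirming zone membership of those /24s before relying on it.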
