Let me preface this discussion questionb by acknowleding that I've inherited a PAN configuration that I know has issues.
With that said, I'm noticing that some devices do not get the correct policies applied when others that are in the same groups do.
I'm going to ask a question that may be WAY too generic. If it is, please tell me so and I will get on a support call. I've just had much better response times and better luck with everyone here.
The question is do you guys think the reason some devices get different policies has anything at all to do with the way our network is configured or does this have to be a PAN configuration issue?
I guess I should have used different terminology. I have IP address groups configured for each of my locations that correspond to the IP subnets of each of my buildings.
Some IP addresses (end-user devices) do not get the policies applied that are assigned to their respective IP group on the PAN while others do.
For instance, one IP will get a policy applied that blocks an application while another IP in that same group will "skip" that policy and get the default policy that resides at the very bottom of my policy list.
Does that help?
Personally, I avoid using "IP Groups" if at all possible (they have their place). If you can, utilize the zones themselves instead and if you want to be more granular, start making rules based on user/grp and app-id. I just have a feeling you are trying to use your PA like a traditional port/protocol firewall. Would this be a correct assumption?
Well, not really.
I use appID, but was trying to use IP groups to be sure I was catching all the devices while we work on getting userID identifying users correctly. There are multiple things keeping userID from working correctly. Some of those things are network related. So, I'm only using the IP groups temporarily while we get userID working.
How are your zones configured? Do you have a zone that covers each network segment or something?
I usually break up my network into VRFs based on my zones. This way the Firewall is only used to inspect traffic between VRFs (ie - userVRF & serverVRF). Then I will make some generic zone based rules to catch the bulk of traffic and then get more specific if I need to. I also try to remove my Firewalls from being the gateway on a VLAN so they are fully routed which allows me to be more dynamic and do things like anycast a default route at different locations. Of course with a smaller organization, this kind of thing is overkill. Really depends on your use case.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!