The dreaded any

L4 Transporter

The dreaded any

I got a health check report, and according to it I have at least one any in every single rule I have on my firewall. I was just curious if anyone has been able to have at least one or more rules with no any's at all.

L2 Linker

Re: The dreaded any

Yup, I have a few (excluding HIP profile): you just specify your zone and source address or source networks, destination zone and networks; you can select multiple of any of these. Specify users (I do groups in AD), then specify the applications or application filters, and there you go, a rule with no "ANYs".

L7 Applicator

Re: The dreaded any

Hmmmm... interesting question, and even more interesting first response. Not sure why you would specify a source IP address and a source zone, or a destination IP and destination zone, unless I am missing something obvious, but of course if you can, then why not?

On call at the mo and a bit bored, so let me offer a curve ball: does anybody have a rule that consists of all "Any"? I must admit that I do.

L4 Transporter

Re: The dreaded any

@MickBall

It's a tough one, and I begin to wonder what your rule number would have to be to eliminate all your any's. I was just surprised that we didn't even have one rule without any's.

L2 Linker

Re: The dreaded any

The reason to do both zone and IP is a firewall with many zones, and possibly multiple virtual routers!

I personally don't have a problem with an ANY in the right spot; sometimes you really don't need to be that specific. For some rules, you need to get VERY specific!

L4 Transporter

Re: The dreaded any

I believe that best practices indicate having as specific a rule as possible for higher security, but obviously that isn't always possible.

L7 Applicator

Re: The dreaded any

@Kaje... noted, and of course you are correct... my fault for assuming all networks were like ours: private, external and DMZ, with one vrouter.

I agree with using "any" where possible, as I always assumed that any implies "do nothing", thus less load on processing and easier diagnostics.

Shame you are not using HIP; you could have hit the jackpot...

L7 Applicator

Re: The dreaded any

@jdprovine... strange you should say that... we also have policies tied down to AD users and groups that can only traverse via the trusted interface, purely because of our setup, so... it's weird that we still add the trusted zone (but not IP subnets) to our policies, whereas we could just rely on AD. Must be a habit/confidence thing...

L7 Applicator

Re: The dreaded any

And yes, our ANY ANY ANY ANY ANY ANY ANY rule is the last. It's set to deny for diagnostics. I find this quite helpful, as our other policies are logging session end only.

We do not log the above rule to paranormal, for obvious reasons...

L4 Transporter

Re: The dreaded any

@MickBall you can override the default inter-zone deny rule (PAN-OS 6.1 and above) and set the log action to get the information from a 'deny all' rule. Currently your rule would deny intra-zone traffic as well.
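To make two points in this thread concrete (the "any" count per rule that the health check in the opening post complains about, and why a trailing all-any deny behaves differently from the built-in default rules mentioned in the reply above), here is an added Python example. It is not code from the thread or from Palo Alto Networks. It parses a constructed rulebase in the XML layout PAN-OS uses for security rules, reports which match fields of each rule are "any", and evaluates constructed flows first-match, falling through to the intrazone-default (allow) and interzone-default (deny) behaviour when nothing matches. Service matching is simplified, and HIP profiles, URL categories and schedules are not modelled.

```python
"""Audit a PAN-OS style rulebase for 'any' fields and compare a trailing
catch-all deny with the built-in default rules.  Added example for this
thread, not Palo Alto Networks code; the XML and flows are constructed."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed rulebase: one specific rule and an all-'any' deny at the end.
RULEBASE_XML = """
<rules>
  <entry name="users-to-web">
    <from><member>trust</member></from>
    <to><member>untrust</member></to>
    <source><member>10.10.0.0/16</member></source>
    <destination><member>any</member></destination>
    <source-user><member>web-users</member></source-user>
    <application><member>web-browsing</member><member>ssl</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
  </entry>
  <entry name="catch-all-deny">
    <from><member>any</member></from>
    <to><member>any</member></to>
    <source><member>any</member></source>
    <destination><member>any</member></destination>
    <source-user><member>any</member></source-user>
    <application><member>any</member></application>
    <service><member>any</member></service>
    <action>deny</action>
  </entry>
</rules>
"""

MATCH_FIELDS = ("from", "to", "source", "destination",
                "source-user", "application", "service")

# Constructed flows (hypothetical addresses, users and zones).
WEB_FLOW = {"src_zone": "trust", "dst_zone": "untrust", "src_ip": "10.10.1.1",
            "dst_ip": "203.0.113.10", "user": "web-users", "app": "web-browsing"}
INTRAZONE_FLOW = {"src_zone": "trust", "dst_zone": "trust", "src_ip": "10.10.5.5",
                  "dst_ip": "10.10.9.9", "user": "someone", "app": "ms-ds-smb"}

def parse_rules(xml_text):
    """Rules in rulebase order as dicts: name, action, and field -> [members]."""
    rules = []
    for entry in ET.fromstring(xml_text).findall("entry"):
        rule = {"name": entry.get("name"), "action": entry.findtext("action", "deny")}
        for field in MATCH_FIELDS:
            members = entry.findall(f"{field}/member")
            rule[field] = [m.text.strip() for m in members] or ["any"]
        rules.append(rule)
    return rules

def any_fields(rule):
    """Match fields set to 'any', which is what the health check counts."""
    return [f for f in MATCH_FIELDS if rule[f] == ["any"]]

def audit(rules):
    """Rule name -> list of 'any' fields; an empty list means fully specified."""
    return {r["name"]: any_fields(r) for r in rules}

def without_catch_all(rules):
    """Same rulebase minus rules that are 'any' in every field."""
    return [r for r in rules if any_fields(r) != list(MATCH_FIELDS)]

def _addr_match(members, ip):
    addr = ipaddress.ip_address(ip)
    return members == ["any"] or any(addr in ipaddress.ip_network(m, strict=False) for m in members)

def _list_match(members, value):
    return members == ["any"] or value in members

def matches(rule, flow):
    """True if the flow hits this rule.  Service is simplified: 'any' or
    'application-default' counts as a match; explicit ports are not modelled."""
    return (_list_match(rule["from"], flow["src_zone"])
            and _list_match(rule["to"], flow["dst_zone"])
            and _addr_match(rule["source"], flow["src_ip"])
            and _addr_match(rule["destination"], flow["dst_ip"])
            and _list_match(rule["source-user"], flow["user"])
            and _list_match(rule["application"], flow["app"])
            and any(s in ("any", "application-default") for s in rule["service"]))

def evaluate(rules, flow):
    """First match wins; with no match, fall through to the built-in defaults:
    intrazone-default allows same-zone traffic, interzone-default denies the rest."""
    for rule in rules:
        if matches(rule, flow):
            return rule["name"], rule["action"]
    if flow["src_zone"] == flow["dst_zone"]:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"

if __name__ == "__main__":
    rules = parse_rules(RULEBASE_XML)
    for name, fields in audit(rules).items():
        print(f"{name}: any in {fields or 'no fields'}")
    print("intrazone, with catch-all:   ", evaluate(rules, INTRAZONE_FLOW))
    print("intrazone, without catch-all:", evaluate(without_catch_all(rules), INTRAZONE_FLOW))
```

Run as-is it prints the per-rule "any" list and shows that the same trust-to-trust flow is denied by the catch-all rule but allowed by intrazone-default once that rule is removed, which is the difference the reply above points at: overriding the default rules to log keeps the default intrazone behaviour, while an explicit all-any deny does not.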
