I got a health check report and according to it I have at least one "any" in every single rule I have on my firewall. I was just curious if anyone has been able to have at least one or more rules with no "any"s at all.
Yup, I have a few (excluding HIP profile). You just specify your zone and source address or source networks, destination zone and networks; you can select multiple of any of these. Specify users (I do groups in AD), then specify the applications or application filters, and there you go, a rule with no "ANY"s.
Hmmmm... interesting question and even more interesting first response. Not sure why you would specify a source IP address and a source zone, or a destination IP and destination zone, unless I am missing something obvious, but of course if you can then why not?
On call at the mo and a bit bored, so let me offer a curve ball: does anybody have a rule that consists of all "Any"? I must admit that I do.
It's a tough one and I begin to wonder what your rule number would have to be to eliminate all your "any"s. I was just surprised that we didn't even have one rule without "any"s.
The reason to do both Zone and IP, is firewall with many zones, and possibly multiple virtual routers!
I personally don't have a problem with an ANY in the right spot; sometimes you really don't need to be that specific. Some rules, you need to get VERY specific!
@Kaje... noted, and of course you are correct... my fault for assuming all networks were like ours: private, external and DMZ, with one vrouter.
I agree with using "any" where possible, as I always assumed that "any" implies "do nothing", thus less load on processing and easier diagnostics.
shame you are not using HIP, you could have hit the jackpot...
@jdprovine... strange you should say that.... we also have policies tied down to AD users and groups that can only traverse via the trusted interface, purely because of our setup, so... it's weird that we still add the trusted zone (but not IP subnets) to our policies, whereas we could just rely on AD. Must be a habit/confidence thing...
And yes, our ANY ANY ANY ANY ANY ANY ANY rule is the last. It's set to deny for diagnostics. I find this quite helpful as our other policies are logging session end only.
We do not log the above rule to Panorama for obvious reasons...
@MickBall you can override the default inter-zone deny rule (PAN-OS 6.1 and above) and set the log action to get the information from a 'deny all' rule. Currently your rule would deny intra-zone traffic as well.
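An added example, not from the thread or from Palo Alto Networks, of the kind of check the health report in the opening post performs: it walks a constructed rulebase, lists which match fields each rule leaves at "any", and flags whether the final rule is a catch-all deny (as in MickBall's post) or whether a catch-all allow exists anywhere. The field names and sample rules are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Match fields of a security rule that the health check scored; the order
# mirrors the "ANY ANY ANY ANY ANY ANY ANY" shorthand used in the thread.
RULE_FIELDS = ("from_zone", "source", "source_user", "hip_profile",
               "to_zone", "destination", "application", "service")


@dataclass
class Rule:
    name: str
    action: str                                  # "allow" or "deny"
    fields: Dict[str, List[str]] = field(default_factory=dict)


def any_fields(rule: Rule) -> List[str]:
    """Return the match fields this rule leaves at 'any' (missing == any)."""
    return [f for f in RULE_FIELDS
            if [v.lower() for v in rule.fields.get(f, ["any"])] == ["any"]]


def audit(rules: List[Rule]) -> dict:
    """Summarise 'any' usage across an ordered rulebase (first match wins)."""
    report = {"per_rule": {}, "no_any": [], "catch_all_allow": [],
              "catch_all_deny_last": False}
    for r in rules:
        anys = any_fields(r)
        report["per_rule"][r.name] = anys
        if not anys:
            report["no_any"].append(r.name)           # fully specified rule
        if len(anys) == len(RULE_FIELDS) and r.action == "allow":
            report["catch_all_allow"].append(r.name)  # permits everything
    last = rules[-1]
    report["catch_all_deny_last"] = (len(any_fields(last)) == len(RULE_FIELDS)
                                    and last.action == "deny")
    return report


# Constructed sample rulebase; object names and networks are placeholders.
SAMPLE_RULES = [
    Rule("ad-users-to-dmz-web", "allow", {
        "from_zone": ["trust"], "source": ["10.10.0.0/16"],
        "source_user": ["CORP\\web-users"], "hip_profile": ["managed-laptop"],
        "to_zone": ["dmz"], "destination": ["dmz-web-servers"],
        "application": ["web-browsing", "ssl"], "service": ["application-default"]}),
    Rule("dns-out", "allow", {
        "from_zone": ["trust"], "to_zone": ["untrust"],
        "destination": ["untrust-dns-servers"], "application": ["dns"],
        "service": ["application-default"]}),
    Rule("deny-all-log", "deny", {}),   # the trailing all-"any" deny rule
]
```

Running `audit(SAMPLE_RULES)` reports one rule with no "any" at all, three "any" fields on `dns-out`, and a catch-all deny in last position.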