Allowing any traffic that comes from a specific palo alto device

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Allowing any traffic that comes from a specific palo alto device

L0 Member

Hello

 

Assume 2 local firewalls in a set of firewalls, all managed by same Panorama. One is protecting ATM firewall and the other is DC Server firewall.

ATM 's get their IP 's from branches so they are very random, and routing is basically like 10.0.0.0/8 ge 27 le 30 and 10.0.0.0/8 ge 29 le 30. So we dont know IP, Range, subnet for a firewall rule, they are very random. If we try to make a list it would not be maintainable.

We accept the risk while writing a firewall policy on atm firewall, where as we define source or destination "any" for specific addresses / ports.

The problem occurs when we need to give access from DC firewall. Because we cant write destination of ATM 's, we have to write a rule which basically is like from:serverip to:any port:x, which applies to "all" traffic going outside of DC server firewall from this ip, regardless of being sent to atm firewall.

I am looking for a way to manage this, like allow traffic from server ip to any destination, only if the destination is on atm firewall. Can we manage this via zones / tags or else. Firewalls are vwire.

 

Thanks in advance

Regards

 

 

3 REPLIES 3

L6 Presenter

@orkun.yalcin  How your DC firewall is connected to ATM firewall ? If it is over dedicated interface then you can have dedicated zone on the interface and write zone based policy with any destination addresses to allow ATM destinations.

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks

Nope unfortunately there is no dedicated interface for this.

@orkun.yalcin,

Then how are they connected?

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks
  • 3203 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!