Assume 2 local firewalls in a set of firewalls, all managed by the same Panorama. One is protecting ATMs (the ATM firewall) and the other is the DC Server firewall.
ATMs get their IPs from branches, so they are very random, and routing is basically like 10.0.0.0/8 ge 27 le 30 and 10.0.0.0/8 ge 29 le 30. So we don't know the IP, range or subnet for a firewall rule; they are very random. If we tried to make a list, it would not be maintainable.
We accept the risk when writing a firewall policy on the ATM firewall, where we define source or destination "any" for specific addresses / ports.
The problem occurs when we need to give access from the DC firewall. Because we can't write the destination of the ATMs, we have to write a rule which is basically from: server IP, to: any, port: x, which applies to "all" traffic going outside of the DC server firewall from this IP, regardless of whether it is being sent to the ATM firewall.
I am looking for a way to manage this, like allowing traffic from the server IP to any destination, only if the destination is on the ATM firewall. Can we manage this via zones / tags or something else? Firewalls are vwire.
Thanks in advance
@orkun.yalcin How is your DC firewall connected to the ATM firewall? If it is over a dedicated interface, then you can have a dedicated zone on the interface and write a zone-based policy with any destination address to allow ATM destinations.
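The zone-scoped approach from the reply, written out as an added example in PAN-OS set-command style (this is not configuration from the thread or from Palo Alto Networks; interface numbers, zone, address, service and rule names are assumptions, and the exact attributes a security rule requires vary by PAN-OS version). The over-broad rule from the question sits beside the zone-scoped replacement so the difference in match scope is visible.

```text
## Constructed example for the vwire DC Server firewall; all names below are assumptions.
## On Panorama the rules belong in the device group's pre-rulebase rather than the local rulebase.

# Dedicated vwire pair for the link that carries traffic toward the ATM firewall
set network interface ethernet ethernet1/3 virtual-wire
set network interface ethernet ethernet1/4 virtual-wire
set network virtual-wire VW-ATM interface1 ethernet1/3 interface2 ethernet1/4

# Zones: the server side, and a zone that exists only on the ATM-facing interface
set zone DC-Servers network virtual-wire ethernet1/3
set zone ATM-Link network virtual-wire ethernet1/4

# Placeholders for the server IP and port referred to in the question
set address DC-App-Server ip-netmask 10.20.30.40/32
set service ATM-App-Port protocol tcp port 8443

# Over-broad rule as described in the question: destination zone "any" and
# destination address "any" match every egress from the server, wherever it goes.
set rulebase security rules DC-to-Anywhere from DC-Servers to any source DC-App-Server destination any application any service ATM-App-Port action allow

# Zone-scoped replacement: destination address stays "any" because ATM addresses
# cannot be enumerated, but the rule only matches packets leaving via the ATM-facing zone.
# Traffic from the same server toward any other zone no longer matches and falls through.
set rulebase security rules DC-to-ATM from DC-Servers to ATM-Link source DC-App-Server destination any application any service ATM-App-Port action allow
delete rulebase security rules DC-to-Anywhere

# Some PAN-OS versions additionally require source-user, category and HIP attributes
# (e.g. "source-user any") before the rule will commit; check with "show rulebase security".
```

After commit, the traffic log should show sessions from DC-App-Server hitting DC-to-ATM only when the egress zone is ATM-Link, which is the check that confirms the scoping works.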