Apply policy security on vlan


L2 Linker

Hello

Please, I need an answer as soon as possible. Can I apply a security policy rule on VLANs? For example, let VLAN 10 connect to Facebook, but block Facebook for VLAN 20??

10 replies

L3 Networker

Hi Hamza,

Short answer is yes, you can. Do the different VLANs have different zones?

If they do, just apply the src zone as required in your rules.

If they don't, you can separate them using an address object range if the VLANs have different subnets.

ref:

here's a link of a guy setting up a PA-200, using VLANs and rules for the VLAN

https://live.paloaltonetworks.com/t5/Configuration-Articles/Setting-Up-the-PA-200-for-Home-and-Small...

here's a link for creating an address range if there are no separate zones for the VLANs

https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/objects/objects-addresse...

cheers

Rob

Community Team Member

Hi @hamza_ineos,

Yes you can.

Just use different zones per VLAN and you can control your policies based on those zones.

The following getting started guides should be very helpful for you:

Getting-Started-Layer-2-Interfaces

Getting-Started-Layer-3-Subinterfaces

Cheers!

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

thank you very much brothers

I still have some questions, please. We have 2 scenarios in our deployment:

1- creating the VLAN in the Palo Alto firewall, and then managing it from the firewall.

2- or creating the VLANs on the Cisco switch; in this case, can the firewall apply the security rule on the VLANs created on the Cisco switch? (Important question.)

Which of these 2 scenarios is the best practice??

Please, if it's possible, give me the advantages/disadvantages of creating the VLAN on the Palo Alto and not on the Cisco switch!!

And what are the advantages/disadvantages of creating the VLAN on the Cisco switch and not on the Palo Alto!!

Community Team Member

Hi @hamza_ineos,

Personally, I don't think it's a matter of which is best practice ...

Both are valid ways to configure. You'll just need to decide on a design that best fits your network and configure the firewall/switch accordingly.

Cheers!

-Kiwi.


Thanks for your answer, bro 🙂

Then, if I create the VLANs on the Cisco switch, can the firewall apply the security rule on the VLANs created on the Cisco switch?

Community Team Member

Hi @hamza_ineos,

Yes, you can use tags and zones for this.

It's explained in the 2nd link I posted earlier: Getting-Started-Layer-3-Subinterfaces

Cheers!

-Kiwi.

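As an added example, not taken from any of the posts above, here are PAN-OS CLI set commands for the tags-plus-zones approach Kiwi points to, applied to the original VLAN 10 / VLAN 20 Facebook case: one Layer 3 subinterface per 802.1Q tag arriving from the switch trunk, one zone per subinterface, and security rules matched on source zone. The interface names, zone names, virtual router and the firewall-side addresses are assumptions; lines beginning with `#` are annotations, not commands.

```text
# Assumed: ethernet1/1 is the trunk to the Cisco switch, ethernet1/2 faces the
# Internet, virtual router "default", firewall-side addresses 10.1.1.254/24 and
# 10.1.2.254/24 (chosen not to collide with any address the switch itself uses).

# One Layer 3 subinterface per VLAN tag coming from the switch trunk
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.10 tag 10
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.10 ip 10.1.1.254/24
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.20 tag 20
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.20 ip 10.1.2.254/24

# Put the subinterfaces (and the outside interface) in the virtual router
set network virtual-router default interface [ ethernet1/1.10 ethernet1/1.20 ethernet1/2 ]

# One zone per VLAN so policy can be written against the source zone
set zone vlan10-zone network layer3 ethernet1/1.10
set zone vlan20-zone network layer3 ethernet1/1.20
set zone untrust network layer3 ethernet1/2

# VLAN 10 may reach Facebook
set rulebase security rules allow-facebook-vlan10 from vlan10-zone to untrust source any destination any application facebook-base service application-default action allow

# VLAN 20 may not. Rules are evaluated top-down in creation order, so the deny
# is created before the broader web allow for the same zone.
set rulebase security rules block-facebook-vlan20 from vlan20-zone to untrust source any destination any application facebook-base service application-default action deny
set rulebase security rules allow-web-vlan20 from vlan20-zone to untrust source any destination any application [ web-browsing ssl ] service application-default action allow

commit
```

Traffic from each VLAN is then classified by the zone of the subinterface it arrived on, so the switch keeps owning the VLANs while the firewall enforces per-VLAN policy.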

Hi @kiwi

Thank you very much for the help!

This tutorial is very nice, but I have a question. I see in the tutorial that we must give an IP address to the VLAN (in the Palo Alto); is this IP address the same one that I gave to this VLAN when I created it on the Cisco switch?

ex: I create a VLAN 10 on the Cisco switch with IP address 10.1.1.1/24; then must I create a subinterface on the Palo Alto with tag 10 and IP address 10.1.1.1/24??

thanks a lot

where are you brother @kiwi, please, I need an answer to my previous question

Hi Mate,

someone asked a similar question below here; [check out the comments at the bottom]

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-3-Subinterfaces/ta-p/67...

generally you can always test it one way or the other if not sure. best way to learn as well.

cheers

rob

thank you very much bro 🙂
