- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
11-07-2017 04:13 AM
Hello
Plz i need ansewr as soon as possible, can i apply the security policy rule on vlans ? for exepmle let vlan 10 connect to facebook, but bloc facebook for vlan20 ??
11-07-2017 05:10 AM
Hi Hamza,
Short answer is yes you can. Does the different vlans have different zones ?
If they do just apply the src zone as required in your rules.
If they don't can seperate it using an address object range if the vlans have different subnets.
ref :
here's a link of a guy setting up a pa-200, using vlans and rules for the vlan
here's a link for creating address range if no seperate zones for the vlans
cheers
Rob
11-07-2017 05:11 AM
Hi @hamza_ineos,
Yes you can.
Just use different zones per vlan and you can control your policies based on those zones.
The following getting started guides should be very helpful for you :
Getting-Started-Layer-2-Interfaces
Getting-Started-Layer-3-Subinterfaces
Cheers !
-Kiwi.
11-07-2017 02:11 PM - edited 11-07-2017 02:12 PM
thank you very much brothers
i still have some questions plz, we have 2 scénarios in our deployment:
1-creating the vlan in PaloAlto firwall, and then manage it from the firewall.
2-or create the vlans on the cisco switch, in this case can the firwall apply the security rule on the vlans created in cisco switch ? (Important question).
witch of the this 2 sénarios is the best practice ??
plz if it's possible give me what the advantage/disadvantage of creating vlan on paloalto and not on cisco switch !!
and what the advantage/disadvantage of creating vlan on cisco switch and not on paloalto !!
11-08-2017 12:40 AM
Hi @hamza_ineos,
Personally, I don't think it's a matter of which is best practice ...
Both are valid ways to configure. You'll just need to decide on a design that best fits your network and configure the firewall/switch accordingly.
Cheers !
-Kiwi.
11-08-2017 01:09 AM
thnk for you ansewr bro 🙂
Then if i create the vlans on the cisco switch, in this case can the firwall apply the security rule on the vlans created in cisco switch ?
11-08-2017 01:17 AM
Hi @hamza_ineos,
Yes, you can use tags and zones for this.
It's explained in the 2nd link I posted earlier : Getting-Started-Layer-3-Subinterfaces
Cheers !
-Kiwi.
11-08-2017 02:49 AM
Hi @kiwi
Thank very much for help!
this tutorial is very nice, but i have a question, i see in the toturial that we must give an ip adresse for the vlan(in paloalto), this adresse ip is the same that i gave it to this vlan when i created in cisco switch ?
ex: i create a vlan10 on cisco switch with ip adresse: 10.1.1.1/24, then i must create a subinterface in palo alto with the tag 10, and the adresse ip : 10.1.1.1/24 ??
thanks a lot
11-08-2017 07:17 AM
where are you brother @kiwi , plz i need answer for my previous question
11-08-2017 01:48 PM - edited 11-08-2017 01:48 PM
Hi Mate,
someone asked a similiar question below here; [check out the comments at the bottom]
generally can always test it one way or the other if not sure. best way to learn aswell.
cheers
rob
11-09-2017 02:11 AM
thank you very much bro 🙂
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!