03-22-2012 02:42 PM
Typically, are these applied on the inbound direction or outbound direction of an interface?
And if you wanted to protect an entire zone/interface would you just apply it to any source and any destination?
For example if you wanted to apply Antivirus to a interface dedicated to your Wifi access devices?
Thanks
03-22-2012 03:32 PM
Rules are applied in the direction in which the session is expected to start.
If you have something like:
rule:1
srczone: WIFI
dstzone: INTERNET
srcip: x.x.x.x/24
dstip: any
appid: web-browsing
service: TCP80
action: allow
it means that WIFI-clients will be able to do web-browsing over TCP80 towards Internet (if they (the WIFI-clients) start the session).
However, if someone from INTERNET tries to initiate a session towards one of your WIFI-clients it will fail unless you allow that traffic as well, like:
rule:2
srczone: INTERNET
dstzone: WIFI
srcip: any
dstip: x.x.x.x/24
appid: web-browsing
service: TCP80
action: allow
Also note that PAN uses top-down first-match (similar to Cisco ACLs), which means that you cannot "combine" security rules. The first security rule (from the top of your rule list) which matches the traffic will be used to determine if the flow should be allowed or denied.
For example something like:
rule:1
srczone: any
dstzone: any
srcip: any
dstip: any
appid: any
service: any
security: antivirus
action: allow
rule:2
srczone: WIFI
dstzone: INTERNET
srcip: x.x.x.x/24
dstip: any
appid: web-browsing
service: TCP80
action: allow
just won't work as expected (if you expect the above to do antivirus for ALL traffic and then just allow web-browsing from WIFI to INTERNET), because your WIFI to INTERNET traffic will always match rule1, and rule1 allows any protocol (including unknown) in any direction (mostly a bad idea unless you set up PAN in a new environment and need to learn how the flows go before you set up default block and only allow what's expected to flow through your PAN).
The correct setup of the above would be:
rule:1
srczone: WIFI
dstzone: INTERNET
srcip: x.x.x.x/24
dstip: any
appid: web-browsing
service: TCP80
security: antivirus
action: allow
Also note that if you don't put any last rule there is an "invisible" rule that will drop/deny the traffic.
In order to have such traffic logged you need to manually set up an any/any deny+log rule like:
rule:<lastone>
srczone: any
dstzone: any
srcip: any
dstip: any
appid: any
service: any
action: deny
option: log (on session end)
Log on session end is preferred because PAN will then also know transmitted volume, start/end of session, and something else I always forget (appid?). During debugging, log on both session start AND session end could be nice, but in a large environment it will result in shitloads of logs.
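The following is an added example, not code from the original post or from Palo Alto Networks: a small Python model of the top-down first-match evaluation the answer describes. It reproduces the "broken" rulebase (any/any allow with antivirus first, the specific WIFI rule second), the corrected rulebase (specific allow with antivirus, followed by an explicit deny-all), and the invisible default deny that catches flows no rule matches. The network 10.10.0.0/24, the IP addresses, and the flows are constructed stand-ins for the x.x.x.x/24 in the post. `find_shadowed` is an extra, conservative check that goes beyond the post: it reports a rule as shadowed only when every field of an earlier rule is a superset of it.

```python
"""Model of first-match security policy evaluation (added example, not PAN-OS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "any"
MATCH_FIELDS = ("srczone", "dstzone", "srcip", "dstip", "appid", "service")


@dataclass
class Rule:
    name: str
    srczone: str = ANY
    dstzone: str = ANY
    srcip: str = ANY          # CIDR or "any"
    dstip: str = ANY          # CIDR or "any"
    appid: str = ANY
    service: str = ANY        # e.g. "TCP80"
    action: str = "allow"
    profiles: Tuple[str, ...] = ()   # security profiles, e.g. ("antivirus",)

    def matches(self, flow: dict) -> bool:
        """True when every rule field is 'any' or equals/contains the flow's value."""
        for field in ("srczone", "dstzone", "appid", "service"):
            want = getattr(self, field)
            if want != ANY and want != flow[field]:
                return False
        for field in ("srcip", "dstip"):
            want = getattr(self, field)
            if want != ANY and ip_address(flow[field]) not in ip_network(want):
                return False
        return True


@dataclass
class Verdict:
    rule: Optional[str]       # None means the implicit (unlogged) default deny
    action: str
    profiles: Tuple[str, ...]


DEFAULT_DENY = Verdict(rule=None, action="deny", profiles=())


def evaluate(rules: List[Rule], flow: dict) -> Verdict:
    """Top-down, first match wins; an unmatched flow hits the invisible deny."""
    for rule in rules:
        if rule.matches(flow):
            return Verdict(rule.name, rule.action, rule.profiles)
    return DEFAULT_DENY


def _covers(wide: str, narrow: str) -> bool:
    """Does the earlier rule's field value cover the later rule's value?"""
    if wide == ANY:
        return True
    if narrow == ANY:
        return False
    try:
        return ip_network(narrow).subnet_of(ip_network(wide))
    except ValueError:          # not an IP field (zone, appid, service)
        return wide == narrow


def find_shadowed(rules: List[Rule]) -> List[str]:
    """Names of rules that can never match because an earlier rule covers every field."""
    shadowed = []
    for i, later in enumerate(rules):
        if any(all(_covers(getattr(earlier, f), getattr(later, f)) for f in MATCH_FIELDS)
               for earlier in rules[:i]):
            shadowed.append(later.name)
    return shadowed


# Constructed sample data: the WIFI client network and two flows.
WIFI_NET = "10.10.0.0/24"
WIFI_WEB = {"srczone": "WIFI", "dstzone": "INTERNET", "srcip": "10.10.0.5",
            "dstip": "203.0.113.10", "appid": "web-browsing", "service": "TCP80"}
INBOUND_SSH = {"srczone": "INTERNET", "dstzone": "WIFI", "srcip": "198.51.100.7",
               "dstip": "10.10.0.5", "appid": "ssh", "service": "TCP22"}

# The ordering the post says "just won't work as expected".
BROKEN = [
    Rule("rule1", profiles=("antivirus",)),                      # any/any allow
    Rule("rule2", "WIFI", "INTERNET", WIFI_NET, appid="web-browsing", service="TCP80"),
]

# The corrected ordering, plus the explicit deny+log catch-all the post recommends.
CORRECT = [
    Rule("rule1", "WIFI", "INTERNET", WIFI_NET, appid="web-browsing",
         service="TCP80", profiles=("antivirus",)),
    Rule("deny-all", action="deny"),
]

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("correct", CORRECT)):
        print(label, "WIFI web:", evaluate(rules, WIFI_WEB))
        print(label, "inbound ssh:", evaluate(rules, INBOUND_SSH))
        print(label, "shadowed:", find_shadowed(rules))
```

Running it shows the point of the post: in BROKEN, rule2 is shadowed and the inbound SSH session from INTERNET is allowed by rule1; in CORRECT, WIFI web traffic hits rule1 with the antivirus profile and everything else lands on deny-all (or, with deny-all removed, on the invisible default deny that produces no log).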