So I have 3 locations (DC), Internet access , Vendor access, environment (Prod, Uat etc) and user and support users and dmz and ...
should each of these be a zone ??? I am thinking not, after have a bit of a play, you can't make dynamic zones from tags.
So I am thinking
zone_internet - where the interface talks to the internet
zone_vendor - where there interface talk to my Vendor network
zone_int - anything inside.
zone - guest - i have a guest wifi network - sort of internet ....
a zone prod - to add extra protection around prod ??? or just use address groups
zone - staff << probably most dangerious group :)
zone - support staff << nearly as dangerious as the above
Keep in mind that if you want a flow move from on zone to another, you need a security rule.
Then more you have zone more you hace security policies and potentially more you have to provide support and more it's difficult to maintain.
If you work in a bank, for sure you need more zone than if you are a small company ...
Then there is no worldwide best best practice ...
Just see a zone as a Trust group .... group in zone computer with same trust level.
you can be pretty flexible with the amount of zones you use as long as you take into account there are 2 default rules at the end of the security policy that allow intrazone and block interzone sessions
so to prevent unchecked cross-talk, you'll want to create your own intrazone policies
Another thing to consider is the limit on the number of zones you PAN can support. To aleviate this and still lock things down, you can use a combination, e.g. a large encompasing zone broken up into subnets. Then you will need policies to allow traffic such as the two prvious posts suggest.
I can see a zone per vlan / network, but thats a lot of zones.
Where can I find the limitation on say a pa-3060 for the number of zones ?
plus question. if I have 5 zones z1 , z2 ... z5 and then are connected in serial one after another
z1 -> z2 -> ... ->z5
if I have a packet that is coming from z5 going to zone 1 and I have a rule that says allow z1 to talk to z5 will the PA allow it through even though the next hop is z2 ?
PA3060 supports 40 zones.
Can you explain a bit your serial zone setup.
You need rule every time traffic moves from one zone to other.
I'm also wondering how you are serializing the zones :)
but the underlying logic is that each time a packet is received, a route lookup determines source and destination zone. the security policy will need to match those zones for it to allow the session to be created and the packets to pass through
if you're doing vsys hopping, you'd need a policy per vsys that accomodates the packet going into and coming out of 'the void' ('external' zone) between the vsys
a security policy is session-state aware, so you only need to create a policy in the direction of the syn, returning ack packets will automatically match the policy
I'm not sure I did a good job of explaining what I meant in my earlier post. You can have multiple subnets within the same zone and have policies defining what traffic can pass.
zone 1 = 10.0.0.1/24
zone 1 = 172.16.0.1/24
zone 1 = 192.168.0.1/24
zone 1 source subnet 10.0.0.1/24 can send smtp to zone 1 172.16.0.1/24 and deny all other traffic. This way the 10.0.0.1/24 zone can send smtp packets to 172.16.0.1/24 but deny packets from 192.168.0.1/24 (if these were the only policies, etc.).
While this is a highly simplified example, remember that each column in the security policies has to match. This way you can split up your zones using subnets so you dont run out :).
We do a lot of what @OtakarKlier outlined. Our security zones are defined by grouping network types. For example:
Each actual network has a subnet and each security zone can consist of one or many networks. Rules that say "Allow traffic from Wifi security zone" would allow traffic from any network inside that zone whereas "Allow traffic from Wifi security zone if it is from subnet 192.168.1.0/24" would allow traffic only from a specific network/range in that zone.
So far it has worked out really well for us although one of my supervisors asked if we could do sub-zones... something like a "Building A" zone that belongs to the Residence Network zone. For them it is mostly about readability in the monitoring logs but I haven't seen a way to do this yet. Instead we just kind of have to know what the subnets for each building are or reference our documentation.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!