Best way to block private IPs but make an exception for 1 network.



I just upgraded from 4.0.7 to 4.1.6. Since this upgrade our monitoring server in the LAN 10.x.x.x/24 cannot browse to our web servers in the DMZ 192.168.X.X/24. It shows up as action blocked-url, with category private-ip-addresses. I have private-ip-addresses blocked in the URL filtering, but I have a custom URL category defined that allows access to 192.168.x.x/24. This worked before the upgrade. I can put the URL in the allowed list and it works, but I would like to find a way to allow access to the entire 192.168.x.x/24 network.

Any suggestions on the best way to do this?

Thanks,

Michael



Since PA uses (the common) top-down first-match you could set it up like:

1)
srcip: 10.x.x.x/24
dstip: 192.168.X.X/24
appid: web-browsing (or whatever is being used)
action: allow

2)
srcip: 10.x.x.x/24
dstip: any
appid: web-browsing, ssl (and so on)
url-category: blocked_categories + manual blacklist
action: deny

3)
srcip: 10.x.x.x/24
dstip: any
appid: web-browsing, ssl (and so on)
url-category: allowed_categories
action: allow

mikand,

Thanks. That looks good. I have a couple of questions.

Wouldn't I want to make the dstip in #2 192.168.0.0/16 so it would only block private IPs? Or am I reading this wrong?

Also, I mostly use the GUI for configuration. Where would I put this in?

Michael

Michael, you are correct. You will want to specify 192.168.0.0/16 per the RFC 1918 spec.

The above configuration examples should be configured in your security policy rules under Policies > Security.

1) We allow the traffic from the client network to this DMZ no matter what the category is (you could of course put a limit on which categories should be allowed if you wish).

2) We globally deny the client network from reaching banned categories (or, for that matter, a manual blacklist).

3) We globally allow the client network to reach allowed categories.

4) Default deny + log (I didn't write this since it should be in all firewalls already :) )

The point here is that because PA is top-down first-match, HTTP/HTTPS traffic client -> DMZ will hit the first rule, and since that action is allow, the traffic will be allowed through.

Rule 2 above is like the "default" for the client network: we don't want them to visit, for example, malware sites or ad sites.

The third rule is more of a safety guard. The allowed categories should be the reverse of the banned categories. However, you can face situations (especially if you have more than these 3 rules) where a later rule would "override" what you thought you did earlier on in the rule chain.

The banned categories (rule 2) could also be just a manual blacklist, while rule 3 will be the "default" regarding which categories are allowed to be visited (so if the client tries to reach an uncategorized site it will be blocked: if it's not in the URL DB, or, if you enable dynamic URLs, if it's not available in the "cloud" regarding which category the URL belongs to).
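The rule layout above depends entirely on top-down first-match ordering, and the thread never shows that order being exercised. The following is an added example, not code from the original thread, from Palo Alto Networks, or a PAN-OS configuration: a small Python model of the four-rule chain (allow LAN to DMZ, deny blocked categories, allow allowed categories, default deny) that classifies a URL host as private-ip-addresses when it is an RFC 1918 literal and otherwise consults a constructed category table. The LAN 10.1.1.0/24, the DMZ 192.168.10.0/24, the hostnames, and the category names are assumptions standing in for the 10.x.x.x/24 and 192.168.X.X/24 in the question; zones, services and the real URL database are not modelled.

```python
"""Top-down first-match model of the three-rule-plus-default-deny layout.

Added example, not PAN-OS configuration or vendor code. Hosts, networks and
the category table are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 1918 private address space. In this model a URL whose host is a
# literal address in one of these ranges gets the private-ip-addresses category.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed lookup table standing in for the URL database (assumption).
URL_DB = {
    "intranet.example.com": "business-and-economy",
    "updates.example.net": "computer-and-internet-info",
    "bad.example.org": "malware",
    "ads.example.org": "adware",
}

BLOCKED_CATEGORIES = frozenset({"malware", "adware", "private-ip-addresses"})
ALLOWED_CATEGORIES = frozenset({"business-and-economy", "computer-and-internet-info"})


def categorise(url_host: str) -> str:
    """Return the URL category of a host: RFC 1918 literal -> private-ip-addresses,
    known name -> table entry, anything else -> unknown (uncategorised)."""
    try:
        addr = ip_address(url_host)
    except ValueError:
        return URL_DB.get(url_host, "unknown")
    return "private-ip-addresses" if any(addr in net for net in RFC1918) else "unknown"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                # CIDR or "any"
    dst: str                # CIDR or "any"
    apps: frozenset         # application names, or {"any"}
    categories: frozenset   # URL categories the rule applies to, or {"any"}
    action: str             # "allow" or "deny"

    @staticmethod
    def _in_net(ip: str, net: str) -> bool:
        return net == "any" or ip_address(ip) in ip_network(net)

    def matches(self, src_ip: str, dst_ip: str, app: str, category: str) -> bool:
        return (
            self._in_net(src_ip, self.src)
            and self._in_net(dst_ip, self.dst)
            and ("any" in self.apps or app in self.apps)
            and ("any" in self.categories or category in self.categories)
        )


WEB = frozenset({"web-browsing", "ssl"})
LAN = "10.1.1.0/24"       # assumed; the question only says 10.x.x.x/24
DMZ = "192.168.10.0/24"   # assumed; the question only says 192.168.X.X/24
ANY = frozenset({"any"})

RULES = [
    Rule("allow-lan-to-dmz", LAN, DMZ, WEB, ANY, "allow"),
    Rule("deny-blocked-categories", LAN, "any", WEB, BLOCKED_CATEGORIES, "deny"),
    Rule("allow-allowed-categories", LAN, "any", WEB, ALLOWED_CATEGORIES, "allow"),
    Rule("default-deny", "any", "any", ANY, ANY, "deny"),
]


def evaluate(rules, src_ip: str, dst_ip: str, app: str, url_host: str):
    """Top-down first match: the first rule whose fields all match decides."""
    category = categorise(url_host)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, app, category):
            return rule.name, rule.action
    raise AssertionError("no rule matched; the rulebase must end in a default deny")


if __name__ == "__main__":
    cases = [  # (src, dst, app, URL host): constructed sample sessions
        ("10.1.1.20", "192.168.10.5", "web-browsing", "192.168.10.5"),   # monitoring -> DMZ
        ("10.1.1.20", "192.168.50.5", "web-browsing", "192.168.50.5"),   # some other private net
        ("10.1.1.20", "203.0.113.10", "ssl", "intranet.example.com"),    # allowed category
        ("10.1.1.20", "203.0.113.11", "web-browsing", "bad.example.org"),  # blocked category
        ("10.1.1.20", "203.0.113.12", "web-browsing", "nobody.example"),   # uncategorised
    ]
    for case in cases:
        print(case, "->", evaluate(RULES, *case))
    # Swap rules 1 and 2 and the DMZ web servers are denied: order is the whole point.
    swapped = [RULES[1], RULES[0]] + RULES[2:]
    print("swapped order:", evaluate(swapped, *cases[0]))
```

Run it as a script to see each session land on its rule; the last line shows that placing the category deny above the DMZ allow reproduces the blocked-url / private-ip-addresses result from the question, which is the check to do before committing a reordered rulebase.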

Thanks both of you for the information and ideas. I'm going to put this in tonight.
