11-11-2019 01:19 PM
Let me start by saying that I am not a firewall expert by any means but I think the task I have is simple. I want to block all traffic through a PA-500 except for a single conversation between a dedicated machine on each side of the firewall. Is there an easy way to do this? BTW the IPs are static on both machines.
Thanks
11-11-2019 02:04 PM
This should be pretty straightforward... have you looked at our Tech Docs site? Here is a link to working with Security Policies on version 8.1 of PAN-OS; there are links to other generally available versions there, which should be helpful:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/policy/security-policy.html
Keep in mind that PAN-OS denies by default, so you would need to be specific with the source/destination details.
11-11-2019 07:22 PM
It's pretty much the simplest rule you could have. You just need to specify...
If the conversation is only ever started by one machine then
Source Zone,
Source IP,
Dest Zone,
Dest IP,
Service any [or limit it to what you need],
Action allow.
If either can start the conversation then you just add another rule and reverse all the parameters.
But is the firewall running already? Are both networks connected?
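As an added example, not taken from either reply above, here is what that rule (and the reversed one for the case where either host can start the conversation) looks like in the PAN-OS CLI in configure mode. The zone names trust/untrust, the host addresses 10.1.1.10 and 10.2.2.20, the address object names and the rule names are all assumptions; the lines beginning with # are annotations for the reader, not CLI input.

```text
# Assumed zones: trust (inside host) and untrust (outside host).
# Assumed host addresses (constructed sample values): 10.1.1.10 and 10.2.2.20.
configure
# /32 address objects so each rule matches exactly one host, nothing else.
set address host-a ip-netmask 10.1.1.10/32
set address host-b ip-netmask 10.2.2.20/32
# Rule 1: sessions initiated by host-a. Reply packets of an established session
# are allowed by the session table, so no second rule is needed just for replies.
set rulebase security rules allow-a-to-b from trust to untrust source host-a destination host-b application any service any action allow
set rulebase security rules allow-a-to-b log-end yes
# Rule 2: only needed if host-b can also initiate. Same parameters, reversed.
set rulebase security rules allow-b-to-a from untrust to trust source host-b destination host-a application any service any action allow
set rulebase security rules allow-b-to-a log-end yes
commit
```

Two things worth checking once this is committed. First, the "denies by default" behaviour comes from the predefined interzone-default rule; the predefined intrazone-default rule allows traffic, so the two hosts must sit in different zones (as above) or the implicit deny does not apply between them. Second, the rulebase can be verified without sending traffic from the operational CLI, e.g. `test security-policy-match from trust to untrust source 10.1.1.10 destination 10.2.2.20 protocol 6 destination-port 443` should report allow-a-to-b, while the same test with any other source address should match nothing but the default deny.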
11-12-2019 04:08 AM
This is not in service yet. I have it on my desk and I will try your suggestions. I guess I really should have asked if the firewall blocks everything by default in its off-the-shelf configuration, but it looks like it does.
Thanks for the help.