10-02-2018 05:37 AM
Is it possible or practical to block traffic between two server in the same firewall zone by designating the source IP from the server you want to block access to the server to the destination server indicated by IP
10-02-2018 06:21 AM
If the traffic is passingg through the firewall while staying in the same zone, you could create an intrazone policy to block the traffic. Are the servers on different subnets and in the same zone?
10-02-2018 06:29 AM
Different subnet same zones, that is why I thought I could name the source IP range that I didn't not want to have access to the specific IP's of the server I don't want them to have access to or from
10-02-2018 07:48 AM
As long as the traffic between these hosts passes through the firewall, then you should be able to create an intrazone rule to deny whatever you need.
10-03-2018 09:00 AM - edited 10-03-2018 09:17 AM
How do you have to configure an intrazone rule?
10-03-2018 09:43 AM
Hello,
It would look something like this:
(source zone) (source IP) (destination zone) (destination IP)
This way since they are different subnets and have to use the PAN as a gateway, you can create secutiy policies to distinguish traffic. I do this due to the amount of zones a PAN can have. This way I create one zone and subnet it out and use source and destination subnets.
Hope that makes sense.
10-03-2018 09:58 AM
Yes that makes sense I thought I did that but I can still ping the server that I am trying to block access too
10-03-2018 10:21 AM
When you create the policy, make sure the type is 'intrazone'. Once you select the source zone, the destination zone selection is disabled.
10-03-2018 10:59 AM
Where do you choose intrazone?
10-03-2018 11:09 AM - edited 10-03-2018 11:55 AM
@rmfalconer @OtakarKlier @reaper
Do you have to be very specific? like
source - server 1 10.10.10.10
Source zone - myhouse
destination - server 2 10.10.189.16
destination zone - myhouse
And have you used this on your firewall? Also I if I read this correctly that if I have the rule type set to universal,which I do, it should cover both interzone and intrazone
10-03-2018 01:33 PM
It's essentially built out exactly the same as you would a normal security policy, the 'to' and 'from' are just going to be exactly the same.
You can leave the rule type as universal or set it to intrazone, both would function the same.
10-03-2018 01:36 PM
From what read I was under the same impression. i guess i could move my server to another security zone but thats not assurrance either without making sure of how everything is routed and aggregated etc
10-04-2018 09:00 AM
Hello @jdprovine,
As for the IP's, no they do not have to be specific if you dont want then to be. I have a zone called DMZ, then I carve out subnets out of it. Since I have a DENY ALL rule before the built in allow intra zone traffic, it will automatically be blocked and then I can chose what is allowed to talk to what. So instead of using specific IP's you can use Subnets.
source zone = DMZ
source IP = 192.168.55.0/29
destination zone = DMZ
destination IP = 192.168.55.96/29
Hope that makes sense.
10-08-2018 04:43 AM
Just checking.... But the server Default gateways are the firewall not something else?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
