10-02-2018 05:37 AM
Is it possible or practical to block traffic between two server in the same firewall zone by designating the source IP from the server you want to block access to the server to the destination server indicated by IP
10-08-2018 05:42 AM
No the servers would have gateways associated with the vlan that they reside in
10-08-2018 06:12 AM
So the gateway for each vlan is not the firewall.
What is the gateway device
10-08-2018 06:19 AM
No why would that gateway be on the firewall? The gateway would be a router
10-08-2018 06:20 AM
So does the router know about both vlans? and do the routing for both vlans?
Rob
10-08-2018 06:25 AM
Yes the routing it set up for the vlan I am talking about. So what does this have to do with blocking the IP's on the firewall?
10-08-2018 06:34 AM
So server "A" "192.168.0.1" sends packet to serve "B" "192.168.1.1"
Router gets packet, forwards to server "B"
How does the firewall ever see the traffic?
Rob
10-08-2018 06:48 AM
That brings us back to my original question can you block traffic between two servers in the same security zone using a plao alot firewall rule and I believe the conclusion is that you can't because it isn't being passed or seen on the firewall
10-08-2018 06:51 AM
Hello @jdprovine,
By making the firewall the gateway address you can better acheive the zero trust modle where any traffic going into/outof that vlan can be inspected for threats.
https://www.paloaltonetworks.com/solutions/initiatives/network-segmentation
https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture
Also depending on the vlan/subnet architecture, you can acheive your original question.
Hope that helps.
10-08-2018 06:53 AM
Your traffic never goes to the firewall, it has no knowledge of it.
For intrazone blocking to work the firewall must be used as the gateway for the subnet.
This is not a problem with the Palo it's the same for any vendor.
10-08-2018 06:54 AM
So are you suggesting using the PA as the router for all our network traffic?
10-08-2018 06:56 AM
yes for any subnets you want to segregate.
Rob
10-08-2018 06:59 AM
Hello,
In a perfect world I would say yes. However this has a lot of dependancies and takes a lot of planning. In the past the routers/switches were the core of the network. The zero trust method makes the PAN the cetner of hte network. Its a bigger conversation you need to have with all the teams in the Infrastrucutre dept, i.e. servers, networking, security, etc.
The biggest probelm with this model is layer 2, hence my recomendation of one zone subnetted out to like a /29 and only 1 server/node per subnet. This can be acheived many ways, but what i suggested is the easiest if you dont have a SDN solution.
Regards,
10-08-2018 07:04 AM
Very interesting I will look over the articles you sent me, but would this allow me to block traffic between two servers in the same security zone?
10-08-2018 07:08 AM - edited 10-08-2018 07:08 AM
You can's block servers on the same subnet.
10-08-2018 07:09 AM
But if the zone has multiple subnets then yes if they are routed by the firewall.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
