block IP's in same zone

Showing results for 
Show  only  | Search instead for 
Did you mean: 

block IP's in same zone

L4 Transporter

Is it possible or practical to block traffic between two server in the same firewall zone by designating the source IP from the server you want to block access to the server to the destination server indicated by IP


No the servers would have gateways associated with the vlan that they reside in

So the gateway for each vlan is not the firewall.


What is the gateway device

No why would that gateway be on the firewall? The gateway would be a router

So does the router know about both vlans? and do the routing for both vlans?



Yes the routing it set up for the vlan I am talking about.  So what does this have to do with blocking the IP's  on the firewall?

So server "A" "" sends packet to serve "B" ""


Router gets packet, forwards to server "B"


How does the firewall ever see the traffic?



That brings us back to my original question can you block traffic between two servers in the same security zone using a plao alot firewall rule and I believe the conclusion is that you can't because it isn't being passed or seen on the firewall

Hello @jdprovine,

By making the firewall the gateway address you can better acheive the zero trust modle where any traffic going into/outof that vlan can be inspected for threats.


Also depending on the vlan/subnet architecture, you can acheive your original question.


Hope that helps.

Your traffic never goes to the firewall, it has no knowledge of it.


For intrazone blocking to work the firewall must be used as the gateway for the subnet.


This is not a problem with the Palo it's the same for any vendor.


So are you suggesting using the PA as the router for all our network traffic?

yes for any subnets you want to segregate.




In a perfect world I would say yes. However this has a lot of dependancies and takes a lot of planning. In the past the routers/switches were the core of the network. The zero trust method makes the PAN the cetner of hte network. Its a bigger conversation you need to have with all the teams in the Infrastrucutre dept, i.e. servers, networking, security, etc.


The biggest probelm with this model is layer 2, hence my recomendation of one zone subnetted out to like a /29 and only 1 server/node per subnet. This can be acheived many ways, but what i suggested is the easiest if you dont have a SDN solution.






Very interesting I will look over the articles you sent me, but would this allow me to block traffic between two servers in the same security zone?


You can's block servers on the same subnet.

But if the zone has multiple subnets then yes if they are routed by the firewall.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!