Hi Team, we recently migrated from cisco ASA to Palo Alto 3220, where for one of the policy in cisco ASA has " access-list inside-egress extended permit ip any any", And this access-list is attached to the access-group to the interface "inside". as you can see below.
"access-group inside-egress out interface inside"
as per my understanding from cisco perspective for this access group the traffic which egresses out of the interface named "inside", should evaluate the against the access-list "inside-egress". The following are the access-list related to inside-egress.
access-list inside-egress extended permit icmp host 10.197.37.212 host 10.15.126.119
access-list inside-egress extended permit tcp host 10.16.17.9 host 10.15.4.84 eq 5707 log interval 1
access-list inside-egress extended permit ip any any
When it is converted to Palo Alto, for the " access-list inside-egress extended permit ip any any" tool created a policy stating
Source zone - any, Source subnet- any to destination-subnet- any, destination-zone - "inside" with allow action.
Basically anything from anywhere were allowed to inside zone (which is dangerous wide open policy).
How we can rectify this, need your advise, for the access-group with "out" attached to the interface and having "permit ip any any" accesslist.
First of all, you shouldn't allow anything coming any destination zone with source any. I would recommend you to go through the the networks those need to be allowed and allow required subnets only, that too with specific zones.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!