02-06-2012 08:31 AM
Hello,
This question might sound very stupid, but never mind:
I have a PA-500 configured for a specific job at layer 3, and that requires creating a lot of zones in order to differentiate the traffic (as per my understanding, zones are defined to differentiate between traffic. If my thinking is wrong, please correct me).
Since the PA-500 can only have 20 zones and I already have 18 zones configured (I would need more than this over the year), I was just wondering if there was any way of increasing this number by creating sub-zones (like creating sub-interfaces).
Or any sort of workaround....
Thanks...
02-06-2012 09:14 AM
Hi... Zones are used to define your network boundary and not necessarily to differentiate traffic. For example, separating users from the server farm, inside vs outside vs DMZ. For multiple VLANs where each VLAN is an IP subnet for users, you can put all VLANs in the same zone because they are all users. The same goes for servers. You may have some SMTP servers, DNS servers and file servers, and you can group them together under one zone. Then you define security policies to control traffic between your users and your servers.
02-07-2012 08:04 AM
Thanks for the reply. It was useful, but the only problem I would face is that, for me, the zones define a customer's boundary or network. It does not necessarily mean different VLANs for me, as they are completely different networks and are external. It looks like:
Client -> A
Interface -> ethernet 1/6.1001
Source Zone -> Internal
Destination Zone -> A zone
IP Address -> 2.0.0.1/27
Client -> B
Interface -> ethernet 1/6.1002
Source zone -> Internal
Destination Zone -> B Zone
IP Address -> 128.x.x.x/24
Based on this, I will be creating zones for all the clients I register, which would run to quite a few. I can only see replacing the PA with a router or a layer 3 switch to pass the traffic onto their networks.
Any Thoughts..??
Thanks..
Regards,
02-07-2012 03:33 PM
Why not create a zone for 'clients', or more broadly lump them into 'untrust', depending on which network interface the clients are behind. If the clients are all external, off the internet, then go with 'untrust'.
Then create address book definitions per client in the appropriate zone (ex. 'clients' or 'untrust'):
client-a-net = 2.0.0.0/27
client-b-net = 128.x.x.x/24
Then in your security policy permit the desired traffic to the zone and destination as appropriate.
Seems like it would work.
02-07-2012 03:55 PM
I think that's the more common way of using zones.
The zone is just the description of the "interface" (no matter if the interface is physical such as EthernetX/Y or logical such as VLAN123). So instead of using "ethernet1.6/200" or "vlan123" you give this interface a useful name such as "Internet".
Which means that your security rules look like
src zone: Internet
dst zone: DMZ-DNS
instead of
src interface: Ethernet1.6/200
dst interface: Ethernet1.3/104
And then use address objects and address groups to further make your security rules easier to interpret when you are staring at them.
Like (already mentioned):
client-a-net = 2.0.0.0/27
client-b-net = 128.x.x.x/24
with group:
client-internet = client-a-net, client-b-net
And your security rule becomes:
srczone: Internet
src ip: client-internet
src port: >1023
dstzone: DMZ-DNS
dst ip: dns-servers
dst port: specific (TCP53, UDP53)
appid: dns
profile: PROFILEGROUP_BLOCK
action: allow
02-08-2012 02:13 AM
Many thanks for your thoughts, guys. I will try doing this in a couple of days' time to add a new customer. Will get back to you guys on this..
So, this is how I would go around configuring it (EXAMPLE):
1. Source Zone: Internal
2. Destination Zone: External
3. Create Layer 3 Sub-Interface: ethernet 1/6.1010 with an ip address 1.1.1.1
4. Add an Address object: 1.1.1.1 -> Client A
5. Create a Security rule: From Internal zone (Any source address) -> to External Zone with Destination Address of Client A (pulled from address object) -> any application, any service, no profiles ( as it is basically allowing routing traffic from our Wireless Controller)
Cheers...
02-09-2012 12:29 AM
You will need a 2.5: Connect zone to (physical or logical) interface.
And personally I would apply a protection profile even for the wireless users 🙂
02-09-2012 01:26 AM
Oh yes, connecting the zone to physical or logical interface. With respect to security profiles, we have another firewall doing filtering as this Palo Alto in question is doing content filtering on virtual wire mode for internal users and L3 routing.
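As an added illustration (not code from the thread, from Palo Alto Networks, or from any of the posters), here is a small Python model of the design the replies converge on: one shared external zone bound to the per-client sub-interfaces, one address object per client, an address group collecting them, and security rules that refer to the objects rather than to per-client zones. It covers the DNS rule from the earlier reply, the "Internal -> client A" rule from the later numbered steps, and the "step 2.5" zone-to-interface binding. All interface names, subnets, the DMZ and Internal networks, and the rule set are constructed assumptions; 128.0.0.0/24 stands in for the thread's 128.x.x.x/24.

```python
import ipaddress
from dataclasses import dataclass

# Constructed configuration for this example (values invented to mirror the thread).
INTERFACES = {                       # interface -> (zone it is bound to, connected subnet)
    "ethernet1/6.1001": ("Internet", "2.0.0.0/27"),
    "ethernet1/6.1002": ("Internet", "128.0.0.0/24"),
    "ethernet1/3.104":  ("DMZ-DNS",  "10.10.10.0/29"),
    "ethernet1/1":      ("Internal", "192.168.0.0/16"),
}
ADDRESS_OBJECTS = {                  # one object per client instead of one zone per client
    "client-a-net": "2.0.0.0/27",
    "client-b-net": "128.0.0.0/24",
    "dns-servers":  "10.10.10.0/29",
}
ADDRESS_GROUPS = {"client-internet": ["client-a-net", "client-b-net"]}


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    source: str            # address object / group name, or "any"
    destination: str
    app: str               # "any" or an app-id such as "dns"
    services: frozenset    # set of (proto, port); empty set means any service
    action: str


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    app: str


def resolve(name):
    """Expand an address object or (nested) group into networks; "any" is 0.0.0.0/0."""
    if name == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if name in ADDRESS_GROUPS:
        return [net for member in ADDRESS_GROUPS[name] for net in resolve(member)]
    return [ipaddress.ip_network(ADDRESS_OBJECTS[name])]


def zone_of(ip):
    """The zone is a property of the interface a packet enters or leaves on, so the zone
    for an address is found by longest-prefix match over the interface subnets."""
    addr = ipaddress.ip_address(ip)
    best = None
    for zone, subnet in INTERFACES.values():
        net = ipaddress.ip_network(subnet)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (zone, net)
    if best is None:
        raise ValueError(f"no interface routes {ip}")
    return best[0]


def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def matches(rule, flow):
    """Zones, addresses, application and service must all match for a rule to apply."""
    if rule.from_zone not in ("any", zone_of(flow.src_ip)):
        return False
    if rule.to_zone not in ("any", zone_of(flow.dst_ip)):
        return False
    if not _in_any(flow.src_ip, resolve(rule.source)):
        return False
    if not _in_any(flow.dst_ip, resolve(rule.destination)):
        return False
    if rule.app not in ("any", flow.app):
        return False
    if rule.services and (flow.proto, flow.dst_port) not in rule.services:
        return False
    return True


def evaluate(rules, flow):
    """Top-down, first match wins. With no match the implicit rules apply: traffic
    between two different zones is denied, traffic inside one zone is allowed."""
    for rule in rules:
        if matches(rule, flow):
            return rule.name, rule.action
    if zone_of(flow.src_ip) == zone_of(flow.dst_ip):
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


ANY_SERVICE = frozenset()
RULES = [
    # Clients now share a zone, so client-to-client traffic would fall through to the
    # intrazone default (allow). An explicit deny at the top keeps the tenants apart.
    Rule("client-isolation", "Internet", "Internet", "client-internet", "client-internet",
         "any", ANY_SERVICE, "deny"),
    # The DNS rule from the thread: client group -> DNS servers, app-id dns on port 53.
    Rule("client-dns", "Internet", "DMZ-DNS", "client-internet", "dns-servers",
         "dns", frozenset({("tcp", 53), ("udp", 53)}), "allow"),
    # The numbered steps' rule: Internal (wireless controller) -> client A only.
    Rule("wlc-to-client-a", "Internal", "Internet", "any", "client-a-net",
         "any", ANY_SERVICE, "allow"),
]

if __name__ == "__main__":
    for flow in (Flow("2.0.0.5", "10.10.10.2", "udp", 53, "dns"),
                 Flow("128.0.0.9", "10.10.10.2", "tcp", 22, "ssh"),
                 Flow("2.0.0.5", "128.0.0.9", "tcp", 443, "ssl"),
                 Flow("192.168.1.10", "128.0.0.9", "tcp", 443, "ssl")):
        print(flow, "->", evaluate(RULES, flow))
```

Adding a new client then means one new sub-interface bound to the existing zone, one new address object and one group membership, with no change to the zone count. The `client-isolation` rule is the one thing to keep in mind when collapsing separate customers into a shared zone: without it, traffic routed between two client sub-interfaces would be intrazone and allowed by default.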