10-19-2015 12:08 PM
Hello,
I need to restrict access to a critical server in our company in the LAN zone. I added a security rule that restricts, for example, the address 192.18.1.25 from accessing the database server that has the address 192.168.1.20. I added a security rule from LAN to LAN with this address, but the restriction doesn't work!
How can I do this restriction?
I would appreciate any help 🙂
10-19-2015 12:12 PM - edited 10-19-2015 12:14 PM
Are those servers directly connected to Palo Alto firewall ports, or is there a switch between those servers and the Palo?
If there is a cable from the Palo to the switch and then cables from the switch to both servers, then the servers talk directly through the switch.
If those servers connect to different firewall ports, then it is possible to get this setup working.
10-19-2015 12:13 PM
Did you mean that your client is 192.168.1.25? If so, then the client wouldn't even be passing through the firewall most likely. If your client and server are in the same subnet, such as 192.168.1.0/24, the client will ARP directly for the server. If both the server and the client are connected to the same switch (or can access each other via L2 only), there will be no routing.
Generally you would set up your clients and servers in different zones and on different subnets, so that you can control the traffic as it routes through the firewall.
10-19-2015 12:24 PM
The eth 1/2 of the PAN is configured with the LAN zone, and this interface is connected to the switch. Yes, the servers and the client PCs are connected to the same switch. I need to restrict the access of the users to servers that are located in the same subnet 192.168.1.0/24.
Is it possible to do this?
10-19-2015 12:30 PM
It is possible, but as mentioned before, in your case the devices talk directly through the switch.
You have to configure it so that traffic passes through the firewall.
Either with different VLANs (does your switch support them?) or by connecting the different devices to different firewall ports.
10-19-2015 12:45 PM
So this case is only possible with the configuration of VLANs in the PAN or in the switch?
I found this article talking about the configuration of VLAN interfaces in the PAN: https://live.paloaltonetworks.com/t5/Configuration-Articles/Setting-Up-the-PA-200-for-Home-and-Small...
So if I would like to configure VLANs in the PAN, I should do as mentioned in the article: config from L3 to L2
interface 1/1: WAN : L3
interface 1/2: LAN (interface VLAN 192 with address 192.168.1.0/24)
interface 1/3: Server zone with address (interface VLAN 10 : 10.200.1.0/24)
Then I will connect interface 1/2 and interface 1/3 to a separate switch. I will then add an access rule and a Vroute in the PAN. Is that the solution??
10-19-2015 02:06 PM
Usually it is done like this:
https://live.paloaltonetworks.com/t5/Documentation-Articles/Securing-Inter-VLAN-Traffic/ta-p/54749
But if you can't change IP's then do it with Layer 2 setup:
https://live.paloaltonetworks.com/t5/Documentation-Articles/Layer-2-Networking/ta-p/57040
Screenshots are taken from an older version, but you should get the point.
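The replies above make one point that decides the whole thread: a Layer 3 security policy can only act on a packet the firewall routes, and two hosts on the same subnet reach each other by ARP through the switch, so a LAN-to-LAN rule never sees the flow. The following is an added example, not code from this thread or from Palo Alto Networks, that models that behaviour for the two designs discussed: the original flat 192.168.1.0/24 on ethernet1/2, and the proposed split with a 10.200.1.0/24 server VLAN on ethernet1/3. The interface names, zone names and subnets are taken from the posts; the client address 192.168.1.25 follows the reply that asked about it, and the server's address in the new server subnet (10.200.1.20) and the zone name "Servers" are constructed.

```python
"""Model of when an L3 firewall security policy can act on host-to-host traffic.

Added example (not from the LIVEcommunity thread or Palo Alto Networks).
A routed firewall evaluates a rule only for packets that pass through it; two
hosts on one connected subnet exchange frames via the switch directly, so the
firewall interface never receives the flow and no rule can match it.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Interface:
    name: str              # e.g. "ethernet1/2"
    zone: str              # security zone bound to the interface
    network: IPv4Network   # connected subnet the firewall routes for


@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    source: IPv4Address
    destination: IPv4Address
    action: str            # "deny" or "allow"


def interface_for(ip: IPv4Address, interfaces: List[Interface]) -> Optional[Interface]:
    """Return the firewall interface whose connected subnet contains ip, if any."""
    for intf in interfaces:
        if ip in intf.network:
            return intf
    return None


def traverses_firewall(src: IPv4Address, dst: IPv4Address, interfaces: List[Interface]) -> bool:
    """True only when src and dst sit on different connected subnets.

    Same subnet: the client ARPs for the server's MAC and the switch forwards
    the frame straight to it; the firewall is not in the path.
    """
    s, d = interface_for(src, interfaces), interface_for(dst, interfaces)
    if s is None or d is None:
        return False   # address is not on any firewall-attached subnet
    return s.network != d.network


def evaluate(rule: Rule, src: IPv4Address, dst: IPv4Address, interfaces: List[Interface]) -> str:
    """Outcome for one flow against one rule: "not_seen", rule.action or "no_match".

    The model stops at a single rule; a real policy would continue down the
    rulebase and finally hit the default interzone/intrazone rules.
    """
    if not traverses_firewall(src, dst, interfaces):
        return "not_seen"
    s, d = interface_for(src, interfaces), interface_for(dst, interfaces)
    if (s.zone, d.zone, src, dst) == (rule.from_zone, rule.to_zone, rule.source, rule.destination):
        return rule.action
    return "no_match"


# Addresses from the thread (client as clarified in the reply) plus one
# constructed address for the server after it moves into the server VLAN.
CLIENT = ip_address("192.168.1.25")
DB_SERVER_FLAT = ip_address("192.168.1.20")    # original placement, same subnet as client
DB_SERVER_VLAN = ip_address("10.200.1.20")     # constructed: server re-addressed into 10.200.1.0/24

# Original design: one LAN interface, clients and server on the same subnet.
ORIGINAL = [Interface("ethernet1/2", "LAN", ip_network("192.168.1.0/24"))]

# Proposed design: separate server zone on ethernet1/3 (zone name "Servers" is assumed).
SEGMENTED = [
    Interface("ethernet1/2", "LAN", ip_network("192.168.1.0/24")),
    Interface("ethernet1/3", "Servers", ip_network("10.200.1.0/24")),
]


def original_design() -> str:
    """The LAN-to-LAN deny from the first post: the firewall never sees the flow."""
    rule = Rule("LAN", "LAN", CLIENT, DB_SERVER_FLAT, "deny")
    return evaluate(rule, CLIENT, DB_SERVER_FLAT, ORIGINAL)   # "not_seen"


def segmented_design() -> str:
    """Same intent after segmentation: the flow is routed and the deny applies."""
    rule = Rule("LAN", "Servers", CLIENT, DB_SERVER_VLAN, "deny")
    return evaluate(rule, CLIENT, DB_SERVER_VLAN, SEGMENTED)  # "deny"


if __name__ == "__main__":
    print("flat LAN, LAN-to-LAN deny rule:", original_design())
    print("server VLAN, LAN-to-Servers deny rule:", segmented_design())
```

The model also makes the follow-on point visible: once the server sits in its own zone, a flow from any other LAN client that no explicit rule covers returns "no_match" here, which on a real PAN-OS firewall falls through to the interzone default rule (deny), so segmentation alone already blocks everything you have not explicitly allowed. Re-addressing the server is the tidy option; if its address cannot change, the Layer 2 deployment linked above gets the firewall into the switch path without touching the subnet.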