DMZ network configuration


We have installed a PAN-2050 at my customer's site.

It has been deployed with two L2 interfaces as a vwire.

And we made one L3 VLAN interface for the secondary IP.

There are 2 IP subnets (192.168.10.0/24 and 192.168.1.0/24).

One (192.168.10.0/24) is for users.

The other (192.168.1.0/24) is for the DMZ server.

Both IP subnets use the PAN L3 VLAN interface as their gateway.

And there is one VR in the PAN-2050 for that gateway.

The user subnet, which uses a NAT policy, can use internet and intranet services as well.

The problem is that the DMZ server couldn't use its services.

There are no security policies.

Maybe my configuration is wrong.

Please let me know what other configuration I should add.


Can the servers reach the users? or is the problem just the servers not getting access to the Internet?

Yes, the server and users can communicate with each other.

The server has a problem accessing the internet.

You should check your NAT rule to ensure the DMZ zone/address is included.

Also, you mentioned there is no security policy. The implicit deny-all rule will block all traffic that does not match a security rule. You should have a security rule to allow traffic from DMZ to Internet.

Thanks.

The issue has been solved with the 'no tcp-reject-non-syn' option.

The PA looked at it as asymmetric routing because the SYN is an L3 flow and the SYN/ACK is an L2 flow.

Glad to hear it.

If this PA device is the only firewall in use, I recommend that you re-enable 'tcp-reject-non-syn' as soon as possible and not leave it off for long. You should re-design the network to separate the user and DMZ zones into their own L3 zones, and remove the L2. This will permit you to enforce 'tcp-reject-non-syn' for security reasons.

Thanks.
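A small Python model, added here and not code from the thread or from Palo Alto Networks, of why the SYN/ACK was dropped and what turning 'tcp-reject-non-syn' off trades away. It keys sessions on the 5-tuple plus ingress zone, so a SYN seen on the L3 VLAN side and a SYN/ACK seen on the L2 vwire side are two separate lookups; zone names, addresses and the packet trace are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # "S" = SYN, "SA" = SYN/ACK, "A" = ACK
    zone: str    # ingress zone the firewall saw the packet in (constructed names)

def session_key(p):
    """Direction-independent 5-tuple plus ingress zone: the same connection
    arriving via the L3 VLAN and via the L2 vwire is two different lookups."""
    ends = tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))
    return (ends, p.zone)

def process(packets, reject_non_syn=True):
    """Return (sessions, dropped). The first packet of an unknown session creates
    it; with reject_non_syn on, only a pure SYN may, as tcp-reject-non-syn enforces."""
    sessions, dropped = {}, []
    for p in packets:
        k = session_key(p)
        if k in sessions:
            sessions[k].append(p.flags)
        elif reject_non_syn and p.flags != "S":
            dropped.append(p)          # mid-stream packet with no SYN on this path
        else:
            sessions[k] = [p.flags]    # check off: a SYN/ACK may open a session
    return sessions, dropped

def asymmetric_connections(packets):
    """Connections whose SYN and SYN/ACK entered via different zones: the
    symptom behind the drops, which the last reply advises designing out."""
    seen = {}
    for p in packets:
        if p.flags in ("S", "SA"):
            ends, zone = session_key(p)
            seen.setdefault(ends, {})[p.flags] = zone
    return [e for e, z in seen.items() if "S" in z and "SA" in z and z["S"] != z["SA"]]

# Constructed trace mirroring the thread: the DMZ server opens a connection through
# the L3 VLAN gateway, and the reply returns through the L2 virtual wire.
TRACE = [
    Packet("192.168.1.10", "203.0.113.5", 40001, 443, "S",  "dmz-l3"),
    Packet("203.0.113.5", "192.168.1.10", 443, 40001, "SA", "vwire-l2"),
    Packet("192.168.1.10", "203.0.113.5", 40001, 443, "A",  "dmz-l3"),
]
```

With the check on, `process(TRACE)` drops the SYN/ACK; with it off, the SYN/ACK opens a second session and the connection completes, which is the behaviour the thread observed and the reason the last reply wants the check back on.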
