09-06-2024 02:24 AM
Hi All,
Using Panorama (10.1.x) with a number of managed FWs, we have a shared pre-policy, a parent pre-policy and child policies with pre-rules configured within.
Goal: in the event of a security incident at a branch location, we want a pre-defined deny rule in the parent pre-policy that we can just enable and push down to a specific FW, so that the deny rule is invoked on this FW only. Example:
"src zone: any > dst zone: untrust > action deny"
So I want to add a deny rule (disabled by default) to my parent pre-policy that, when enabled, will be targeted to a specific FW and committed, so that it only applies and is enabled on the target FW.
However, all the managed FWs have different naming conventions for zones, i.e. sitea_zone_trust, siteb_zone_trust, etc.
Instead of creating multiple policies in the parent pre-rulebase defining each zone name, is there a way I can do the following?
When enabling the parent pre-policy deny rule and selecting the target for it, then committing it to the FW, can the FW automatically ingest the source zone as siteb_trust, for instance, when the parent pre-rule has 'any' defined for this rule?
Thanks in advance
09-06-2024 07:10 AM
If zone names are different, then use the source address.
So, assuming the source zone that you want to block is siteb_trust and the subnet used is 10.5.5.0/24, then push a policy to the firewall with source zone any and source address 10.5.5.0/24.
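The approach in the reply above, worked through as an added example (this is not code from the thread or from Palo Alto Networks): a small generator that turns a per-site table of firewall serial and trust subnet into Panorama set-format commands for a disabled deny rule, matched on the site's source subnet with source zone any and pinned to that one firewall with a device target. The device-group name, the site names, serials and subnets are constructed, and the exact set-command syntax is an assumption to be checked against your Panorama version before use.

```python
"""Generate Panorama set-format commands for per-site 'incident deny' rules.

Added example, not from the thread. Follows the reply's advice: because zone
names differ per firewall, match the site's trust subnet as the source
address with source zone 'any', and pin the rule to one managed firewall.
Site data and the set-command syntax below are assumptions/constructed.
"""
import ipaddress
from dataclasses import dataclass

DEVICE_GROUP = "Parent-DG"   # assumed name of the parent device group
UNTRUST_ZONE = "untrust"     # destination zone from the question


@dataclass(frozen=True)
class Site:
    name: str          # short label used in the rule name
    serial: str        # firewall serial as Panorama knows it (constructed)
    trust_subnet: str  # subnet behind that site's trust zone (constructed)


# Constructed inventory; replace with your own sites.
SITES = [
    Site("sitea", "000000000001", "10.1.1.0/24"),
    Site("siteb", "000000000002", "10.5.5.0/24"),
]


def rule_name(site: Site) -> str:
    return f"incident-deny-{site.name}"


def incident_deny_rule(site: Site, device_group: str = DEVICE_GROUP) -> list[str]:
    """Set commands for one disabled deny rule targeted at one firewall.

    Assumed syntax:
      set device-group <dg> pre-rulebase security rules <name> ...
    strict=True makes a typo like 10.5.5.1/24 fail loudly instead of
    silently widening the match.
    """
    net = ipaddress.ip_network(site.trust_subnet, strict=True)
    base = f"set device-group {device_group} pre-rulebase security rules {rule_name(site)}"
    return [
        f"{base} from any",                       # zone-agnostic, as advised
        f"{base} to {UNTRUST_ZONE}",
        f"{base} source {net.with_prefixlen}",    # the site's trust subnet
        f"{base} destination any",
        f"{base} application any",
        f"{base} service any",
        f"{base} action deny",
        f"{base} log-end yes",                    # keep a record when it fires
        f"{base} disabled yes",                   # off until an incident
        f"{base} target devices {site.serial}",   # applies on this FW only
    ]


def enable_rule(site: Site, device_group: str = DEVICE_GROUP) -> list[str]:
    """Commands to turn the rule on during an incident (assumed syntax)."""
    base = f"set device-group {device_group} pre-rulebase security rules {rule_name(site)}"
    return [f"{base} disabled no"]


def generate_all(sites: list[Site], device_group: str = DEVICE_GROUP) -> list[str]:
    """Render every site's rule, refusing duplicate serials or subnets."""
    if len({s.serial for s in sites}) != len(sites):
        raise ValueError("duplicate firewall serial in site table")
    nets = [ipaddress.ip_network(s.trust_subnet) for s in sites]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping trust subnets: {a} and {b}")
    cmds: list[str] = []
    for site in sites:
        cmds.extend(incident_deny_rule(site, device_group))
    return cmds


if __name__ == "__main__":
    for line in generate_all(SITES):
        print(line)
    print("# during an incident at siteb:")
    for line in enable_rule(SITES[1]):
        print(line)
```

The rules stay disabled and device-targeted, so a normal push leaves other firewalls untouched; enabling one site's rule and committing only to that device is the whole incident action. Because the match key is the subnet rather than the zone, traffic from that subnet arriving through any zone on the target firewall is denied, which is the trade-off of the zone-agnostic approach.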