01-09-2017 04:57 AM
This is a problem for other vendors (and something must be enabled/configured to allow this to occur).
Have not tried this in PANOS, but wondering if this just works, or is it a similar scenario where you must enable something in PANOS?
01-09-2017 05:53 AM
@mpgioia The Palo Alto looks strictly at zones and not interfaces when it comes to security profiles. Same interface traffic is looked at the same as intrazone traffic. The only thing that you really have to do is to verify that your static routes and security policies are setup in a way that this actually functions.
01-09-2017 07:59 AM - edited 01-09-2017 07:59 AM
TranceforLife wrote:
Hi,
If you are running PAN-OS 6.1 or above, intrazone traffic is permitted by default with the intrazone-default policy.
If you are running lower than 6.1 PAN-OS, you have to create a policy to allow same zone traffic:
Thx,
Myky
that's incorrect, intrazone traffic has always been allowed. PAN-OS 6.1 just made the policies visible 🙂
Depending on what you're trying to accomplish, you may need U-turn NAT to force returning packets back to the firewall interface so sessions process both directions of the flow: How to Configure U-Turn NAT
other than that there's no restrictions in bouncing traffic back out of the same interface
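As an added example (not from any post in this thread), here is what the two pieces reaper refers to look like as PAN-OS CLI set commands: a zone-based security rule for the same-interface flow and a U-turn NAT rule so both directions of the session pass through the firewall. Every interface, zone, rule and address name is an assumption: a client subnet 10.1.1.0/24 and a web server 10.1.1.10 both sit behind ethernet1/2 in zone trust, ethernet1/1 is untrust, and 203.0.113.10 is the public address published for the server. Security policy is matched on post-NAT zones but pre-NAT addresses, which is why the rule is trust-to-trust with the public destination; the source translation is what forces the server's reply back to the firewall instead of directly to the client on the same segment.

```text
# Added example, not from the thread. Interface, zone, rule and address names are assumptions.
configure

# One interface, one zone: client and server share ethernet1/2 in zone trust.
set network interface ethernet ethernet1/2 layer3 ip 10.1.1.1/24
set zone trust network layer3 ethernet1/2
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.2/24
set zone untrust network layer3 ethernet1/1
set network virtual-router default interface ethernet1/1
set network virtual-router default interface ethernet1/2

# Route lookup on the public address lands on ethernet1/1, so the pre-NAT
# destination zone of the client's packet is untrust.
set network virtual-router default routing-table ip static-route default destination 0.0.0.0/0 nexthop ip-address 203.0.113.1

# U-turn NAT: from trust to the pre-NAT zone untrust, translate the public
# address to the server and hide the client behind the trust interface address
# so the server replies to the firewall rather than straight to the client.
set rulebase nat rules uturn-web from trust to untrust source 10.1.1.0/24 destination 203.0.113.10 service any
set rulebase nat rules uturn-web destination-translation translated-address 10.1.1.10
set rulebase nat rules uturn-web source-translation dynamic-ip-and-port interface-address interface ethernet1/2

# Security policy sees the post-NAT destination zone (trust) and the pre-NAT
# destination address (203.0.113.10). Same-interface traffic is plain intrazone
# traffic here; an explicit rule lets you log it and attach security profiles.
set rulebase security rules allow-uturn-web from trust to trust source 10.1.1.0/24 destination 203.0.113.10 application web-browsing service application-default action allow

commit

# Checks from operational mode for a client at 10.1.1.50 (assumed):
test nat-policy-match from trust to untrust source 10.1.1.50 destination 203.0.113.10 protocol 6 destination-port 80
test security-policy-match from trust to trust source 10.1.1.50 destination 203.0.113.10 protocol 6 destination-port 80
show session all filter source 10.1.1.50 destination 203.0.113.10
```

If the session shows up in `show session all` but the client still gets no reply, the usual cause is that the source translation was left out: the server then answers the client directly on the shared segment, the firewall never sees the return half of the flow, and the client discards a SYN-ACK from 10.1.1.10 that it sent to 203.0.113.10.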
01-09-2017 05:02 AM
Hi,
If you are running PAN-OS 6.1 or above, intrazone traffic is permitted by default with the intrazone-default policy.
If you are running lower than 6.1 PAN-OS, you have to create a policy to allow same zone traffic:
Thx,
Myky
01-09-2017 05:07 AM
In other vendors, ZONE and INTERFACE are two distinct things.
The INTRA-zone is not an issue, but INTRA-interface tends to be an issue, and the capability to forward traffic (such that it INGRESSES and EGRESSES out the same interface) must be something explicitly enabled; INTRA-zone tends to just work.
So.. are these two distinct things in PANOS also, like other vendors, or are ZONE and INTERFACE amalgamated into the same thing in their OS architecture, based on your reply?
01-09-2017 05:14 AM
Hi,
Cisco ASA is an interface-based firewall and works a bit differently than a zone-based firewall (PA, Juniper SRX etc.).
If we are talking about PA, every interface belongs to a zone (only one zone). So if you want to permit same zone traffic (let's say one interface configured in the zone OUTSIDE) you have to have a policy in place