Intrazone-default rule

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Intrazone-default rule

L1 Bithead

Hello,

 

I would like some advice on Palo Alto's default intrazone-default rule.  Unless I have a drop any any above this rule I see IP's from all over the public internet hitting my Palo Alto and being accepted on the intrazone rule as the traffic is from zone outside to zone inside. 

 

I want all of these random public IP's to be blocked and not accepted by the firewall.  In one of the training modules I went through it was mentioned that adding a drop any rule above the default rule could make the firewall not function correctly and legitimate traffic may be dropped that is needed.

 

What is the best practice on this.  What are others doing, adding a drop any any, or letting the intrazone-default accept traffic on the outside interface? 

7 REPLIES 7

L4 Transporter

Hello @mjensen40400 

In the post-rules (managing the firewalls via Panorama), we drop traffic from the Internet. Traffic from inside gets rejected (to let the client know that the connection is not possible, instead of letting it wait for a timeout). We don't use of the pre-defined interzone-default and intrazone-default rules, all traffic is denied at the end.

The policies which grant the necessary traffic is places in the pre-rules (in other words: above the post-rules / the deny rules). Access to the firewall itself (e.g. Global Protect Portal, ...) needs to be granted explicit.

Summary: all allow rules are placed in the pre-rules, all deny rules are placed in the post-rules.

L6 Presenter

@JoergSchuetter,

 

If you put any any blocked rule above default rules, it will block legitimate traffic like traffic between trust-to-trust or LAN-to-LAN as you have kept any-to-any zone blocked and this rule will get matched before default rule.

 

Best Practice would be -

 

If you want to block traffic from untrust-to-untrust which is getting matched due to intrazone default allowed, put one rule at the end like,

SZONE untraust -to- DZONE untrust --drop

 

So unwanted traffic which is getting matched currently  will get dropped.  But if you have any IPSEC tunnel configured on this firewall, please make sure you add explicit policy above this rule to match communication between peer IP addresses as it uses default intrazone policy normally.

This way, you can block unwanted traffic which is getting allowed currently without creating any impact on legitimate traffic.

 

Hope it helps!

 

Mayur

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks

L7 Applicator

Hmmm... not sure if I am reading your thread correctly but the intrazone-default policy will not allow traffic from zone outside to zone inside.

 

But of course... i have read it so many times... I may have confused myself.

 

 

@Mick_Ball ,

 

I am talking about intrazone rule which allows traffic between same zone like outside to outside but not outside to inside.

@JoergSchuetter Intrazone default will not allow traffic from outside to inside zone for sure.

Mayur

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks

L1 Bithead

Hello All,
Any solution for this?
Thankyou


@JPMansour wrote:

Hello All,
Any solution for this?
Thankyou


A solution for what?  Can you cite specific on what you're looking for?  The earlier comments in this almost 5 year old thread didn't always follow the right logic of "intra" and "inter."  By sharing the specific details of what you're trying to solve that would be easier to provide a response.

Cyber Elite
Cyber Elite

Hi @JPMansour ,

 

Are you asking if PANW has a recommendation for the intrazone-default rule?  Not that I know.  The NGFW will drop packets if it is not listening on the TCP/UDP port.  It will not allow pings if not enabled in the interface management profile.

 

Like some others, I desire a little more protection.  I create a universal drop rule from the outside.  It is VERY important to make sure you have allow rules for L2L VPNs, GlobalProtect, BGP, etc. before doing this.

 

Here is a thread where an engineer recommends changing the intrazone-default rule to deny, and he makes some valid points.  https://live.paloaltonetworks.com/t5/next-generation-firewall/should-i-override-the-intrazone-defaul...

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
  • 17198 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!