Intrazone-default rule

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Intrazone-default rule

L1 Bithead



I would like some advice on Palo Alto's default intrazone-default rule.  Unless I have a drop any any above this rule I see IP's from all over the public internet hitting my Palo Alto and being accepted on the intrazone rule as the traffic is from zone outside to zone inside. 


I want all of these random public IP's to be blocked and not accepted by the firewall.  In one of the training modules I went through it was mentioned that adding a drop any rule above the default rule could make the firewall not function correctly and legitimate traffic may be dropped that is needed.


What is the best practice on this.  What are others doing, adding a drop any any, or letting the intrazone-default accept traffic on the outside interface? 


L4 Transporter

Hello @mjensen40400 

In the post-rules (managing the firewalls via Panorama), we drop traffic from the Internet. Traffic from inside gets rejected (to let the client know that the connection is not possible, instead of letting it wait for a timeout). We don't use of the pre-defined interzone-default and intrazone-default rules, all traffic is denied at the end.

The policies which grant the necessary traffic is places in the pre-rules (in other words: above the post-rules / the deny rules). Access to the firewall itself (e.g. Global Protect Portal, ...) needs to be granted explicit.

Summary: all allow rules are placed in the pre-rules, all deny rules are placed in the post-rules.

Cyber Elite
Cyber Elite



If you put any any blocked rule above default rules, it will block legitimate traffic like traffic between trust-to-trust or LAN-to-LAN as you have kept any-to-any zone blocked and this rule will get matched before default rule.


Best Practice would be -


If you want to block traffic from untrust-to-untrust which is getting matched due to intrazone default allowed, put one rule at the end like,

SZONE untraust -to- DZONE untrust --drop


So unwanted traffic which is getting matched currently  will get dropped.  But if you have any IPSEC tunnel configured on this firewall, please make sure you add explicit policy above this rule to match communication between peer IP addresses as it uses default intrazone policy normally.

This way, you can block unwanted traffic which is getting allowed currently without creating any impact on legitimate traffic.


Hope it helps!




L7 Applicator

Hmmm... not sure if I am reading your thread correctly but the intrazone-default policy will not allow traffic from zone outside to zone inside.


But of course... i have read it so many times... I may have confused myself.



@MickBall ,


I am talking about intrazone rule which allows traffic between same zone like outside to outside but not outside to inside.

@JoergSchuetter Intrazone default will not allow traffic from outside to inside zone for sure.


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!