Intrazone-default rule

L1 Bithead

Intrazone-default rule

Hello,

I would like some advice on Palo Alto's default intrazone-default rule. Unless I have a drop any any above this rule, I see IPs from all over the public internet hitting my Palo Alto and being accepted on the intrazone rule, as the traffic is from zone outside to zone inside.

I want all of these random public IPs to be blocked and not accepted by the firewall. In one of the training modules I went through, it was mentioned that adding a drop any rule above the default rule could make the firewall not function correctly, and legitimate traffic that is needed may be dropped.

What is the best practice on this? What are others doing: adding a drop any any, or letting the intrazone-default accept traffic on the outside interface?

L3 Networker

Re: Intrazone-default rule

Hello @mjensen40400 

In the post-rules (managing the firewalls via Panorama), we drop traffic from the Internet. Traffic from inside gets rejected (to let the client know that the connection is not possible, instead of letting it wait for a timeout). We don't use the pre-defined interzone-default and intrazone-default rules; all traffic is denied at the end.

The policies which grant the necessary traffic are placed in the pre-rules (in other words: above the post-rules / the deny rules). Access to the firewall itself (e.g. the GlobalProtect portal, ...) needs to be granted explicitly.

Summary: all allow rules are placed in the pre-rules, all deny rules are placed in the post-rules.

L5 Sessionator

Re: Intrazone-default rule

@JoergSchuetter,

If you put an any-any block rule above the default rules, it will block legitimate traffic like trust-to-trust or LAN-to-LAN traffic, as you have blocked any zone to any zone and this rule will get matched before the default rule.

Best practice would be:

If you want to block traffic from untrust-to-untrust which is getting matched due to the intrazone-default allow, put one rule at the end like:

SZONE untrust -to- DZONE untrust -- drop

So the unwanted traffic which is currently getting matched will get dropped. But if you have any IPsec tunnel configured on this firewall, please make sure you add an explicit policy above this rule to match communication between the peer IP addresses, as it normally uses the default intrazone policy.

This way, you can block the unwanted traffic which is currently getting allowed without creating any impact on legitimate traffic.

Hope it helps!

Mayur

Mayur Sutare
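The ordering argument in the two replies above, as an added example that is not code from the original posts or from Palo Alto Networks: a small Python simulation of first-match rulebase evaluation with the intrazone-default and interzone-default rules appended after the user rules. It compares the rulebase as the question describes it, a drop-any-any rule sitting above the defaults, the Panorama-style explicit deny at the end of the post-rules, and the untrust-to-untrust drop with an explicit allow for the IPsec peers placed above it. Zone names (trust, untrust), the outside interface address 198.51.100.1, the IPsec peer 192.0.2.10, the scanner 203.0.113.5 and all rule names are assumed; only zones, addresses and actions are modelled, so the application, service and user criteria a real PAN-OS rule also matches on are left out.

```python
"""First-match simulation of a PAN-OS security rulebase.

Added example for this thread, not code from Palo Alto Networks or from any
poster. Zone names, the addresses (documentation ranges) and rule names are
assumed for illustration. Only zones, addresses and action are modelled.
"""
import ipaddress

# Approximation of the two predefined rules PAN-OS evaluates after all user rules.
DEFAULT_RULES = [
    {"name": "intrazone-default", "from": "any", "to": "SAME_ZONE",
     "src": "any", "dst": "any", "action": "allow"},
    {"name": "interzone-default", "from": "any", "to": "OTHER_ZONE",
     "src": "any", "dst": "any", "action": "deny"},
]


def _zone_match(rule, src_zone, dst_zone):
    if rule["to"] == "SAME_ZONE":
        return src_zone == dst_zone
    if rule["to"] == "OTHER_ZONE":
        return src_zone != dst_zone
    return rule["from"] in ("any", src_zone) and rule["to"] in ("any", dst_zone)


def _addr_match(spec, ip):
    # spec is "any" or a list of host addresses / prefixes
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in spec)


def evaluate(rulebase, src_zone, dst_zone, src_ip, dst_ip):
    """Return (rule name, action) of the first rule that matches, top to bottom."""
    for rule in list(rulebase) + DEFAULT_RULES:
        if (_zone_match(rule, src_zone, dst_zone)
                and _addr_match(rule["src"], src_ip)
                and _addr_match(rule["dst"], dst_ip)):
            return rule["name"], rule["action"]
    raise RuntimeError("unreachable: a default rule always matches")


def make_rule(name, frm, to, action, src="any", dst="any"):
    return {"name": name, "from": frm, "to": to, "src": src, "dst": dst, "action": action}


ALLOW_OUTBOUND = make_rule("allow-outbound", "trust", "untrust", "allow")

# 1. Rulebase as the question describes it: nothing below the allow rules.
BASELINE = [ALLOW_OUTBOUND]

# 2. A drop-any-any rule as the last user rule, i.e. above the default rules.
DROP_ANY_LAST = [ALLOW_OUTBOUND, make_rule("drop-any-any", "any", "any", "drop")]

# 3. Panorama style: every allow is explicit (pre-rules), denies at the end (post-rules).
DENY_ALL_LAST = [
    ALLOW_OUTBOUND,
    make_rule("allow-lan-to-lan", "trust", "trust", "allow"),
    make_rule("drop-from-internet", "untrust", "any", "drop"),
    make_rule("reject-from-inside", "trust", "any", "reject"),
]

# 4. Zone-scoped drop: explicit allow for the IPsec peers, then untrust-to-untrust drop last.
UNTRUST_DROP_LAST = [
    ALLOW_OUTBOUND,
    make_rule("allow-ipsec-peers", "untrust", "untrust", "allow",
              src=["192.0.2.10"], dst=["198.51.100.1"]),
    make_rule("deny-untrust-to-untrust", "untrust", "untrust", "drop"),
]

# Constructed flows: (label, src zone, dst zone, src ip, dst ip)
FLOWS = [
    ("internet scanner -> outside interface", "untrust", "untrust", "203.0.113.5", "198.51.100.1"),
    ("IPsec peer -> outside interface", "untrust", "untrust", "192.0.2.10", "198.51.100.1"),
    ("LAN host -> LAN host", "trust", "trust", "10.0.0.5", "10.0.1.7"),
    ("LAN host -> internet", "trust", "untrust", "10.0.0.5", "203.0.113.80"),
    ("internet -> LAN host", "untrust", "trust", "203.0.113.5", "10.0.0.5"),
]


def report(rulebase):
    """Verdict of every constructed flow under one rulebase, keyed by flow label."""
    return {label: evaluate(rulebase, sz, dz, si, di) for label, sz, dz, si, di in FLOWS}


if __name__ == "__main__":
    for title, rb in [("baseline", BASELINE), ("drop-any-any last", DROP_ANY_LAST),
                      ("explicit deny last", DENY_ALL_LAST),
                      ("untrust-to-untrust drop last", UNTRUST_DROP_LAST)]:
        print(f"== {title}")
        for label, (name, action) in report(rb).items():
            print(f"  {label:40} {action:6} ({name})")
```

Running it prints each flow's verdict under each rulebase. The point it makes is that a deny rule only causes collateral damage when its zone pair is broader than the traffic you mean to drop: the any-any drop takes trust-to-trust with it, the explicit-deny approach works only because every needed flow (including LAN-to-LAN) has its own allow above the denies, and the untrust-to-untrust drop leaves trust-to-trust on the intrazone-default allow. In all variants the IPsec peer allow has to sit above the drop, because first match wins.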
L7 Applicator

Re: Intrazone-default rule

Hmmm... not sure if I am reading your thread correctly, but the intrazone-default policy will not allow traffic from zone outside to zone inside.

But of course... I have read it so many times... I may have confused myself.

L5 Sessionator

Re: Intrazone-default rule

@MickBall ,

I am talking about the intrazone rule, which allows traffic between the same zone, like outside to outside, but not outside to inside.

@JoergSchuetter Intrazone-default will not allow traffic from the outside to the inside zone, for sure.

Mayur

Mayur Sutare