Intrazone Rules

L4 Transporter

Intrazone Rules

Hey guys,

I took over a Palo Alto Firewall and I noticed that there is a intrazone allow rule at the end for every single internal zone.

So source zone: internal zone xy

source address: any

destination zone: internal zone xy

dest address: any

application: any

Action: allow


these intrazone allow rules are placed before the intrazone default deny rule.


What do I need these intrazone allow rules for?

Tags (1)
L7 Applicator

this may be legacy or possibly for logging reasons, or maybe a few zones are excempt from the intrazone policies ?

the default setting for the implied intrazonme policy at the endis to allow, so if yours is a deny, the previous admin changed that



The intrazone policy is used for any 'zoneX to zoneX' traffic, this could be traffic bouncing off an interface (lan1 to lan2 with a router in between) or ping/mgmt connections to the interface, proxyDNS connections, or multiple interfaces sharing a zone


you can also combine all the zones in one intrazone policy as the 'type' of intrazone will prevent bleeding


check out this blurb: What’s this security policy ‘type’ thing anyway?


Tom Piens -
Like my answer? check out my book!
Cyber Elite

I've seen other admins do this for logging purposes instead of modifying the default rules to log; talking to them some found this easier and others didn't know that you could modify the default rules at all. Maybe your old admin had them for the same reason? 

L4 Transporter

@BPry @reaper

I see you can designate security policies as intrazone, can this be used to block traffic from one specific server in one subnet to another server in another subnet but the same zones? 

Cyber Elite


So this really depends on the network and how it's actually setup. If the firewall sees the traffic, then you can interact with it exactly the same as you would a normal security policy. 

Keep in mind however that if these aggregate on something such as a core/aggregation switch, you may not actually see the traffic pass on the firewall. 

L4 Transporter


Well I did a ping and a trace route to the server on the same security zone but different subnets and the trace route showed one hop and it was to the server I don't want it to get to and the ping also reached it. When I look in the traffic logs I don't see any traffic going across the firewall. I think some thing are aggregated and from what I read the type of rule we are using is a universal rule so that should cover all types of rules including interzone and intrazone so changing it to intrazone would make no difference. Anyway you can block traffic that the PA does not see

Cyber Elite


I'd first verify that you are logging the intrazone-default policy, as by default these aren't set to log anything. However if you aren't seeing the traffic you would have to block this at the switch level, as that's where the traffic would be processing. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!