This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Looking for some rule guidance

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Looking for some rule guidance

John_Braswell
L1 Bithead

‎08-30-2017 10:54 AM

Hello all,

 

I'm trying to get some access restricted to a few subnets that fall into our /16 range that we currently have in our Palo. The way it would look is we would have 2 subnets smack in the middle of the /16 that we only want to allow access to a handful of hosts in that subnet, yet block everything else in that range. To explain it clearer, we currently have access from our DC servers to all the subnets contained within a superset of 192.168.0.0/16. That means the DC's can get to all hosts behind this range and do what they need to. It's been determined that a couple of /24's need to have access restricted to them, say the 192.168.2.0/24, and 192.168.100.0/24 range, allowing the DC's to access a few hosts in those ranges excluding the remainder of hosts in 192.168.2.0, and 192.168.100.0. Everything else would remain the same. The way I've figured to do it is to clone the rule and do some subnetting that allows that same access, but carves around the 192.168.2.0, and 192.168.100.0 subnets, except those hosts in those ranges. Would that be how you guys tackle that, or is there a cleaner way to do it that I'm not thinking of? Any guidance is appreciated, thank you!

0 Likes Likes
3 REPLIES 3

BPry
Cyber Elite
Cyber Elite

‎08-30-2017 11:00 AM

@John_Braswell,

Before we start looking at the rule are you even sure it'll work and would actually traverse the firewall. Depending on your larger network configuration this may not function regardless of what security policies you make. 

0 Likes Likes

John_Braswell
L1 Bithead
In response to BPry

‎08-30-2017 11:07 AM

Yes, I'm sure it would. The firewall is the gateway for the DC's and they reach out to other subnets, the /16 is subnetted into several dozen networks, all in different security zones and even across different geographical locations. As far as working, it *should*, but I'm not certain it will.

0 Likes Likes

John_Braswell
L1 Bithead
In response to John_Braswell

‎08-30-2017 11:55 AM

And the answer was right in my face. The subnets I need to exclude are in the same security zone, so I can make a rule the specifically says talk to these hosts in that zone, then a general rule that calls all of my other zones, without the zone in the previous rule, and that should kill the unwanted access. Sometimes it helps to just talkit out. Thanks everybody!!

0 Likes Likes
  • 2331 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks