Looking for some rule guidance

L1 Bithead

Hello all,

I'm trying to get some access restricted to a few subnets that fall into our /16 range that we currently have in our Palo. The way it would look is we would have 2 subnets smack in the middle of the /16 that we only want to allow access to a handful of hosts in that subnet, yet block everything else in that range. To explain it clearer, we currently have access from our DC servers to all the subnets contained within a superset of 192.168.0.0/16. That means the DCs can get to all hosts behind this range and do what they need to. It's been determined that a couple of /24s need to have access restricted to them, say the 192.168.2.0/24 and 192.168.100.0/24 ranges, allowing the DCs to access a few hosts in those ranges while excluding the remainder of hosts in 192.168.2.0 and 192.168.100.0. Everything else would remain the same. The way I've figured to do it is to clone the rule and do some subnetting that allows that same access, but carves around the 192.168.2.0 and 192.168.100.0 subnets, except those hosts in those ranges. Would that be how you guys tackle that, or is there a cleaner way to do it that I'm not thinking of? Any guidance is appreciated, thank you!

3 replies

Cyber Elite

@John_Braswell,

Before we start looking at the rule, are you even sure it'll work and would actually traverse the firewall? Depending on your larger network configuration this may not function regardless of what security policies you make.

Yes, I'm sure it would. The firewall is the gateway for the DCs and they reach out to other subnets; the /16 is subnetted into several dozen networks, all in different security zones and even across different geographical locations. As far as working, it *should*, but I'm not certain it will.

And the answer was right in my face. The subnets I need to exclude are in the same security zone, so I can make a rule that specifically says talk to these hosts in that zone, then a general rule that calls all of my other zones, without the zone in the previous rule, and that should kill the unwanted access. Sometimes it helps to just talk it out. Thanks everybody!!
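The two approaches discussed in this thread (carving the /16 into CIDR blocks around the restricted /24s, and ordering a host-specific allow ahead of a broader allow) can be checked offline before touching the firewall. The Python below is an added example, not code from the thread or from Palo Alto Networks; the host addresses are constructed, and the final zone-based rule is modelled here with destination address lists rather than zones, since the evaluator has no zone concept.

```python
import ipaddress

SUPERNET = ipaddress.ip_network("192.168.0.0/16")
# The two /24s the thread wants restricted, plus constructed example hosts
# in those ranges that the DCs are still allowed to reach.
RESTRICTED = [ipaddress.ip_network("192.168.2.0/24"),
              ipaddress.ip_network("192.168.100.0/24")]
ALLOWED_HOSTS = [ipaddress.ip_network("192.168.2.10/32"),
                 ipaddress.ip_network("192.168.100.25/32")]


def carve_out(supernet, excluded):
    """Return the minimal list of CIDR blocks covering `supernet` minus
    every network in `excluded` (the 'clone the rule and subnet around
    them' approach from the original post)."""
    remaining = [supernet]
    for ex in excluded:
        next_remaining = []
        for net in remaining:
            if ex.subnet_of(net):
                # address_exclude yields the blocks left after removing ex
                next_remaining.extend(net.address_exclude(ex))
            else:
                next_remaining.append(net)
        remaining = next_remaining
    return sorted(remaining)


def build_policy():
    """Ordered first-match rules as (name, destination networks, action):
    the host-specific allow first, then the carved-out general allow,
    then an explicit deny for the rest of the restricted /24s."""
    return [
        ("dc-to-restricted-hosts", ALLOWED_HOSTS, "allow"),
        ("dc-to-rest-of-16", carve_out(SUPERNET, RESTRICTED), "allow"),
        ("deny-restricted", RESTRICTED, "deny"),
    ]


def evaluate(policy, dst):
    """Return (rule name, action) of the first rule whose destination
    list contains `dst`; anything unmatched falls to an implicit deny."""
    addr = ipaddress.ip_address(dst)
    for name, dsts, action in policy:
        if any(addr in d for d in dsts):
            return name, action
    return "implicit-deny", "deny"
```

Run `carve_out` on your own address objects to see how many destination entries the cloned rule would need; the count grows quickly with each excluded block, which is why the zone-based split the thread settled on is tidier.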
