multiple interfaces in a Zone

L2 Linker

All

I only set up Vwire and Zone. Each zone has one interface. We have a few (5) zones. For example:

zone1=interface1

zone2=interface2, etc

So when a user starts an FTP session, it will pass two zones, Z1-Z2--->Z3-Z4---->ftp.sample.com, so we see two sessions for the same connection. Two sessions will be contributed to the connection tables. PA will inspect twice. Is there a better way to configure PA?

Can we put more than 1 interface in a Zone?

Zone 4=interface 2

Zone 1=interface 1,5,7

This may help with double sessions, but I am not sure if there is a production deployment in a real network.


Accepted Solutions
L6 Presenter

Re: multiple interfaces in a Zone

How do you mean that you see two sessions?

FTP always uses two sessions, one for the cmd-channel and one for the data-channel (where listing a directory content is part of the data-channel).

But to answer your question, yes it should be possible to have multiple interfaces in the same zone. A zone is nothing more than a mapping between the security policy itself and the physical interface(s).


All Replies

L4 Transporter

Re: multiple interfaces in a Zone

Yes, multiple interfaces in a Zone are completely fine and will solve the multiple session issue you are seeing.  Many customers do this today, even in Vwire mode.

Cheers,

Kelly

L2 Linker

Re: multiple interfaces in a Zone

Thank you for the help. Two sessions means two Session IDs due to traffic passing the PA device twice.

L2 Linker

Re: multiple interfaces in a Zone

Thank you, Kelly. Is there a guide (not the admin guide) to configure multiple interfaces in a zone? For example, zone 1 = ingress interface and zone 2 = egress interface, or it can be mixed. Traffic from WAN X enters interface 1 and exits interface 2 (WAN Y will be interface 5, 6) and then enters interface 3 and exits interface 4 before it gets on the internet. Can I set up my zone:

Zone in=interface 1 and 5

Zone out=interface 4

so that FTP (e.g.) entering interface 1 and 5 and exiting interface 4 will have only one session? On the other hand, I do not see anything wrong with two sessions per application, but the firewall may be overloaded due to double inspection. I asked support some questions. I was told they need to talk with the team to get back to me.

Daniel
