05-10-2013 12:24 PM
All
I only set up vwire and zones; each zone has one interface. We have a few (5) zones. For example:
zone1 = interface1
zone2 = interface2, etc.
So when a user starts an FTP session, it passes through two zone pairs, Z1-Z2 ---> Z3-Z4 ----> ftp.sample.com, so we see two sessions for the same connection. Both sessions are added to the connection table, and the PA inspects the traffic twice. Is there a better way to configure the PA?
Can we put more than one interface in a zone?
Zone 4 = interface 2
Zone 1 = interface 1, 5, 7
This may help with the double sessions, but I am not sure whether there is a production deployment of this in a real network.
05-10-2013 09:09 PM
What do you mean when you say you see two sessions?
FTP always uses two sessions: one for the command channel and one for the data channel (listing a directory's contents is part of the data channel).
But to answer your question: yes, it should be possible to have multiple interfaces in the same zone. A zone is nothing more than a mapping between the security policy itself and the physical interface(s).
05-10-2013 10:59 PM
Yes, multiple interfaces in a zone are completely fine and will solve the multiple-session issue you are seeing. Many customers do this today, even in vwire mode.
Cheers,
Kelly
05-13-2013 09:20 AM
Thank you for the help. By two sessions I mean two session IDs, because the traffic passes through the PA device twice.
05-13-2013 09:29 AM
Thank you, Kelly. Is there a guide (not the admin guide) for configuring multiple interfaces in a zone? For example, zone 1 = ingress interface and zone 2 = egress interface, or can they be mixed? Traffic from WAN X enters interface 1 and exits interface 2 (WAN Y will use interfaces 5 and 6), then enters interface 3 and exits interface 4 before it gets onto the internet. Can I set up my zones as
Zone in = interfaces 1 and 5
Zone out = interface 4
so that FTP (for example) entering on interface 1 or 5 and exiting on interface 4 will have only one session? On the other hand, I do not see anything wrong with two sessions per application, but the firewall may be overloaded due to the double inspection. I asked support some questions; I was told they need to talk with the team and get back to me.
Daniel
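The layout Daniel describes (three vwire pairs, with the two WAN-facing ingress interfaces sharing one zone) can be expressed in PAN-OS configure-mode CLI as follows. This is an added example, not configuration from the thread or from Palo Alto Networks; the interface numbers, vwire names, zone names and rule name are assumptions chosen to match the numbering in the posts above. Every vwire interface must still belong to some zone, so the "exit" interfaces of the first hop (1/2 and 1/6) and the ingress of the second hop (1/3) get zones too:

```text
# PAN-OS configure-mode CLI (added example; names are assumptions)
configure

# Put each of the six interfaces into virtual-wire mode
set network interface ethernet ethernet1/1 virtual-wire
set network interface ethernet ethernet1/2 virtual-wire
set network interface ethernet ethernet1/3 virtual-wire
set network interface ethernet ethernet1/4 virtual-wire
set network interface ethernet ethernet1/5 virtual-wire
set network interface ethernet ethernet1/6 virtual-wire

# Three vwire pairs: WAN X (1/1 <-> 1/2), WAN Y (1/5 <-> 1/6),
# and the second hop toward the internet (1/3 <-> 1/4)
set network virtual-wire vw-wanX interface1 ethernet1/1 interface2 ethernet1/2
set network virtual-wire vw-wanY interface1 ethernet1/5 interface2 ethernet1/6
set network virtual-wire vw-inet interface1 ethernet1/3 interface2 ethernet1/4

# Zones: a zone may hold several interfaces, here both WAN ingress ports
set zone wan-in  network virtual-wire [ ethernet1/1 ethernet1/5 ]
set zone wan-out network virtual-wire [ ethernet1/2 ethernet1/6 ]
set zone inet-in  network virtual-wire ethernet1/3
set zone inet-out network virtual-wire ethernet1/4

# One rule per hop; with app-id the ftp data channel is matched
# to the same "ftp" application as the control channel
set rulebase security rules allow-ftp-hop1 from wan-in to wan-out source any destination any application ftp service application-default action allow log-end yes
set rulebase security rules allow-ftp-hop2 from inet-in to inet-out source any destination any application ftp service application-default action allow log-end yes

commit
exit

# Verification from operational mode after an FTP transfer
show interface all
show session all filter application ftp
show session id <id-from-previous-output>
```

Two practical caveats: the `show session all` output is the place to check the claim in the thread, because the session count reflects how many times a flow is forwarded through the dataplane (once per vwire pair it crosses), while zone membership only changes which security rules and zone protection profiles apply to it; and because FTP opens a separate data connection, expect at least two sessions per transfer on each hop even when app-id ties them to the same application.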