Policies with any zone in source and destination

Reply
Highlighted
L1 Bithead

Policies with any zone in source and destination

While migrating from checkpoint to Palo Alto after defining zones and interface.

Can I simply use any in source and destination zone and create policies with specific objects in source/destination address.

Will it work, for replicating same policies while migrating from checkpoint to Palo Alto.

Highlighted
L3 Networker

You can do that, however I would recommend scoping the policies down as much as you can. We also migrated from CP and ended up with some pretty silly policies that had to be tuned. each column in the policy is going to strengthen your security stance so the more the merrier I say!

 

instead of using any any in the zones I would recommend putting each zone that needs that traffic in there, this will also prevent you from unintentionally allowing any zones that are added later you may not want to allow for said policies. 

Highlighted
Cyber Elite

@Vikram511,

I'm a huge fan of actually never using 'any' for a zone in the rulebase. That can cause issues down the road as you expand your use of zones and grant unknown additional access that you probably didn't intend for. Best to always specify the zones individually. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!