Showing results for 
Show  only  | Search instead for 
Did you mean: 


L4 Transporter

Basic trust to untrust policy I see internal address sending snmp to addresses like, 192.168.1.x.


Do people create a policy to block internal traffic going to RFC1918 on the untrusted interface?


Cyber Elite
Cyber Elite

I usually block trust to untrust RFC1918.

Although ISP routers drop it anyway I like to keep it clean.

It is really common for many applications like Skype for example to scan internal ranges for peers.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L1 Bithead

Do you have the one line policy.


Trust to untrust  ( the builtin PAN addresses appear confusing.


TrRUST or INSIDE zones



  •  (10/8 prefix)
  •  (172.16/12 prefix)
  • (192.168/16 prefix)

Action Block/deny

This is  the first policy I believe

Cyber Elite
Cyber Elite


If you follow a DENY ALL allow by exception methodology, just put a DENY ALL policy at the bottom of the Security Policies. This way only traffic that you 'allow' is allowed to go between zones, etc.



  • 3 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!