This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

security policy between layer 2 zones

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

security policy between layer 2 zones

Go to solution
LionKin1984
L1 Bithead

‎12-10-2019 07:21 AM

Hi, I am new to Palo Alto, so this might be a dumb question, below is the setup I have been trying to get it to work -

  1. two layer2 zones; Zone1 and Zone2
  2. three PCs, PC1; PC2 and PC3
  3. PC1 in Zone1
  4. PC2 and PC3 are in Zone2
  5. all three PCs are on the same subnet

question: I am trying to create a security policy to only allow PC1 to talk to PC2, and deny everything else

 

is it doable? 

 

Thanks

 

1 accepted solution

Accepted Solutions

Go to solution
SCantwell_IM
Cyber Elite
Cyber Elite
In response to LionKin1984

‎12-12-2019 01:19 PM

Hello.

 

Making progress though right?  😛  Not really.

I think I realized that I isolated you now, with vlan10 and vlan20 not being able forward arp/broadcast traffic.

 

So... back to original idea of 2 ports in a single L2 vlan on the FW.

 

So if PC1 is on port1 and PC2 is on port2 (both ports in same vlan on FW) then the following should happen.

 

PC1 attempts to ping PC2.

Not knowing his L2 mac address, he will arp out (broadcast)

Traffic ingress switch, egresses out the trunk port.

Aggregation switch should fwd (untagged tag) packet to port1 of FW.

FW will/should allow broadcast to go out port2 and reverse down trunk to PC2.

 

Once arp resolution is determined, then security policy should be something like like

 

SZ (fw_vlan) SA (PC1) ==> to DZ (fw_vlan) DA (PC2) ==> app of ping ==> application-default a ==> ALLOW

next rule is

SZ (fw_vlan) SA (PC1) ==> to DZ (fw_vlan) DA (ANY) ==> ANY ==> ANY  ==> DENY

 

If you missed this rule, then the intrazone rule is what you hit and allowed you  to ping PC3

 

 

This may be exactly what you had (and I would apologize for going down a rabbit hole... 😛

 

You would need to look at your traffic log to see/confirm that the traffic from PC1 is hitting PC2 and also confirm.if traffic is passing and then denying for PC1 to PC3 traffic.

 

Let us know. 

 

 

Help the community: Like helpful comments and mark solutions

View solution in original post

6 REPLIES 6

Go to solution
SCantwell_IM
Cyber Elite
Cyber Elite

‎12-10-2019 08:23 AM

Not a dumb question at all... let's review some info, and set expectations.

 

PC1 is in Zone1.

PC2 is in Zone2

 

You did not mention at what layer (VWire, Layer2, or Layer3 interface) you are doing your routing (if any)

 

If all PCs are plugged into a switch (downstream from FW), then the switch will intercept the arps and the FW will not be an inspection point.

 

You can plug PC1 physically into a port assigned to Zone1 (and do the same for PC2, assigned to Zone2) and now, the firewall would inspect traffic between both PCs.

 

Ideally... PC1 in Zone1, should be a different subnet than PC2/PC3, so that the FW is the default gateway (at L3) to route and inspect/allow traffic to PC2 and deny traffic to PC3.

 

To summarize, the FW must see the traffic ingressing to the Zone1. 

Help the community: Like helpful comments and mark solutions
0 Likes Likes

Go to solution
LionKin1984
L1 Bithead
In response to SCantwell_IM

‎12-11-2019 12:48 AM

Hi Steve, thanks for you reply, we cant change the IP addresses of the devices hence we have to use layer2 ...

 

There are two Cisco switches

Switch 1, where all PCs are connected to, two VLANs created on this switch: -

PC1 is in VLAN10
PC2 and PC3 are in VLAN20

Aggregation Switch

VLAN10 and VLAN20 are ‘Trunked’ to the aggregation switch.

Access ports are used to connect aggregation switch to the firewall

Two Layer 2 interfaces created on the firewall (one for VLAN10, one for VLAN20)

Two Layer 2 zones created on the firewall

One VLAN created on the firewall and both Layer 2 interfaces are in this VLAN

Security policy (universal) created and worked between two Layer 2 zones but everything can talk to everything between zones which is no what I want, I only want PC1 to talk to PC2 and deny everything else

ilayer 2 policy.png

Please find attach image for reference.

 

Thanks

Go to solution
SCantwell_IM
Cyber Elite
Cyber Elite
In response to LionKin1984

‎12-11-2019 10:53 AM

Hello

 

Your issue is that you created a single vlan on the FW, and associated both interfaces to that vlan.

The put the zones into the same vlan.

 

You should create 2 vlans on the FW and put vlan10 in PC1 zone, and vlan20 onto PC2

 

SteveCantwell_0-1576090398041.png

 

 

Help the community: Like helpful comments and mark solutions
0 Likes Likes

Go to solution
LionKin1984
L1 Bithead
In response to SCantwell_IM

‎12-12-2019 12:17 AM

Hi Steve, I have created two VLANs and a layer 2 security policy on the firewall, now they cant ping each other ... 

0 Likes Likes

Go to solution
SCantwell_IM
Cyber Elite
Cyber Elite
In response to LionKin1984

‎12-12-2019 01:19 PM

Hello.

 

Making progress though right?  😛  Not really.

I think I realized that I isolated you now, with vlan10 and vlan20 not being able forward arp/broadcast traffic.

 

So... back to original idea of 2 ports in a single L2 vlan on the FW.

 

So if PC1 is on port1 and PC2 is on port2 (both ports in same vlan on FW) then the following should happen.

 

PC1 attempts to ping PC2.

Not knowing his L2 mac address, he will arp out (broadcast)

Traffic ingress switch, egresses out the trunk port.

Aggregation switch should fwd (untagged tag) packet to port1 of FW.

FW will/should allow broadcast to go out port2 and reverse down trunk to PC2.

 

Once arp resolution is determined, then security policy should be something like like

 

SZ (fw_vlan) SA (PC1) ==> to DZ (fw_vlan) DA (PC2) ==> app of ping ==> application-default a ==> ALLOW

next rule is

SZ (fw_vlan) SA (PC1) ==> to DZ (fw_vlan) DA (ANY) ==> ANY ==> ANY  ==> DENY

 

If you missed this rule, then the intrazone rule is what you hit and allowed you  to ping PC3

 

 

This may be exactly what you had (and I would apologize for going down a rabbit hole... 😛

 

You would need to look at your traffic log to see/confirm that the traffic from PC1 is hitting PC2 and also confirm.if traffic is passing and then denying for PC1 to PC3 traffic.

 

Let us know. 

 

 

Help the community: Like helpful comments and mark solutions

Go to solution
LionKin1984
L1 Bithead
In response to SCantwell_IM

‎12-13-2019 12:55 AM

Thanks again for you reply Steve, that makes lot of sense.

 

with your help, i have managed to get it sorted, i created the rules as you suggested and also created three 'objects', however i messed up with the mask when creating the network object (instead of 10.10.10.1/32 I put it down as 10.10.10.1/24 (whole subnet...), school boy error I know)

 

Thanks

0 Likes Likes
  • 1 accepted solution
  • 5558 Views
  • 6 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks