Security Policy Exception

cancel
Showing results for 
Search instead for 
Did you mean: 

Security Policy Exception

L3 Networker

Has Palo Alto looked into the capability for security policies to be built using an exception based logic. For example:

 

Src: 10.0.0.0/8 (except) 10.100.0.0/24 Dst: ** App: ** etc.... This would then allow all 10. traffic except for the 10.100.0.0/24 subnet

 

This is a function available in Checkpoint and some other platforms that has been very helpful, especially in preventing our policies from being filled with random drop rules.

 

Thank you

1 ACCEPTED SOLUTION

Accepted Solutions

if your source zone consists of only 10.0.0.0/8, what you could do is put a source IP of 10.100.0.0/24 and check the negate option. that way the policy will only apply to IPs sourced from that zone that are NOT in the 10.100.0.0/24 range.

 

Capture.JPG

 

 

 

 

--
CCNA Security, PCNSE7

View solution in original post

2 REPLIES 2

L4 Transporter

I can't speak to what Palo Alto has considered, of course, but is this mostly just a convenience thing to prevent the creation of two firewalls rules?

 

i.e.

  1. Deny 10.100.0.0/24
  2. Allow 10.0.0.0/8

I'm sitting her smiling imagining having all of that in one rule and someone else looking at the logs and, based on how I've been naming things, scratching their head wondering why an IP in 10.100.0.0/24 is being denied by "Allow Internal Ranges to X Server".

if your source zone consists of only 10.0.0.0/8, what you could do is put a source IP of 10.100.0.0/24 and check the negate option. that way the policy will only apply to IPs sourced from that zone that are NOT in the 10.100.0.0/24 range.

 

Capture.JPG

 

 

 

 

--
CCNA Security, PCNSE7

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!