Shared Policy Zone Check


L2 Linker

The Shared Policy option in Panorama is most useful; however, I have found an issue with it which I think could be resolved in one of two ways. What I need to know is: do either of these two ways exist?

Scenario

When using the Panorama Shared Policy to push single policy to three different FW layers I need to include the Source and Destination Zone of all three firewalls.

Below is an example of a single policy with the necessary source and destination zones. The firewall column is for reference only.

Policy 1

Firewall     Source Zone   Destination Zone
Core         Inside        Outside
Perimeter    Trust         RemoteVPN
Remote       HQVPN         Internal

Issue

When pushing the above policy I get commit errors on all 3 firewalls for 4 of the zones not being recognised.

As one of the FWs is a 5050 with 70 zones configured and one is a 3020 with a zone limit of 40, how can I remove this check or get Panorama to only push the zones that exist on the FW?

Solution

1. Is there an option to turn off the zone policy check on the FW?

2. Is there an option like Share Unused Address and Service Objects with Devices that I can check or uncheck, so that before sending the policy Panorama will check to see if the zone exists and, if not, remove the zone from the policy push?

I appreciate your input and any comments/workarounds from SEs as to whether there are existing FRs for this issue.

3 REPLIES

L4 Transporter

Hello CHammock

Have you tried to use the Target field in each security rule? In this field we only select those firewalls where the change is destined, so that we are specifically making some changes to certain firewalls and some other changes to another set of devices, and there are no commit errors for unknown zones.

Thanks

To clarify, the example above is a single policy with three source zones and three destination zones pushed to three firewalls.

I want this policy to push to all three firewalls; I need it to exist on all three firewalls as traffic will traverse all three firewalls. My issue is that the zones I define in the policy need to exist before it will commit to the FWs. What I need is a way of either switching off the zone check during the commit process, or something whereby Panorama only pushes the zone names that exist on each firewall.

To try and clarify the topology:

If I want to get traffic from the Inside of the Core FW to the Internal of the Remote FW, the traffic flow will be:

1. Inside of the Core FW to Outside of the Core FW

2. Trust of the Perimeter FW to RemoteVPN of the Perimeter FW

3. HQVPN of the Remote FW to Internal of the Remote FW

This could be covered by a single shared policy as below; obviously I have omitted IPs, services and apps to avoid confusion.

Policy 1

Source Zone   Destination Zone
Inside        Outside
Trust         RemoteVPN
HQVPN         Internal

I see that all the zones are defined in a single rule and this single rule is planned to be pushed to all firewalls.

At present this is not possible, for the reason that the firewall expects a zone to be added only if it is defined locally; otherwise it gets commit errors.

Out of the 2 solutions provided by you:

1. Is there an option to turn off the zone policy check on the FW?

   A. I think this is not feasible, as zones play a major role in deciding traffic flow and action, so zones will be checked.

2. Is there an option like Share Unused Address and Service Objects with Devices that I can check or uncheck, so that before sending the policy Panorama will check to see if the zone exists and, if not, remove the zone from the policy push?

   A. This option seems interesting, where Panorama checks to see if the end firewall does not have the configured zones and removes them locally on Panorama, or maybe the feature can be checked locally at the firewall.

For this we can approach the SE for a feature request. That would be the best bet.

Thanks
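The check the thread asks Panorama for (option 2: look up which of a shared rule's zones exist on each target firewall and drop the rest before the push) can be modelled locally. The script below is an added example, not Panorama or PAN-OS code and not something either poster provided; the firewall names, zone inventories and the rule are constructed sample data that mirror the topology above, plus one extra constructed firewall ("Branch") that has none of the rule's zones, to show the empty case. It reports the zones the commit would reject on each device and builds a per-device rule variant that keeps only the zones that exist there.

```python
"""Pre-commit zone check for a shared security rule (added example, not Panorama code).

Models the behaviour requested in the thread: before pushing a shared rule,
compare its source/destination zones with the zones configured on each target
firewall, list the zones the device would reject at commit time, and derive a
per-device variant of the rule restricted to zones that actually exist there.
All firewall names, zone inventories and the rule are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """A security rule reduced to the fields relevant to the zone check."""
    name: str
    source_zones: frozenset
    destination_zones: frozenset


# Constructed inventory: zones configured locally on each firewall.
# Core/Perimeter/Remote follow the thread's topology; Branch is an extra
# constructed device that defines none of the rule's zones.
FIREWALL_ZONES = {
    "Core":      frozenset({"Inside", "Outside", "DMZ"}),
    "Perimeter": frozenset({"Trust", "Untrust", "RemoteVPN"}),
    "Remote":    frozenset({"HQVPN", "Internal"}),
    "Branch":    frozenset({"LAN", "WAN"}),
}

# The single shared rule from the thread: three source and three destination zones.
SHARED_RULE = Rule(
    name="Policy 1",
    source_zones=frozenset({"Inside", "Trust", "HQVPN"}),
    destination_zones=frozenset({"Outside", "RemoteVPN", "Internal"}),
)


def missing_zones(rule, configured):
    """Zones referenced by the rule that the device does not define.

    These are exactly the zones a firewall rejects at commit time, because a
    rule may only reference zones that exist in the local configuration.
    """
    referenced = rule.source_zones | rule.destination_zones
    return sorted(referenced - configured)


def prune_rule(rule, configured):
    """Per-device variant keeping only the zones that exist on the device.

    Returns None when either side would become empty, i.e. the rule has no
    meaning on that device and should not be pushed there at all.
    """
    src = rule.source_zones & configured
    dst = rule.destination_zones & configured
    if not src or not dst:
        return None
    return Rule(rule.name, src, dst)


def plan_push(rule, inventory):
    """Map each firewall to (zones the commit would reject, pruned rule or None)."""
    return {
        fw: (missing_zones(rule, zones), prune_rule(rule, zones))
        for fw, zones in inventory.items()
    }


if __name__ == "__main__":
    for fw, (missing, pruned) in plan_push(SHARED_RULE, FIREWALL_ZONES).items():
        print(f"{fw}: would reject {missing or 'nothing'}")
        if pruned is None:
            print("    -> skip device, no usable zone pair remains")
        else:
            print(f"    -> push {sorted(pruned.source_zones)} -> "
                  f"{sorted(pruned.destination_zones)}")
```

Two things the output makes visible that the thread only implies. First, the pruned variants are narrower than the original rule: a rule listing three source and three destination zones matches every source/destination combination, so on a device that happened to define all six zones it would also permit pairs such as Inside to Internal that the three-hop flow never intended; one rule per device (or per hop) with a single zone pair is the tighter design. Second, a device where pruning leaves an empty side (Branch here) should be dropped from the push rather than receiving a rule with no zones, which is the kind of outcome the Target field in the first reply lets you express today.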
