05-18-2017 07:45 AM
If you enter a specific source zone but "any" for the source address, what traffic is really allowed? Does it only allow addresses that are listed in the specified zone, or is it truly any IP address?
05-18-2017 07:53 AM - edited 05-18-2017 08:10 AM
Zone => Palo interface(s) => any IP that the Palo sees coming into this interface(s) is allowed.
05-18-2017 08:49 AM
But you can limit the IP ranges inside the zone configuration, can't you?
05-18-2017 08:55 AM - edited 05-18-2017 08:57 AM
Sure, you can limit addresses based on a single IP address, address groups or subnets, etc.
05-18-2017 11:05 AM
So it would be any of the IP addresses assigned in the specific zone, not just any of all IPs.
05-18-2017 11:11 AM - edited 05-18-2017 11:18 AM
A good rule of thumb is to never use ANY as a source address unless you actually need to. For example, your Trust zone rules should at the very least be limited to IP addresses that you actually assign from that zone.
Also, to be clear, if you use ANY then it allows exactly that; you don't need to assign the IP to that zone for it to be allowed.
05-18-2017 11:39 AM - edited 05-18-2017 12:37 PM
As @BPry has mentioned already, any means from anywhere, even from a different subnet. A good example is DNAT. You allow any IP from the Internet to access your internal server. So in your policy, you configure ANY as a source IP going to the untrust zone. Let's say your untrust interface has the 92.16.0.1/24 IP address assigned. ANY means any IP addresses, even outside of this subnet, are allowed (e.g. 84.8.9.1, 74.8.6.1, etc.).
05-19-2017 12:26 PM
These rules were migrated over from an ASA 5510 before I even got here, and I agree the fewer the ANYs the better. But if you have a range of IPs addressed to the source zone, doesn't the "any" under IP addresses only mean any of the IPs configured on the zone?
05-19-2017 12:39 PM - edited 05-19-2017 12:55 PM
No, a zone is a logical area and you will have at least one interface in that zone. So you have one interface in the zone. That interface is connected to a router, then we have another router, and so on. Routers always interconnect networks (different networks/subnets). With the configuration "any", the firewall will allow any source IP coming into that interface, as I said earlier, even from outside of the interface subnet. If you have multiple interfaces within the same zone, any IP outside the zone. So the IP address does not necessarily need to be directly connected to the PA, but logically it will be in the same zone.
05-19-2017 12:58 PM
It also depends on your routing table.
So let's assume you have interface eth1/1 in zone "INTERNAL". All your internal networks are somewhere in 10.0.0.0/8 and are reachable through an internal router. To keep the routing easy, you have one route for the 10.0.0.0/8 network towards your router.
Now if somehow traffic from 192.168.100.100 arrives at your firewall on eth1/1 (zone INTERNAL), then this traffic is not allowed even if you have allowed "any" in the source address column and INTERNAL as the source zone in your security policy. This packet (and everything else which does not come from 10.0.0.0/8) will get dropped as an IP spoof attack.
05-20-2017 08:06 PM - edited 05-20-2017 08:07 PM
To be exact, IP spoof attacks are not detected by default, but only if zone protection is applied to the zone and the IP spoof checkbox is checked (it is best practice to have it configured).
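As an added illustration (not code from this thread or from Palo Alto Networks), the following Python model puts the last few replies side by side: a rule with source "any" matches every IP arriving in the source zone regardless of the zone's subnets, scoping the source to 10.0.0.0/8 closes that gap at the policy level, and the Zone Protection IP spoof check only drops the 192.168.100.100 packet once it is enabled. The interface names, zone names, routing table and rules are constructed for the example, and the spoof check is a simplified reverse-path model of the option, not the vendor's implementation.

```python
"""Toy model of a PAN-OS style security policy and the Zone Protection IP spoof check.

Constructed example: interfaces, zones, routes and rules are invented to mirror the
thread (eth1/1 in INTERNAL, one summary route for 10.0.0.0/8). The spoof check is a
simplified reverse-path lookup, not PAN-OS code.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    from_zone: str      # zone name or "any"
    source: tuple       # ("any",) or CIDR strings, e.g. ("10.0.0.0/8",)
    action: str         # "allow" or "deny"


@dataclass
class Firewall:
    zones: dict         # interface -> zone name
    routes: dict        # CIDR prefix -> egress interface (longest prefix wins)
    spoof_check: set    # zones with the Zone Protection "IP spoof" option enabled
    rules: list

    def egress_interface(self, ip):
        """Longest-prefix route lookup; returns the egress interface or None."""
        best = None
        for prefix, iface in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def evaluate(self, ingress_iface, src_ip):
        """Return (verdict, reason) for a packet with src_ip arriving on ingress_iface."""
        ip = ipaddress.ip_address(src_ip)
        zone = self.zones[ingress_iface]
        # Simplified spoof check: the route back to the source must leave through an
        # interface in the same zone the packet arrived on, otherwise drop before policy.
        if zone in self.spoof_check:
            back = self.egress_interface(ip)
            if back is None or self.zones.get(back) != zone:
                return ("drop", "ip-spoof")
        # First matching rule wins, top to bottom.
        for rule in self.rules:
            if rule.from_zone not in ("any", zone):
                continue
            if rule.source != ("any",) and not any(
                ip in ipaddress.ip_network(c) for c in rule.source
            ):
                continue
            return (rule.action, rule.name)
        return ("deny", "default-deny")  # simplification of the PAN-OS default rules


# Constructed topology: ethernet1/1 in INTERNAL with a summary route for 10.0.0.0/8
# towards the internal router; everything else routes out ethernet1/2 in UNTRUST.
ZONES = {"ethernet1/1": "INTERNAL", "ethernet1/2": "UNTRUST"}
ROUTES = {"10.0.0.0/8": "ethernet1/1", "0.0.0.0/0": "ethernet1/2"}
RULE_ANY = Rule("internal-out", "INTERNAL", ("any",), "allow")
RULE_SCOPED = Rule("internal-out", "INTERNAL", ("10.0.0.0/8",), "allow")


def verdicts(src_ip, ingress="ethernet1/1"):
    """Evaluate one source IP under the three configurations the thread compares."""
    return {
        "any, no spoof check": Firewall(ZONES, ROUTES, set(), [RULE_ANY]).evaluate(ingress, src_ip),
        "scoped, no spoof check": Firewall(ZONES, ROUTES, set(), [RULE_SCOPED]).evaluate(ingress, src_ip),
        "any, spoof check on": Firewall(ZONES, ROUTES, {"INTERNAL"}, [RULE_ANY]).evaluate(ingress, src_ip),
    }


if __name__ == "__main__":
    for ip in ("10.1.2.3", "192.168.100.100"):
        print(ip)
        for cfg, result in verdicts(ip).items():
            print(f"  {cfg:24s} -> {result}")
```

Running it shows 10.1.2.3 allowed in all three configurations, while 192.168.100.100 arriving on ethernet1/1 is allowed by the "any" rule, denied by the scoped rule, and dropped as ip-spoof only when the spoof check is enabled on INTERNAL; scoping source addresses and enabling zone protection are complementary controls, not substitutes.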