Source zone - source address

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Source zone - source address

L4 Transporter

If you enter a specific source zone but any for the source address what traffic is really allowed? Does is only allow addresses that are listed in the specified zone or is it truly any IP address?

11 REPLIES 11

L6 Presenter

Zone => Palo Interface (s) => any ip that Palo sees coming into this interface (s) is allowed.

but you can limited the IP ranges inside the zone configuration can't you

Sure you can limit address based on single ip address, address groups or subnets etc.

So it would be any of the IP addresses assigned in the specific Zone, not just any of all IP's

@jdprovine,

A good rule of thumb is to never use ANY as a source address unless you actually need to. For example your Trust zone rules should at the very least be limited to IP addresses that you actually assign from that zone.

Also to be clear, if you use ANY then it allows exactly that, you don't need to assign the IP to that zone for it to be allowed. 

as @BPry has mentioned already any means from anywhere, even from the different subnet. A good example is DNAT. You allow any ip from the lnternet to access your internal server. So in your policy,  you configuring ANY as a source ip going to untrust zone. Let's say your untrust interface has 92.16.0.1/24 ip address assigned. ANY means any ip addresses, even outside of this subnet are allowed (e.g 84.8.9.1, 74.8.6.1 etc).

these rules were migrated over from and ASA 5510 before I even got here, and I agree the fewer the any's the better.  But if you have a range of IP's addressed to the Source Zone, doesn't the any under IP addresses only mean any of the IP's configured on the Zone?

No, a zone is a logical area and you will have at least one interface in that zone. So you have one interface in the zone. That interface connected to the router, then we do have another router and so on. Routers always interconnect networks (different networks/subnets).  With configuration "any" firewall will allow any source ip coming into that interface, as l said earlier even from the outside of the interface subnet. If you have multiple interfaces withing the same zone, any ip outside the zone. So ip address not necessarily should be directly connected to the PA, but logically they will be in the same zone.

It also depends on your routing table.

 

So let's assume you have interface eth1/1 in zone "INTERNAL". All your internal networks are somewhere in 10.0.0.0/8 and are reachable through an internal router. To keep the routing easy you have one route for the 10.0.0.0/8 network towards your router.

Now if there somehow traffic from 192.168.100.100 arrives at your firewall on eth1/1 (Zone INTERNAL), then this traffic is not allowed even you have allowed "any" in the source address column and INTERNAL as source zone in your security policy. This packet (and everything else which does not come from 10.0.0.0/8) will get dropped as ip spoof attack.

To be exact IP spoof attack is not detected by default but only if zone protection is applied to the zone and ip spoof checkbox checked (it is best practice to have it configured).

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

@Raido_Rattameister : of course, you're absolutely right. Sometimes the "best practices" are more/(too much) "must" settings to me 😛
  • 4878 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!