Stupid question time........

L2 Linker

Let's say I have an object named "Pizza" with an ip of 10.10.10.10/32 and it is in use on a security rule.

I create another object named "Pizza1" with an ip of 0.10.10.10/32 and use it in a different security rule.

Could that create a problem with the first rule assuming different let's say destinations or APP-ID/Ports?



All Replies
Cyber Elite

@MrWonderful,

Nope. The objects are actually replaced in the configuration as far as the firewall is concerned. So your firewall doesn't read the configuration as "Pizza" is allowed to send DNS requests to 8.8.8.8, it actually replaces the object with the actual address so it looks at it as "10.10.10.10/32" is allowed to send DNS requests to 8.8.8.8.

L2 Linker

@BPry 

Sorry, I just saw I fat fingered my question:

Let's say I have an object named "Pizza" with an ip of 10.10.10.10/32 and it is in use on a security rule.

I create another object named "Pizza1" with an ip of 10.10.10.10/32 and use it in a different security rule.

So same IP, different name. How does the Palo handle this?

Cyber Elite

@MrWonderful

right, I kind of assumed that you had. Again, it doesn't matter. You could have 50 address objects with different names all assigned the same address, and the firewall won't care. When it compiles the configuration all of those objects simply get replaced with the address you have specified in the configuration.

So really as far as the firewall is concerned, anything that you've specified as Pizza is just going to be replaced with 10.10.10.10/32 and anything with Pizza1 is going to be replaced with whatever you've configured for that object. The fact that you have multiple objects mapped to the same value doesn't affect that process at all.

L2 Linker

@BPry Just so I understand you correctly, the Palo basically treats each object individually within each rule set.

So that Pizza with a 10.10.10.10/32 in rule number one doesn't get confused with Pizza1 with a 10.10.10.10/32 in rule number two and wouldn't get confused with Pizza2 with a 10.10.10.10/32 in rule number three and so on, correct?

Cyber Elite

@MrWonderful,

Correct. The firewall will simply replace the object with its configured value. The fact that you have multiple objects with the same configured value has no effect on that.

L7 Applicator

@MrWonderful one nuance though in this specific line of questioning:

Bear in mind that the firewall will not distinguish between pizza and pizza1 when it comes down to matching security rules because both have the same IP address and this is the only thing the running configuration really cares about.

This means that in this specific case both pizza and pizza1 will be hitting the same rules, even though only 1 of them may be listed in the rule.

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
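To make the two points above concrete (objects are resolved to their addresses when the configuration is compiled, and rule matching then happens on addresses only, first match wins), here is an added example; it is not code from this thread or from Palo Alto Networks, and the address objects, rules and traffic are constructed. It is a simplified model of the described commit/match behaviour, not the PAN-OS implementation, and it also flags a rule that can never be hit because an earlier rule already covers the same resolved addresses and application.

```python
from ipaddress import ip_network, ip_address

# Constructed address objects: two names, one value (the "Pizza"/"Pizza1" case).
ADDRESS_OBJECTS = {
    "Pizza": "10.10.10.10/32",
    "Pizza1": "10.10.10.10/32",
    "DNS-Google": "8.8.8.8/32",
}

# Constructed security rules in evaluation order; each references objects by name.
RULES = [
    {"name": "rule1", "src": ["Pizza"],  "dst": ["DNS-Google"], "app": "dns",          "action": "allow"},
    {"name": "rule2", "src": ["Pizza1"], "dst": ["DNS-Google"], "app": "dns",          "action": "deny"},
    {"name": "rule3", "src": ["Pizza1"], "dst": ["any"],        "app": "web-browsing", "action": "allow"},
]

def compile_rules(rules, objects):
    """Mimic the commit step: every object name is replaced by its prefix."""
    def resolve(names):
        return [None if n == "any" else ip_network(objects[n]) for n in names]
    return [dict(r, src=resolve(r["src"]), dst=resolve(r["dst"])) for r in rules]

def _contains(nets, addr):
    # None stands for "any"; otherwise the address must fall inside one of the prefixes.
    return any(n is None or ip_address(addr) in n for n in nets)

def match(compiled, src, dst, app):
    """First-match evaluation on the compiled rulebase; returns the matching rule name or None."""
    for r in compiled:
        if _contains(r["src"], src) and _contains(r["dst"], dst) and r["app"] in (app, "any"):
            return r["name"]
    return None

def shadowed_rules(compiled):
    """Return (rule, earlier_rule) pairs whose resolved src/dst/app are identical.

    The later rule can never match: the object names differed, the addresses did not.
    """
    seen, shadowed = {}, []
    for r in compiled:
        key = (tuple(map(str, r["src"])), tuple(map(str, r["dst"])), r["app"])
        if key in seen:
            shadowed.append((r["name"], seen[key]))
        else:
            seen[key] = r["name"]
    return shadowed

if __name__ == "__main__":
    compiled = compile_rules(RULES, ADDRESS_OBJECTS)
    print(match(compiled, "10.10.10.10", "8.8.8.8", "dns"))   # rule1, even though rule2 names Pizza1
    print(shadowed_rules(compiled))                           # [('rule2', 'rule1')]
```

The deny in rule2 is never reached for DNS from 10.10.10.10, which is exactly the nuance Tom describes: the rulebase sees one address, not two objects, so a "second" object with the same value cannot carve out a different outcome on its own.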