
Stupid question time........


L2 Linker

Let's say I have an object named "Pizza" with an ip of 10.10.10.10/32 and it is in use on a security rule.

I create another object named "Pizza1" with an ip of 0.10.10.10/32 and use it in a different security rule.

 

Could that create a problem with the first rule assuming different let's say destinations or APP-ID/Ports?


6 REPLIES

Cyber Elite

@MrWonderful,

Nope. The objects are actually replaced in the configuration as far as the firewall is concerned. So your firewall doesn't read the configuration as "Pizza" is allowed to send DNS requests to 8.8.8.8; it actually replaces the object with the actual address, so it looks at it as "10.10.10.10/32" is allowed to send DNS requests to 8.8.8.8.

@BPry 

Sorry, I just saw I fat fingered my question:

Let's say I have an object named "Pizza" with an ip of 10.10.10.10/32 and it is in use on a security rule.

I create another object named "Pizza1" with an ip of 10.10.10.10/32 and use it in a different security rule.

 

So same IP, different name. How does the Palo handle this?

@MrWonderful 

Right, I kind of assumed that you had. Again, it doesn't matter. You could have 50 address objects with different names all assigned the same address, and the firewall won't care. When it compiles the configuration all of those objects simply get replaced with the address you have specified in the configuration.

So really, as far as the firewall is concerned, anything that you've specified as Pizza is just going to be replaced with 10.10.10.10/32 and anything with Pizza1 is going to be replaced with whatever you've configured for that object. The fact that you have multiple objects mapped to the same value doesn't affect that process at all.

@BPry Just so I understand you correctly, the Palo basically treats each object individually within each rule set.

 

So that Pizza with a 10.10.10.10/32 in rule number one doesn't get confused with Pizza1 with a 10.10.10.10/32 in rule number two and wouldn't get confused with Pizza2 with a 10.10.10.10/32 in rule number three and so on, correct?

@MrWonderful,

Correct. The firewall will simply replace the object with its configured value. The fact that you have multiple objects with the same configured value has no effect on that.

@MrWonderful, one nuance though in this specific line of questioning:

Bear in mind that the firewall will not distinguish between pizza and pizza1 when it comes down to matching security rules because both have the same IP address and this is the only thing the running configuration really cares about.

This means that in this specific case both pizza and pizza1 will be hitting the same rules, even though only 1 of them may be listed in the rule.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
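To make the behaviour described in this thread concrete, here is an added toy model (not code from the thread, and not PAN-OS code): address objects are resolved to networks before evaluation, a first-match lookup then shows traffic from the Pizza1 host hitting rule1 even though only Pizza is listed there, and a duplicate-value check flags objects that collapse to the same address. All object names, rules and addresses are constructed for the example.

```python
import ipaddress

# Constructed sample configuration: address objects and security rules in
# evaluation order, with rules referencing objects by name.
ADDRESS_OBJECTS = {
    "Pizza":  "10.10.10.10/32",
    "Pizza1": "10.10.10.10/32",   # same value, different name
    "Pizza2": "10.10.10.10/32",
    "Web":    "192.0.2.0/24",
}

SECURITY_RULES = [
    {"name": "rule1", "src": ["Pizza"], "dst": ["any"], "app": "dns", "action": "allow"},
    {"name": "rule2", "src": ["Pizza1"], "dst": ["Web"], "app": "web-browsing", "action": "allow"},
    {"name": "deny-all", "src": ["any"], "dst": ["any"], "app": "any", "action": "deny"},
]


def compile_rules(objects, rules):
    """Replace object names with networks, the substitution the replies describe."""
    def resolve(names):
        return None if "any" in names else [ipaddress.ip_network(objects[n]) for n in names]
    return [{**r, "src": resolve(r["src"]), "dst": resolve(r["dst"])} for r in rules]


def match(compiled, src_ip, dst_ip, app):
    """First-match evaluation over compiled (name-free) rules; returns the rule name."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in compiled:
        if r["src"] is not None and not any(src in n for n in r["src"]):
            continue
        if r["dst"] is not None and not any(dst in n for n in r["dst"]):
            continue
        if r["app"] not in ("any", app):
            continue
        return r["name"]
    return None


def duplicate_value_objects(objects):
    """Config-hygiene check: address objects whose values resolve to the same network."""
    by_value = {}
    for name, value in objects.items():
        by_value.setdefault(ipaddress.ip_network(value), []).append(name)
    return {str(k): v for k, v in by_value.items() if len(v) > 1}


if __name__ == "__main__":
    compiled = compile_rules(ADDRESS_OBJECTS, SECURITY_RULES)
    # DNS from the "Pizza1" host matches rule1, which only names "Pizza".
    print(match(compiled, "10.10.10.10", "8.8.8.8", "dns"))
    print(duplicate_value_objects(ADDRESS_OBJECTS))
```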
  • 1 accepted solution
  • 4459 Views
  • 6 replies
  • 0 Likes