Zone for vpn

Zone for vpn

L4 Transporter

Hello,

We currently have three different zones defined.

Zone A: VLAN 100, for wired users.

Zone B: VLAN 200, for wireless users.

Zone V: tunnel/loopback interface, for GlobalProtect users.

All the above users are corp users.

Now the customer wants to create a single zone called "All users" and put VLAN 100, VLAN 200 and the loopback/tunnel interfaces into it.

Is it wise to use the same zone for GP users?

Is it doable? What are the challenges if we have a single common zone for user traffic (wired + wireless + GP users)?

5 REPLIES

L6 Presenter

@FWPalolearner wrote:

Hello,

We currently have three different zones defined.

Zone A: VLAN 100, for wired users.

Zone B: VLAN 200, for wireless users.

Zone V: tunnel/loopback interface, for GlobalProtect users.

All the above users are corp users.

Now the customer wants to create a single zone called "All users" and put VLAN 100, VLAN 200 and the loopback/tunnel interfaces into it.

Is it wise to use the same zone for GP users?

Is it doable? What are the challenges if we have a single common zone for user traffic (wired + wireless + GP users)?

In general, a good security practice would be to keep remote/VPN users in a separate security zone. There would be some mitigating factors for not doing so, like an "always-on" VPN, but to ensure the most visibility it would still be better to keep VPN users in a separate zone.

It's very doable to have all of them in the same zone. You just need to weigh the various reasons for keeping them separate. Functionally, what's the benefit of having wired and wireless users that are internal in separate zones? Are they a different user or business function? Personally I don't see the need to break out "on-prem" users into different zones, but there might be a logical reason to do so.

For a VPN user there's more of a logical reason to keep those users/devices in a separate zone, even if it's still a corporate-owned device.

Hello @Brandon_Wertz, thanks.

Wired and wireless are currently separate for historical reasons.

The customer's goal is to have a single zone for corp users no matter where they are coming from: wired, wireless or through GP.

I fully agree that having a separate zone for GP makes it more granular, but that's the customer's requirement.

So you mean it is doable to have all of them in the same zone, I mean VLAN sub-interfaces plus the loopback/tunnel interface?

Hello,

I agree with @Brandon_Wertz: keep it separate, that way you have more control as to who can do what. I would also keep the wired and wireless separate for the same reasons. Try to go with the smallest zero trust you can get away with. This will help prevent widespread lateral movement and still control who has access to what resources.

Regards,

@FWPalolearner wrote:

Hello @Brandon_Wertz, thanks.

Wired and wireless are currently separate for historical reasons.

The customer's goal is to have a single zone for corp users no matter where they are coming from: wired, wireless or through GP.

I fully agree that having a separate zone for GP makes it more granular, but that's the customer's requirement.

So you mean it is doable to have all of them in the same zone, I mean VLAN sub-interfaces plus the loopback/tunnel interface?

Yes, there's no technical limitation on having all of them in the same zone, as long as the interface types match the zone type. For instance, an L3 zone but an L2 interface type. (I'm fairly certain they need to match. I know you can't have a vwire interface in an L3 zone.)

@FWPalolearner,

You're doing the exact opposite of what anyone would recommend you do from a security aspect, but since you're saying customer and not internal to your org, the only thing you can do is advise the customer that it's not the best idea and explain the reasons why.

The only technical reason this wouldn't be doable is if you have to mix interface types, as @Brandon_Wertz mentioned. You can't have a zone contain mismatched interface types. Short of that, there's no technical reason you can't toss all of your interfaces into the same zone.

The one thing I would recommend if you do this is that you make sure intrazone-default, or any other intrazone rule you may have created, is set up to log properly. Without overriding that setting, the firewall won't be logging much, which could become a massive issue if you ever get called about the customer being breached.
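As an added example (not code from this thread or from Palo Alto Networks), here is a small Python audit over a constructed config export shaped like a PAN-OS running-config that flags the two points raised above: a zone that mixes tunnel/loopback with VLAN sub-interfaces, and an intrazone-default rule whose log-end has not been overridden. The XML element names, interface names and the "All users" zone are assumptions; check them against a real export before relying on the script.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a PAN-OS running-config export (assumption:
# element names follow the public XML schema; verify against a real export).
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<zone>
  <entry name="All users"><network><layer3><member>ethernet1/1.100</member>
    <member>ethernet1/1.200</member><member>tunnel.1</member><member>loopback.1</member>
  </layer3></network></entry>
  <entry name="untrust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
</zone>
<rulebase><default-security-rules><rules>
  <entry name="intrazone-default"><action>allow</action></entry>
  <entry name="interzone-default"><action>deny</action></entry>
</rules></default-security-rules></rulebase>
</entry></vsys></entry></devices></config>"""

VSYS = "./devices/entry/vsys/entry"

def zone_members(root):
    """Map zone name -> (network type, member interfaces)."""
    zones = {}
    for z in root.findall(f"{VSYS}/zone/entry"):
        network = z.find("network")
        if network is None:
            continue
        for net in list(network):  # layer3, layer2, virtual-wire or tap
            zones[z.get("name")] = (net.tag, [m.text for m in net.findall("member")])
    return zones

def mixes_remote_and_local(members):
    """True when VPN-facing (tunnel/loopback) and VLAN sub-interfaces share a zone."""
    remote = any(m.startswith(("tunnel", "loopback")) for m in members)
    local = any(m.startswith("ethernet") for m in members)
    return remote and local

def intrazone_logging_overridden(root):
    """intrazone-default allows without logging unless log-end is overridden to yes."""
    path = f"{VSYS}/rulebase/default-security-rules/rules/entry[@name='intrazone-default']"
    rule = root.find(path)
    return rule is not None and rule.findtext("log-end") == "yes"

def audit(config_xml):
    # Collect findings for the collapsed-zone risks discussed in the thread.
    root = ET.fromstring(config_xml)
    findings = []
    for name, (net_type, members) in zone_members(root).items():
        if mixes_remote_and_local(members):
            findings.append(f"zone {name!r} ({net_type}) mixes VPN and on-prem interfaces: {members}")
    if not intrazone_logging_overridden(root):
        findings.append("intrazone-default does not log at session end; override it")
    return findings
```

Once every user interface sits in one zone, user-to-user traffic becomes intrazone and hits intrazone-default, so the second finding is the one that silently costs you visibility.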