01-08-2021 04:54 AM
We currently have three different zones defined:
Zone A, VLAN 100, for wired users
Zone B, VLAN 200, for wireless users
Zone V, tunnel/loopback interface, for GlobalProtect users
All the users mentioned above are corp users.
Now the customer wants to create a single zone called "All users" and put VLAN 100, VLAN 200 and the loopback/tunnel into it.
Is it wise to use the same zone for GP users?
Is it doable? What are the challenges if we have a single common zone for user traffic (wired + wireless + GP users)?
01-09-2021 12:40 PM - edited 01-09-2021 01:18 PM
You can assign the same interface to multiple zones, but an interface can be assigned to a single zone only at one time.
You can assign all 3 interfaces to the new zone.
I have never done this, but it is doable.
Also, it is not recommended best practice, because if you later want to segment the traffic between the 3 different zones, you cannot do that any more.
The only thing you have to worry about is the VR: if all 3 interfaces are in the same VR then you are good; if they are in different VRs then you need to modify the static routing in the 3 VRs.
01-09-2021 09:11 PM
Did you ask this question last week in the GlobalProtect forum? If not, you can find the same discussion there within the past week.
In short, the only thing that would technically prevent you from doing this is if you have mixed interface types. You can't have an L3 zone with L2 interfaces or an L2 zone with L3 interfaces for example. As long as that isn't an issue in your environment, there's nothing preventing you from including all three of your interfaces in the same zone.
Now for whether or not it is a good idea, most people would say no. General consensus would be that you have your VPN traffic terminate on its own zone so that you have full control and visibility into what is accessed by users. In general from a security aspect, the more segmented you make your zones the more control you have over what goes where, and you can make finer access controls.
Now to be perfectly clear, it isn't that you can't include all three interfaces in the same zone and still have a secure network. You can still override your intrazone-default policy to deny and manually build out intrazone security rulebase entries to control traffic. That generally isn't advisable because it's easier to accidentally over-provision access or have traffic not getting logged when crossing the firewall. By default, PAN firewalls don't track intrazone traffic, it doesn't get logged at all, and it automatically allows the traffic. If you design things carefully you can have this be just as secure as using multiple different zones, it just generally takes more effort to do so.
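As an added example (not from either reply), the three points above can be checked against an exported PAN-OS config: zones mixing interface types, zones where a tunnel interface shares a zone with LAN interfaces, and whether intrazone-default has been overridden to deny with logging. The XML layout (vsys/zone/entry/network/<type>/member and rulebase/default-security-rules) is assumed here and the config fragment is constructed; verify the paths against a real running-config export.

```python
import xml.etree.ElementTree as ET

# Constructed PAN-OS-style fragment, not a real export. The "Mixed" zone is
# deliberately invalid so the checker has something to flag.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<zone>
  <entry name="All-Users"><network><layer3>
    <member>ethernet1/1.100</member><member>ethernet1/1.200</member><member>tunnel.1</member>
  </layer3></network></entry>
  <entry name="Mixed"><network><layer3><member>ethernet1/3</member></layer3>
    <layer2><member>ethernet1/4</member></layer2></network></entry>
</zone>
<rulebase><default-security-rules><rules>
  <entry name="intrazone-default"><action>deny</action><log-end>yes</log-end></entry>
</rules></default-security-rules></rulebase>
</entry></vsys></entry></devices></config>"""

ZONE_TYPES = ("layer3", "layer2", "virtual-wire", "tap")
VSYS = "./devices/entry/vsys/entry"


def zone_members(config_xml):
    """Map each zone name to {interface_type: [members]} (assumed XML layout)."""
    root = ET.fromstring(config_xml)
    zones = {}
    for zone in root.iterfind(f"{VSYS}/zone/entry"):
        by_type = {t: [m.text for m in zone.findall(f"./network/{t}/member")] for t in ZONE_TYPES}
        zones[zone.get("name")] = {t: ms for t, ms in by_type.items() if ms}
    return zones


def mixed_type_zones(config_xml):
    """Zones holding more than one interface type (L2 + L3 etc.), which PAN-OS rejects."""
    return sorted(z for z, types in zone_members(config_xml).items() if len(types) > 1)


def shared_vpn_zones(config_xml):
    """Zones where a tunnel interface shares the zone with non-tunnel interfaces."""
    flagged = []
    for zone, types in zone_members(config_xml).items():
        members = [m for ms in types.values() for m in ms]
        tunnels = [m for m in members if m.startswith("tunnel")]
        if tunnels and len(tunnels) < len(members):
            flagged.append(zone)
    return sorted(flagged)


def intrazone_default(config_xml):
    """(action, log_end) of intrazone-default; unset means the PAN-OS default: allow, unlogged."""
    root = ET.fromstring(config_xml)
    rule = root.find(f"{VSYS}/rulebase/default-security-rules/rules/entry[@name='intrazone-default']")
    if rule is None:
        return ("allow", False)
    return (rule.findtext("action", default="allow"), rule.findtext("log-end", default="no") == "yes")
```

Running the checks on SAMPLE_CONFIG flags "Mixed" as an invalid mixed-type zone and "All-Users" as a zone where GP tunnel traffic is not terminated on its own zone, while intrazone-default reports ("deny", True).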