05-17-2023 05:27 PM
So, I am new to Palo Alto and I created some pretty general policies for internal-to-DMZ communication. I now wanted to create a policy that would target specific host-to-destinations for testing; however, I noticed that the primary "Allow All" policy was set in the pre-rules, which take precedence in the hierarchy (top to bottom). So what I need to do is migrate my "Allow All" policy to the post-rules section so that my test policy can be hit before the first rule comes into play.
So, now that's out of the way, my real question is: if I apply these changes in Panorama and then push to my firewalls, will there be a loss of connections, sessions, etc. when the policy is moved down in the hierarchy?
I did a test from one of my sandbox environments; it looked like there was no hiccup with ping, but ping is not a stateful connection, if you know what I mean ;).
05-17-2023 05:45 PM - edited 05-19-2023 06:22 AM
Hi @fbarnard ,
I have moved rules between pre- and post-rules many times with no downtime. HOWEVER, with that said, there is always a chance of an outage when you change the order of rules. Verify the new order of rules is good, and you should be fine.
Thanks,
Tom
Edit: I just moved my outbound rule to the Internet from each device group to Shared. I was doing an outbound ping, and I dropped one packet.
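Added example (not code from this thread or from Palo Alto Networks): a toy Python model of the evaluation order Tom refers to (pre-rules, then the firewall's local rules, then post-rules, top to bottom, first match wins) that flags any rule fully covered by an earlier one, so a reorder can be checked for shadowing before it is pushed. Rule names, zones and addresses are constructed, and the coverage check only compares a rule against single earlier rules, not combinations of them.

```python
from dataclasses import dataclass
from ipaddress import ip_network

ANY = ip_network("0.0.0.0/0")
TIERS = ("pre", "local", "post")  # Panorama pre-rules, firewall local rules, post-rules

def net(cidr):
    return ANY if cidr == "any" else ip_network(cidr)

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # zone name or "any"
    dst_zone: str
    src: str        # CIDR or "any"
    dst: str
    action: str     # "allow" or "deny"

    def covers(self, other):
        """True if every flow matched by `other` is also matched by this rule."""
        return (self.src_zone in ("any", other.src_zone)
                and self.dst_zone in ("any", other.dst_zone)
                and net(other.src).subnet_of(net(self.src))
                and net(other.dst).subnet_of(net(self.dst)))

    def matches(self, src_zone, dst_zone, src_ip, dst_ip):
        # A single flow is just a /32-to-/32 "rule"; reuse the coverage test.
        return self.covers(Rule("flow", src_zone, dst_zone, f"{src_ip}/32", f"{dst_ip}/32", "-"))

def ordered(hierarchy):
    """Flatten the hierarchy into the top-to-bottom order the firewall evaluates."""
    return [r for tier in TIERS for r in hierarchy.get(tier, [])]

def first_match(hierarchy, src_zone, dst_zone, src_ip, dst_ip):
    """First-match-wins lookup; the implicit final rule is a deny."""
    for rule in ordered(hierarchy):
        if rule.matches(src_zone, dst_zone, src_ip, dst_ip):
            return rule.name
    return "default-deny"

def shadowed(hierarchy):
    """Rules that can never be hit because a single earlier rule fully covers them."""
    rules = ordered(hierarchy)
    return [r.name for i, r in enumerate(rules) if any(e.covers(r) for e in rules[:i])]

# Constructed scenario from the thread: broad "Allow All" versus a specific test rule.
ALLOW_ALL = Rule("Allow All", "internal", "dmz", "any", "any", "allow")
TEST_RULE = Rule("Test host-to-DMZ", "internal", "dmz", "10.1.1.10/32", "10.2.0.5/32", "allow")
BEFORE = {"pre": [ALLOW_ALL], "local": [TEST_RULE], "post": []}   # test rule shadowed
AFTER = {"pre": [], "local": [TEST_RULE], "post": [ALLOW_ALL]}    # test rule hit first
```

Running `shadowed(BEFORE)` reports the test rule as unreachable, while `shadowed(AFTER)` is empty; a non-empty result after a planned move is the "verify the new order" check worth doing before the Panorama push.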
05-18-2023 09:10 AM
Thank you for the confirmation! Yes, I am keeping in mind the rules currently set, we are still in the phase of policy control setup, right now we are testing the communication between zones. I just wanted to make sure I was putting my more broad policy in the right hierarchy before implementing more stringent or specific policy.