11-22-2023 03:55 AM
Hi,
Looking for some guidance before I start going down the wrong route. We use Prisma SASE - Panorama managed. We have an STS VPN connection (service connection) into our AWS estate. We have security policies allowing traffic from Trust to Trust.
In the world of Prisma, all the mobile users and everything on the other end of the service connection are in the same zone:
Trust: Zone containing all trusted and on-boarded IP addresses, service connections, or mobile users within the corporate network.
So in this case we allow traffic initiated from mobile users to our AWS estate, and given these are stateful sessions the return traffic is allowed also. However, I would like to block traffic initiated from the AWS estate to our mobile users. For a basic example, I'm happy for a mobile user to be able to ping a server in AWS, but I don't want traffic initiated from the AWS server to reach mobile users.
My logic is that in the event a machine is compromised in AWS, I don't want a bad actor to be able to initiate connections to our mobile users.
In my mind I would just create a deny policy specifying Trust as the source and destination zones and then specify the AWS subnets as the source. Is this the correct approach, or is there a better way?
Thank you!
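As an added illustration (not part of the original post or Palo Alto Networks' documentation), a toy first-match evaluator for the trust-to-trust rulebase the poster describes, showing why the explicit deny must sit above the broad allow while stateful return traffic still passes. The mobile-user pool and AWS subnet are constructed assumptions; the fallback to an allowing intrazone-default mirrors PAN-OS behaviour.

```python
"""Toy first-match evaluator for the trust->trust rulebase described in the post."""
import ipaddress

# Constructed sample addressing (assumptions, not taken from the post).
MOBILE_POOL = ipaddress.ip_network("100.64.0.0/16")      # mobile-user IP pool
AWS_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]      # service-connection side

def rule(name, action, src_nets=(), dst_nets=()):
    """A security rule; empty src/dst means 'any'. Zones are trust->trust throughout."""
    return {"name": name, "action": action, "src": list(src_nets), "dst": list(dst_nets)}

# Explicit deny above the broad allow, as the poster proposes.
RULEBASE_OK = [
    rule("deny-aws-initiated", "deny", src_nets=AWS_SUBNETS),
    rule("allow-trust-trust", "allow"),
]
# Same two rules in the wrong order: the allow shadows the deny.
RULEBASE_SHADOWED = list(reversed(RULEBASE_OK))

def _matches(nets, ip):
    return not nets or any(ip in n for n in nets)

class StatefulPolicy:
    def __init__(self, rulebase):
        self.rulebase = rulebase
        self.sessions = set()  # (initiator, responder) pairs of allowed sessions

    def packet(self, src, dst):
        """Return (verdict, reason) for one packet, honouring existing sessions first."""
        if (dst, src) in self.sessions:
            return "allow", "existing-session"      # return traffic of an allowed flow
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.rulebase:                      # first match wins
            if _matches(r["src"], s) and _matches(r["dst"], d):
                if r["action"] == "allow":
                    self.sessions.add((src, dst))
                return r["action"], r["name"]
        # No explicit match: the intrazone-default rule allows trust->trust.
        self.sessions.add((src, dst))
        return "allow", "intrazone-default"

def demo(rulebase):
    """Mobile user pings AWS, AWS replies, then AWS tries a new connection back."""
    p = StatefulPolicy(rulebase)
    return [p.packet("100.64.1.10", "10.20.5.5"),
            p.packet("10.20.5.5", "100.64.1.10"),
            p.packet("10.20.5.5", "100.64.2.20")]

if __name__ == "__main__":
    for label, rb in ("ordered", RULEBASE_OK), ("shadowed", RULEBASE_SHADOWED):
        print(label, demo(rb))
```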