PRISMA Access Intrazone Default - As a firewall engineer this rule gives me the creeps


L1 Bithead

Quick one for all you PRISMA SASE heads out there.

Finally getting stability on macOS (god bless GP version 6.2.3).

Now it's time to harden up a little bit - easy to do with a firewall I manage but not sure of the ramifications on PRISMA.

So, intrazone-default is allowed by default and it gets some fairly nasty attacks on the untrust to untrust interfaces.

Bearing in mind I use PROXY & SSLVPN, what are the ramifications of an untrust to untrust block?


I did ask TAC - same answer as always - if you've not done it before then it's professional services. Rubbish!


Any help greatly appreciated.

2 replies

L0 Member

If traffic matches no other rules, two default Security policy rules at the bottom of the rulebase automatically drop all traffic between different zones (interzone-default) and automatically allow all traffic between the same zone (intrazone-default). You can modify the interzone-default and intrazone-default rules to log traffic, apply threat inspection, etc. If you add a rule that denies all traffic earlier in the rulebase (local firewall rules or Panorama pre- and post-rules), no traffic matches the default rules.
 
For the ramification, you may deny traffic that is supposed to be allowed between untrust zones that didn't match any rules before it hits the default rule. Typically, if untrust to untrust traffic did not hit any rules, then technically it should be allowed. I believe TAC answered the way they did because they are not design experts and cannot give configuration recommendations based on the design, since they would be held accountable if something were to go wrong. PS has the skills required to give that recommendation and help, as it's their primary focus.
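The reply above describes the evaluation order that decides the ramifications: explicit rules top to bottom, first match wins, and only traffic that matches nothing reaches intrazone-default (same zone) or interzone-default (different zones). The script below is an added illustration, not Palo Alto code and not something from the thread: it models that order and enumerates which known-good flows would change verdict if intrazone-default were flipped to deny, which is exactly the list of flows that need an explicit allow rule before the change. The zone names, rule names and flows are constructed for the example; a real Prisma Access rulebase will differ.

```python
"""Model of first-match Security policy evaluation with the two default rules.

Added illustration only (not Palo Alto code). Zones, rules and flows below are
constructed for the example; substitute the real rulebase to do this for real.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

ANY = frozenset({"any"})


@dataclass(frozen=True)
class Rule:
    name: str
    from_zones: FrozenSet[str]
    to_zones: FrozenSet[str]
    apps: FrozenSet[str]
    action: str  # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    app: str


def _match(allowed: FrozenSet[str], value: str) -> bool:
    """A rule field matches if it is 'any' or names the value explicitly."""
    return "any" in allowed or value in allowed


def evaluate(flow: Flow, rulebase: List[Rule], *,
             intrazone_action: str = "allow",
             interzone_action: str = "deny") -> Tuple[str, str]:
    """Return (matching rule name, action).

    Explicit rules are checked top to bottom and the first match wins. Only
    when nothing matches do the defaults apply: same source and destination
    zone -> intrazone-default, different zones -> interzone-default.
    """
    for rule in rulebase:
        if (_match(rule.from_zones, flow.src_zone)
                and _match(rule.to_zones, flow.dst_zone)
                and _match(rule.apps, flow.app)):
            return rule.name, rule.action
    if flow.src_zone == flow.dst_zone:
        return "intrazone-default", intrazone_action
    return "interzone-default", interzone_action


def override_impact(flows: List[Flow], rulebase: List[Rule]):
    """Flows whose verdict changes when intrazone-default is set to deny.

    Anything listed here currently relies on the implicit intrazone allow and
    needs an explicit rule above the defaults before the override is applied.
    """
    changed = []
    for flow in flows:
        before = evaluate(flow, rulebase)
        after = evaluate(flow, rulebase, intrazone_action="deny")
        if before != after:
            changed.append((flow, before, after))
    return changed


# Constructed rulebase: one explicit allow for users out to the internet and
# one explicit allow for an untrust-to-untrust service the engineer relies on.
RULEBASE = [
    Rule("users-to-internet", frozenset({"trust"}), frozenset({"untrust"}), ANY, "allow"),
    Rule("untrust-to-proxy-ssl", frozenset({"untrust"}), frozenset({"untrust"}),
         frozenset({"ssl"}), "allow"),
]

# Constructed flows: two that hit explicit rules, one that hits each default.
FLOWS = [
    Flow("trust", "untrust", "web-browsing"),   # explicit allow, unaffected
    Flow("untrust", "untrust", "ssl"),          # explicit allow, unaffected
    Flow("untrust", "untrust", "unknown-tcp"),  # only intrazone-default allows this
    Flow("untrust", "trust", "ssh"),            # interzone-default already denies
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "->", evaluate(flow, RULEBASE))
    for flow, before, after in override_impact(FLOWS, RULEBASE):
        print("would change:", flow, before, "->", after)
```

Running it against a copy of the real rulebase (with the real zone names and the applications seen in traffic logs for the noisy untrust-to-untrust sessions) turns "trial and error" into a list: every flow reported by override_impact either gets an explicit allow rule or is confirmed as traffic that should have been dropped all along.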

Thanks @RSenra 

PS is ££££, which we just don't have, so it will be trial and error.
