created by jperry1 on Sep 14, 2014 7:50 PM, last modified by panagent on Oct 28, 2014 5:31 PM
Details
On the Palo Alto Networks firewall, the security zone assigned to an interface is essential for
building security policies that allow, restrict or deny traffic. The same principles
of zone selection apply to VPN tunnel interfaces when defining security policies. Two scenarios are shown in this
document to demonstrate how security policies are written depending on which security zone is chosen for the VPN tunnel
interface:
1. The tunnel interface is assigned the same zone as one of the inside interfaces.
2. The tunnel interface is assigned an independent zone.
Scenario 1
In this scenario, the tunnel.200 interface has been assigned to the same zone as the ethernet1/2 interface, which is
the "L3_Trust" zone. Because of this, any existing security policies (including the implicit 'same-zone' allow rule)
that match traffic from source zone "L3_Trust" to destination zone "L3_Trust" will be applied to the VPN traffic
flowing between tunnel.200 and the inside interface ethernet1/2.
https://live.paloaltonetworks.com/docs/DOC-7901 Page 1 of 4
Security Policies Based on Zone Assignment for ... | Palo Alto Networks Live 3/25/15, 6:02 AM
For more information regarding the Any/Any/Deny policy, see: Any/Any/Deny Security Rule Changes Default Behavior
Scenario 2
In this scenario, the tunnel.200 interface is assigned an independent zone called 'VLAN_100', while the inside
interface ethernet1/2 remains in the 'L3_Trust' zone:
A new security policy is created and applied only to traffic from the VPN zone 'VLAN_100' to the inside zone 'L3_Trust':
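To make the difference between the two scenarios concrete, the following is an added, simplified model of PAN-OS zone-based rule matching (illustration code, not Palo Alto Networks software). It assumes only the interfaces and zones named above, plus the two implicit default rules (intrazone allow, interzone deny), and shows that scenario 2 passes the tunnel traffic only once the explicit VLAN_100 to L3_Trust rule exists:

```python
# Simplified model of zone-based security policy evaluation (added example,
# not PAN-OS code). A flow is classified by the zones of its ingress and
# egress interfaces; explicit rules are checked top-down, then the implicit
# intrazone-default (allow) and interzone-default (deny) rules apply.
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    from_zones: set
    to_zones: set
    action: str  # "allow" or "deny"


def zone_of(interface, zone_map):
    """Return the zone an interface belongs to; unassigned interfaces are an error."""
    for zone, ifaces in zone_map.items():
        if interface in ifaces:
            return zone
    raise KeyError(f"{interface} is not assigned to any zone")


def evaluate(ingress_if, egress_if, zone_map, rules):
    """First matching explicit rule wins; otherwise an implicit default decides."""
    src, dst = zone_of(ingress_if, zone_map), zone_of(egress_if, zone_map)
    for r in rules:
        if ("any" in r.from_zones or src in r.from_zones) and \
           ("any" in r.to_zones or dst in r.to_zones):
            return r.name, r.action
    if src == dst:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


# Scenario 1: tunnel.200 shares the L3_Trust zone with ethernet1/2.
SCENARIO1_ZONES = {"L3_Trust": {"ethernet1/2", "tunnel.200"}}
# Scenario 2: tunnel.200 is placed in its own VLAN_100 zone.
SCENARIO2_ZONES = {"L3_Trust": {"ethernet1/2"}, "VLAN_100": {"tunnel.200"}}
# The explicit rule scenario 2 requires (rule name is a constructed label).
VPN_TO_TRUST = Rule("VPN_to_Trust", {"VLAN_100"}, {"L3_Trust"}, "allow")


def scenario1():
    return evaluate("tunnel.200", "ethernet1/2", SCENARIO1_ZONES, [])


def scenario2_without_rule():
    return evaluate("tunnel.200", "ethernet1/2", SCENARIO2_ZONES, [])


def scenario2_with_rule():
    return evaluate("tunnel.200", "ethernet1/2", SCENARIO2_ZONES, [VPN_TO_TRUST])
```

Running the three scenario functions shows the tunnel flow hitting the intrazone default in scenario 1, the interzone deny in scenario 2 without a rule, and the explicit VPN_to_Trust rule once it is added.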
See Also
How to Configure IPSEC VPN
owner: jperry