Você está na página 1de 4

Security Policies Based on Zone Assignment for ...

| Palo Alto Networks Live 3/25/15, 6:02 AM

All Places > Knowledge Base > Documents

Security Policies Based on Zone


Assignment for VPN Tunnel Interface Version 40

created by jperry1 on Sep 14, 2014 7:50 PM, last modified by panagent on Oct 28, 2014 5:31 PM

Details
On the Palo Alto Networks firewall, the security zone that is assigned to a specific interface is essential for
establishing security policies based on trac that needs to be allowed, restricted or denied. The same principles
of zone selection apply for VPN tunnel interfaces when defining security policies. Two scenarios are shown in this
document to demonstrate how security policies are written based on how the security zone for the VPN tunnel
interface is chosen:
1. The tunnel interface is assigned the same zone as one of the inside interfaces.
2. The tunnel interface is assigned an independent zone.

Scenario 1
In this scenario, tunnel.200 interface has been assigned to the same zone as the ethernet1/2 interface which is
the "L3_Trust" zone. Because of this, any existing security policies (including the implicit 'same-zone' allow rule)
that match trac from source "L3_Trust" zone to destination "L3_Trust" zone will be applied to the VPN trac
flowing between tunnel.200 and inside interface ethernet/12.

Ethernet1/2 is in 'L3_Trust' zone:

Tunnel.200 Interface is placed in the 'L3_Trust' zone:

https://live.paloaltonetworks.com/docs/DOC-7901 Page 1 of 4
Security Policies Based on Zone Assignment for ... | Palo Alto Networks Live 3/25/15, 6:02 AM

Pre-existing security policy applied to "L3_Trust" zone:


In situations where an "Any/Any/Deny" policy is configured which may override the implicit 'same-zone' policy, a
policy must be explicitly created to allow the 'L3-Trust' to 'L3-Trust' zone trac as shown below:

For more information regarding the Any/Any/Deny policy, see: Any/Any/Deny Security Rule Changes Default
Behavior

Scenario 2
In this scenario, the tunnel.200 interface is assigned an independent zone called 'VLAN_100' while the inside
interface ethernet/12 is in the 'L3_Trust' zone:

Ethernet1/2 is in 'L3_Trust' zone:

https://live.paloaltonetworks.com/docs/DOC-7901 Page 2 of 4
Security Policies Based on Zone Assignment for ... | Palo Alto Networks Live 3/25/15, 6:02 AM

Tunnel.200 Interface is placed in a separate 'VLAN_100' zone:


This approach will allow for a separate set of restrictions to be applied only to trac flowing to/from the inside
interface(ethernet1/2) to/from the VPN "VLAN_100" security zone. This approach will provide more granularity if
the security requirement is dierent for VPN trac.

New Security Policy created and applied only for trac from VPN 'VLAN_100' to inside 'L3_Trust' zone:

See Also
How to Configure IPSEC VPN

owner: jperry

613 Views Categories: VPN Tags: ssl, vpn, zone, ipsec, tunnel, security_profiles, ipsec_tunnel

Average User Rating

(3 ratings)

0 Comments

https://live.paloaltonetworks.com/docs/DOC-7901 Page 3 of 4
Security Policies Based on Zone Assignment for ... | Palo Alto Networks Live 3/25/15, 6:02 AM

There are no comments on this document.

1.866.320.4788 Privacy Policy Legal Notices Site Index Subscriptions


Copyright 2007-2013 Palo Alto Networks

Home | Top of page | About Jive | Help 2007-2012 Jive Software |

https://live.paloaltonetworks.com/docs/DOC-7901 Page 4 of 4