Bidirectional Policy Rules on a Palo Alto Firewall

The Palo Alto firewall supports policy entries that refer to multiple source and destination zones. This is especially useful when there are branch offices with multiple zones and a site-to-site VPN to the main office. In this scenario, every zone in the branch office might have a “permit any any” to the main office and vice versa, while the zones in the branch office should not have a permit among themselves. (Of course, the traffic on the main office side is restricted and not permitted generally.) Here are two ways to accomplish that scenario.

My example consists of the following: the branch office has three security zones called trust-user, trust-server, and trust-ra. The zone for the site-to-site VPN is called vpn-s2s. I will show the two options on the basis of two screenshots.

Note that this configuration is set on the branch office firewall only. On the main office firewall, the traffic is of course classified and permitted/denied according to the specific rule set.

One Bidirectional Rule for each Zone

The first possibility is a set of bidirectional rules, in which each rule has the same zones as source and destination. That is, the rule matches regardless of which side initiates the connection. One bidirectional rule is needed for every internal zone on the branch firewall.

[Screenshot: Palo Alto Bidirectional Policy Rules]

Note that these rules also permit traffic from an internal zone to the interface of the Palo Alto firewall itself, e.g., for ping or the DNS proxy. To limit management access to the Palo Alto interfaces, “Interface Mgmt” profiles can be used.

Two Unidirectional Rules

The second option uses two unidirectional rules: Branch -> Main and Main -> Branch. (Unidirectional refers to the initiating side; of course, all rules are stateful and allow the returning traffic as well.) The vpn-s2s zone is on one side, while the internal zones of the branch office are on the other side:

[Screenshot: Palo Alto Two Unidirectional Policy Rules]

This option is suitable for branch offices with many internal zones since the whole “permit any any” set is built with these two rules regardless of the number of internal zones.
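To check that both options really produce the same zone-pair policy, and in particular that no branch zone can reach another branch zone, here is an added example (not from the original post) that models PAN-OS first-match evaluation on the from/to zone fields for the rule sets of both sections above. It assumes the PAN-OS implicit defaults (intrazone-default allow, interzone-default deny) and ignores the other match fields, since the page's rules use "any" for them; the rule names are my own.

```python
# Zone-pair evaluation of the two rulebase options for the branch firewall.
# Assumption: only the from/to zone fields matter (everything else is "any"),
# and the implicit PAN-OS defaults apply after the explicit rules.
from itertools import product

BRANCH_ZONES = ["trust-user", "trust-server", "trust-ra"]
VPN_ZONE = "vpn-s2s"
ALL_ZONES = BRANCH_ZONES + [VPN_ZONE]


def rule(name, from_zones, to_zones, action="allow"):
    return {"name": name, "from": set(from_zones), "to": set(to_zones), "action": action}


# Option 1: one bidirectional rule per internal zone (same zones on both sides).
OPTION_BIDIRECTIONAL = [rule(f"s2s-{z}", [z, VPN_ZONE], [z, VPN_ZONE]) for z in BRANCH_ZONES]

# Option 2: two unidirectional rules, vpn-s2s on one side, all internal zones on the other.
OPTION_UNIDIRECTIONAL = [
    rule("branch-to-main", BRANCH_ZONES, [VPN_ZONE]),
    rule("main-to-branch", [VPN_ZONE], BRANCH_ZONES),
]


def evaluate(rulebase, from_zone, to_zone):
    """First-match lookup; falls back to the implicit intrazone/interzone defaults."""
    for r in rulebase:
        if from_zone in r["from"] and to_zone in r["to"]:
            return r["name"], r["action"]
    if from_zone == to_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def allowed_pairs(rulebase):
    """Set of (from, to) zone pairs whose first matching rule allows traffic."""
    return {(f, t) for f, t in product(ALL_ZONES, repeat=2) if evaluate(rulebase, f, t)[1] == "allow"}


def branch_interzone_leaks(rulebase):
    """Branch-to-branch pairs (different zones) that are allowed; should be empty."""
    return sorted((f, t) for f, t in allowed_pairs(rulebase)
                  if f in BRANCH_ZONES and t in BRANCH_ZONES and f != t)


if __name__ == "__main__":
    for label, rb in (("bidirectional", OPTION_BIDIRECTIONAL), ("unidirectional", OPTION_UNIDIRECTIONAL)):
        print(label, "leaks:", branch_interzone_leaks(rb))
    print("same policy:", allowed_pairs(OPTION_BIDIRECTIONAL) == allowed_pairs(OPTION_UNIDIRECTIONAL))
```

Adding a fourth branch zone to BRANCH_ZONES shows the practical difference: option 1 needs a new rule per zone, option 2 only a zone added to the existing two rules.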
