What are Universal, Intrazone and Interzone Rules?
When configuring a security policy, it is not evident from the rulebase what will happen to traffic that does not match any rule. Furthermore, there is no way to alter the treatment of that traffic without creating an explicit rule. In many cases, users simply want to enable logging for this traffic. In some cases, they want to easily change the treatment of intrazone traffic. Previously, this required configuring explicit rules for each zone.
In PAN-OS releases prior to 6.1 there is no "Rule Type" classification in the security policy. This feature was introduced in PAN-OS 6.1. It gives the option to create rules of type interzone, intrazone, or universal, so administrators have control over which rules are created based on the zones in their network, which also comes in handy during an audit.
On PAN-OS 6.1 and above, the default security rules are appended to the end of the normal security rules, as shown below:
- A green cog image next to the “intrazone-default” rule name indicates the rule is from “predefined” or from “Panorama”. A tool tip is available on the image.
- A double cog image next to the “interzone-default” rule name indicates the rule is in the current VSYS and overrides the values of another rule from “predefined” or Panorama.
- “intrazone-default” rule action is allow
- “interzone-default” rule action is deny
The table below details the rule types and descriptions:

| Rule type | Description | Example |
| --- | --- | --- |
| Universal (default) | Applies the rule to all matching interzone and intrazone traffic in the specified source and destination zones, regardless of whether the traffic stays within one zone or crosses between two zones. | If a universal rule is created with source zones A and B and destination zones A and B, the rule applies to all traffic within zone A, all traffic within zone B, all traffic from zone A to zone B, and all traffic from zone B to zone A. |
| Intrazone | A security policy for traffic within the same zone. Applies the rule to all matching traffic within the specified source zones (a destination zone cannot be specified for intrazone rules). | If the source zone is set to A and B, the rule applies to all traffic within zone A and all traffic within zone B, but not to traffic between zones A and B. |
| Interzone | A security policy for traffic between two different zones. Applies the rule to all matching traffic between the specified source and destination zones; traffic within a single zone is never matched by a rule of this type. | If the source zone is set to A, B, and C and the destination zone to A and B, the rule applies to traffic from zone A to zone B, from zone B to zone A, from zone C to zone A, and from zone C to zone B, but not to traffic within zones A, B, or C. |
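The matching semantics of the three rule types, and the fall-through to the appended "intrazone-default" (allow) and "interzone-default" (deny) rules, as an added model in Python; this is illustrative code written for this article, not PAN-OS code, and it models zone matching only (application, service, address and the other match criteria are left out):

```python
from dataclasses import dataclass, field

ANY = frozenset({"any"})  # stands for a zone list of "any", as on the predefined default rules


def _in(zone, zones):
    return zones == ANY or zone in zones


@dataclass
class Rule:
    name: str
    rule_type: str                                            # "universal", "intrazone" or "interzone"
    src_zones: frozenset
    dst_zones: frozenset = field(default_factory=frozenset)  # not used by intrazone rules
    action: str = "allow"

    def matches(self, from_zone, to_zone):
        """Zone-level match only; other rule criteria are outside this model."""
        if self.rule_type == "intrazone":
            # the destination zone is taken from the source zone list, so only same-zone flows match
            return from_zone == to_zone and _in(from_zone, self.src_zones)
        both = _in(from_zone, self.src_zones) and _in(to_zone, self.dst_zones)
        if self.rule_type == "interzone":
            return both and from_zone != to_zone
        return both  # universal: intrazone and interzone flows alike


# Predefined rules that PAN-OS 6.1 appends after the user's own security rules
DEFAULT_RULES = [
    Rule("intrazone-default", "intrazone", ANY, action="allow"),
    Rule("interzone-default", "interzone", ANY, ANY, action="deny"),
]


def evaluate(rules, from_zone, to_zone):
    """First-match evaluation over the user rulebase, then the appended default rules."""
    for rule in list(rules) + DEFAULT_RULES:
        if rule.matches(from_zone, to_zone):
            return rule.name, rule.action
    raise AssertionError("the default rules cover every zone pair")  # unreachable


if __name__ == "__main__":
    # Constructed rulebase: the interzone example from the table, with action deny
    rules = [Rule("inter-ABC-AB", "interzone", frozenset("ABC"), frozenset("AB"), "deny")]
    for pair in ("AB", "CA", "CC", "DA"):
        print(pair[0], "->", pair[1], evaluate(rules, *pair))
```

Running it shows C->A hitting the interzone rule, C->C falling through to "intrazone-default" (allow) and D->A, which no user rule covers, falling through to "interzone-default" (deny).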
A user defined security rule can be configured as “universal”, “intrazone”, or “interzone”, as shown below:
When a rule is configured as “intrazone”, the “destination zone” cannot be changed (greyed out). Its value comes from the “source zone”.
The “predefined” or Panorama pushed “intrazone-default” and “interzone-default” rules names or functions cannot be changed.
This is indicated by a green border around the editor and the “Read Only” wording in the title.
To make a change to “predefined” or Panorama pushed “intrazone-default” or “interzone-default” rules, the user must “override” these rules.
The “intrazone-default” or “interzone-default” rule can be overridden if it has a green single cog image next to the rule name.
The “override” action will bring up a security rule editor that has only two tabs.
On the “General” tab, only the “Tags” field can be modified:
On the “Actions” tab, only the “Profile Setting” and “Log Setting” fields can be modified:
To get back the “predefined” or Panorama pushed value, the “revert” action can be performed.
On Panorama, the default rules are visible in a separate tree node, below the security pre and post rules.
The green single cog image next to the name indicates the rule is from an “ancestor” device group, “shared”, or “Predefined”.
The double cog image next to the name indicates the rule is “overriding” that of an “ancestor” device group rule, “shared” rule, or “predefined” rule.
The user may “override” the “intrazone-default” or “interzone-default” rules as shown below:
Both the VM and M-100 Panorama support this feature. The new default rules appear below the post security rules.
Further Details Regarding Panorama:
- Default rules, when pushed to device dataplane will take effect after any other group or shared rules.
- Changes made to "interzone-default" or "intrazone-default" locally on the Palo Alto Networks device take precedence over any changes pushed from Panorama.
Panorama 6.1 and 5.x/6.0 PAN-OS Devices Interaction:
When pushing security rules from a 6.1 Panorama to a pre-6.1 PAN-OS device, the expected behavior is shown below:
- Predefined default rules removed from rulebase to be pushed
- Rules with "intrazone" and "interzone" types removed from rulebase to be pushed
- Rules with "universal" type converted to pre-6.1 rules
- Panorama presents a warning that not all rules were pushed to pre-6.1 device(s)
```
admin@Panorama> show jobs id 25970
Enqueued ID Type Status Result Completed
2014/07/22 22:03:38 25970 CommitAll FIN OK 100 %
Warnings: 001606007416 is below 6.1, removing intrazone and interzone rules
- 010401000006 commit succeeded OK 22:03:39 22:03:57
- 001606007416 commit succeeded OK 22:03:39 22:05:15
```
- Upgrades: If a rule already exists with the name "intrazone-default" or "interzone-default" that rule should be renamed to "custom-intrazone-default" or "custom-interzone-default".
Note: When upgrading to PAN-OS 6.1, all existing rules in the security rulebase will be converted to universal rules.
- Downgrades: Remove the type node from all the universal rules. Delete all the intrazone and interzone rules.