Security zone commands
display security-zone
Use display security-zone to display security zone information.
Syntax
display security-zone [ name zone-name ]
Views
Any view
Predefined user roles
network-admin
Parameters
name zone-name: Specifies the security zone name, a case-insensitive string of 1 to 31 characters. If you do not specify this option, the command displays all security zones, including system-defined and user-defined security zones.
Usage guidelines
When displaying all security zones, the command uses the following order:
1. System-defined security zones.
2. User-defined security zones in alphabetical order of security zone names.
Examples
# Display information about security zone myZone.
<Sysname> display security-zone name myZone
Name: myZone
Members:
GigabitEthernet2/1/3
GigabitEthernet2/1/4
GigabitEthernet2/1/1 in VLAN 3
GigabitEthernet2/1/5 in VLAN 7
Table 1 Command output

Field | Description |
---|---|
Name | Security zone name. |
Members | · Type and number of a Layer 3 interface. · None. If a security zone does not have any members, this field displays None. |
display zone-pair security
Use display zone-pair security to display all zone pairs.
Syntax
display zone-pair security
Views
Any view
Predefined user roles
Examples
# Display all zone pairs.
<Sysname> display zone-pair security
Source zone Destination zone
DMZ Local
Trust Local
import interface
Use import interface to add Layer 3 interfaces to a security zone, including Layer 3 Ethernet interfaces, Layer 3 Ethernet subinterfaces, and other types of Layer 3 logical interfaces.
Use undo import interface to remove Layer 3 interfaces from a security zone.
Syntax
import interface layer3-interface-type layer3-interface-number
undo import interface layer3-interface-type layer3-interface-number
Default
A security zone does not have any Layer 3 interface members.
Views
Security zone view
Predefined user roles
Parameters
interface layer3-interface-type layer3-interface-number: Specifies a Layer 3 interface by its type and number.
Usage guidelines
To add multiple Layer 3 interfaces to a security zone, execute this command multiple times.
A Layer 3 interface can belong to only one security zone. To move a Layer 3 interface from one security zone to another security zone, perform the following tasks:
· Use the undo import interface command to remove the interface from the current security zone.
· Use the import interface command to add the interface to the new security zone.
Examples
# Add Layer 3 Ethernet interface GigabitEthernet 2/1/1 to the security zone Trust.
[Sysname] security-zone name trust
[Sysname-security-zone-trust] import interface gigabitethernet 2/1/1
import interface vlan
Use import interface vlan to add Layer 2 interface-VLAN combinations to a security zone.
Use undo import interface vlan to remove Layer 2 interface-VLAN combinations from a security zone.
Syntax
import interface layer2-interface-type layer2-interface-number vlan vlan-list
undo import interface layer2-interface-type layer2-interface-number vlan vlan-list
Default
A security zone does not have any Layer 2 interface-VLAN combination members.
Views
Security zone view
Predefined user roles
network-admin
mdc-admin
Parameters
interface layer2-interface-type layer2-interface-number: Specifies a Layer 2 interface by its type and number.
vlan vlan-list: Specifies a list of VLANs. The vlan-list argument must be a space-separated list of up to 10 VLAN items that meet the following requirements:
· Each item specifies a VLAN by its ID or a range of VLANs in the form of start-VLAN-ID to end-VLAN-ID. The end-VLAN-ID must be greater than the start-VLAN-ID.
· The VLAN IDs are in the range of 1 to 4094.
· The VLANs already exist.
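As an added example (not from the command reference), the following validator applies the vlan-list rules above to a string typed on the command line and returns the VLAN IDs it expands to; the set of existing VLANs and the sample inputs are constructed.

```python
# Added example, not from the command reference: validates a vlan-list string
# against the documented rules and returns the VLAN IDs it expands to. The set
# of existing VLANs and the sample inputs are constructed.

MAX_VLAN_ITEMS = 10
VLAN_MIN, VLAN_MAX = 1, 4094

def parse_vlan_list(vlan_list, existing_vlans):
    tokens = vlan_list.split()
    items, i = [], 0
    # Group "start to end" into one range item; anything else is a single ID.
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1].lower() == "to":
            items.append((tokens[i], tokens[i + 2], True))
            i += 3
        else:
            items.append((tokens[i], tokens[i], False))
            i += 1
    if not items:
        raise ValueError("vlan-list is empty")
    if len(items) > MAX_VLAN_ITEMS:
        raise ValueError(f"vlan-list has {len(items)} items; at most "
                         f"{MAX_VLAN_ITEMS} are allowed")
    vlans = set()
    for start, end, is_range in items:
        if not (start.isdigit() and end.isdigit()):
            raise ValueError(f"invalid VLAN item: {start!r}")
        s, e = int(start), int(end)
        for vid in (s, e):
            if not VLAN_MIN <= vid <= VLAN_MAX:
                raise ValueError(f"VLAN {vid} outside {VLAN_MIN} to {VLAN_MAX}")
        if is_range and e <= s:
            raise ValueError(f"end VLAN {e} must be greater than start {s}")
        # Every VLAN named by the list must already exist on the device.
        missing = [v for v in range(s, e + 1) if v not in existing_vlans]
        if missing:
            raise ValueError(f"VLANs do not exist: {missing}")
        vlans.update(range(s, e + 1))
    return vlans

def check(vlan_list, existing_vlans):
    """Return (ok, result) so callers see the rejection reason."""
    try:
        return True, parse_vlan_list(vlan_list, existing_vlans)
    except ValueError as err:
        return False, str(err)
```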
Usage guidelines
You cannot add any members to the system-defined security zone Local. You can add members to the other system-defined security zones.
To add multiple Layer 2 Ethernet interface-VLAN combinations to a security zone, execute this command multiple times.
A Layer 2 interface-VLAN combination can belong to only one security zone. To move a Layer 2 interface-VLAN combination from one security zone to another security zone, perform the following tasks:
· Use the undo import interface vlan command to remove the combination from the current security zone.
· Use the import interface vlan command to add the combination to the new security zone.
Examples
# Add the combination of Layer 2 Ethernet interface GigabitEthernet 2/1/1 and VLAN 10 to the security zone Untrust.
<Sysname> system-view
[Sysname] security-zone name untrust
[Sysname-security-zone-untrust] import interface gigabitethernet2/1/1 vlan 10
security-zone
Use security-zone to create a security zone and enter its view, or enter the view of an existing security zone.
Use undo security-zone to delete a security zone.
Syntax
security-zone name zone-name
undo security-zone name zone-name
Default
No security zone exists.
Views
System view
Predefined user roles
Parameters
name zone-name: Specifies the security zone name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
The device provides the following system-defined security zones: Local, Trust, DMZ, Management, Untrust, library, and office. These security zones are created automatically by the system when one of the following events occurs:
· The first command for creating a security zone is executed.
· The first command for creating an object policy is executed.
· The first command for entering the view of a system-defined security zone is executed.
System-defined security zones cannot be deleted.
You can use this command multiple times to create multiple security zones.
A security zone must have a unique name on the MDC to which it belongs. Two security zones that belong to different MDCs can use the same name.
Deleting a security zone also deletes the following items:
· All zone pairs that use the security zone as the source or destination security zone.
· All object policy applications on the zone pairs.
Examples
# Create the security zone zonetest and enter security zone view.
[Sysname] security-zone name zonetest
[Sysname-security-zone-zonetest]
Related commands
security-zone intra-zone default permit
Use security-zone intra-zone default permit to set the default action to permit for packets exchanged between interfaces in the same security zone.
Use undo security-zone intra-zone default permit to restore the default.
Syntax
security-zone intra-zone default permit
undo security-zone intra-zone default permit
Default
The default action is deny for packets exchanged between interfaces in the same security zone.
Views
System view
Usage guidelines
The default action is used when no zone pair is configured from the security zone to the security zone itself.
Examples
# Set the default action to permit for packets exchanged between interfaces in the same security zone.
[Sysname] security-zone intra-zone default permit
zone-pair security
Use zone-pair security to create a zone pair and enter its view, or enter the view of an existing zone pair.
Use undo zone-pair security to delete a zone pair.
Syntax
zone-pair security source { source-zone-name | any } destination { destination-zone-name | any }
undo zone-pair security source { source-zone-name | any } destination { destination-zone-name | any }
Default
No zone pair exists.
Views
System view
Predefined user roles
Parameters
source source-zone-name: Specifies the name of the source security zone, a case-insensitive string of 1 to 31 characters. This security zone must already exist.
destination destination-zone-name: Specifies the name of the destination security zone, a case-insensitive string of 1 to 31 characters. This security zone must already exist.
any: Specifies any security zone.
Usage guidelines
A zone pair has a source security zone and a destination security zone. The device examines the first packet of each received data flow and uses zone pairs to identify data flows.
You can use the zone-pair security source any destination any command to define the any-to-any zone pair. This zone pair matches all packets from one security zone to another security zone.
After you apply security policies to zone pairs, the device processes data flows based on security policies.
· If a packet matches a zone pair between specific security zones, the device processes the packet by using the security policies applied to the zone pair.
· If a packet does not match any zone pair between specific security zones, the device identifies whether the packet is between the Management and Local zones.
  - If the packet is between the Management and Local zones, the device discards the packet.
  - If the packet is not between the Management and Local zones, the device searches for the any-to-any zone pair.
    - If the zone pair exists, the device processes the packet by using the security policies applied to the zone pair.
    - If the zone pair does not exist, the device discards the packet.
If you apply an object policy and a packet filtering policy to a zone pair, the object policy takes precedence.
Security policies include ACLs, ASPF policies, and object policies. For more information about packet filtering policies, see ACL and QoS Configuration Guide. For more information about ASPF and object policies, see Security Configuration Guide.
Deleting a zone pair deletes all object policy applications on the zone pair.
Examples
# Create a zone pair with the source security zone Trust and destination zone Untrust.
[Sysname] zone-pair security source trust destination untrust
[Sysname-zone-pair-security-Trust-Untrust]
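As an added example (not from the command reference), the following model reproduces the zone-pair lookup order from the usage guidelines above, including the Management/Local special case, the any-to-any fallback, object-policy precedence over packet filtering, and the intra-zone default action from security-zone intra-zone default permit; zone names, policy labels and sample flows are constructed.

```python
# Added example, not from the command reference: a model of the documented
# zone-pair lookup order, so a flow's outcome can be predicted before a policy
# is applied. Zone names, policy labels and sample flows are constructed.

MGMT_LOCAL = frozenset({"management", "local"})

class ZonePairModel:
    def __init__(self, intra_zone_default_permit=False):
        # (source, destination) -> {"object": name, "filter": name}
        self.zone_pairs = {}
        self.intra_zone_default_permit = intra_zone_default_permit

    def add_zone_pair(self, source, destination, object_policy=None,
                      packet_filter=None):
        # Zone names are case-insensitive; "any" is allowed on either side.
        self.zone_pairs[(source.lower(), destination.lower())] = {
            "object": object_policy, "filter": packet_filter}

    @staticmethod
    def _applied(pair):
        # An object policy takes precedence over a packet filtering policy.
        return pair["object"] or pair["filter"]

    def decide(self, src_zone, dst_zone):
        src, dst = src_zone.lower(), dst_zone.lower()
        # 1. A zone pair between the specific zones is used as configured.
        if (src, dst) in self.zone_pairs:
            return ("zone-pair", self._applied(self.zone_pairs[(src, dst)]))
        # Intra-zone traffic with no zone pair uses the intra-zone default.
        if src == dst:
            return ("intra-zone-default",
                    "permit" if self.intra_zone_default_permit else "deny")
        # 2. Management <-> Local traffic never falls through to any-to-any.
        if {src, dst} == MGMT_LOCAL:
            return ("discard", "management-local")
        # 3. Otherwise the any-to-any zone pair applies when it exists.
        if ("any", "any") in self.zone_pairs:
            return ("zone-pair", self._applied(self.zone_pairs[("any", "any")]))
        # 4. No zone pair matches: the packet is discarded.
        return ("discard", "no-zone-pair")

def demo():
    model = ZonePairModel()
    model.add_zone_pair("Trust", "Untrust", object_policy="obj-out",
                        packet_filter="acl-3000")   # constructed names
    model.add_zone_pair("any", "any", packet_filter="acl-3001")
    flows = [("Trust", "Untrust"), ("DMZ", "Local"),
             ("Management", "Local"), ("Trust", "Trust")]
    return {f: model.decide(*f) for f in flows}
```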
Related commands