Security zones
Introduction
Security zone members
A security zone can include the following types of members:
· Layer 2 interface-VLAN combination
· Layer 3 interface:
  ◦ Layer 3 Ethernet interface
  ◦ Layer 3 logical interface, such as a Layer 3 subinterface
Security zone-based packet processing rules
The following table describes how the device handles packets when security zone-based security management is configured:

Packets | Action |
---|---|
Packets between an interface that is in a security zone and an interface that is not in any security zone | Discard. |
Packets between two interfaces that are in the same security zone | Discard by default. |
Packets between two interfaces that belong to different security zones | Forward or discard, depending on the matching security control policy. If no policy is applied to the zone pair, or the policy does not exist or does not take effect, the packets are discarded. |
Packets between two interfaces that are not in any security zone | Discard. |
Packets originating from or destined for the device itself | Forward or discard, depending on the matching object policy. By default, these packets are discarded. |
Restrictions and guidelines
· The device management interface belongs to the Management security zone. You can log in to the Web interface of the device through the management interface to manage the device remotely. If you remove the management interface from the Management security zone, Web access through that interface is terminated immediately.
· A Layer 3 interface can be added to only one security zone.
· A Layer 2 interface-VLAN combination can be added to only one security zone.
· If a packet does not match any zone pair between its specific source and destination security zones, the device searches for the any-to-any zone pair:
  ◦ If the any-to-any zone pair exists, the device processes the packet by using the security policies applied to that zone pair.
  ◦ If the any-to-any zone pair does not exist, the device discards the packet.
· By default, the device forwards packets between the Management and Local security zones.
· For packets between the Management and Local security zones, the device uses only the security control policies applied to the zone pairs of these two zones; the any-to-any zone pair is not consulted for this traffic.
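The handling rules in the table above and the zone-pair lookup described in these restrictions are easiest to reason about as a single decision procedure. The Python model below is an added example written for this page; it is not vendor code and does not reproduce the device's implementation. The zone names Trust, Untrust and DMZ, the interface names, the Rule and Packet types and the pass/drop actions are assumed for illustration, and security control policies and object policies are both simplified to rule lists attached to a (source zone, destination zone) pair.

```python
"""Model of the zone-based forwarding decision (added illustration, not vendor code; names are assumed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple, Union

LOCAL = "Local"            # zone representing the device itself
MANAGEMENT = "Management"  # zone holding the management interface
ANY = "any"                # wildcard used for the any-to-any zone pair
Member = Union[str, Tuple[str, int]]  # Layer 3 interface, or (Layer 2 interface, VLAN)


@dataclass
class Rule:
    action: str                  # "pass" or "drop"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: "Packet") -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


@dataclass
class Packet:
    in_member: Optional[Member]   # None: originated by the device itself
    out_member: Optional[Member]  # None: destined for the device itself
    src: str
    dst: str
    proto: str
    dport: int


class ZoneEngine:
    def __init__(self) -> None:
        self.zone_of: Dict[Member, str] = {}
        # Simplification: security control policies and object policies are both rule lists per zone pair.
        self.policies: Dict[Tuple[str, str], List[Rule]] = {}

    def add_member(self, zone: str, member: Member) -> None:
        if member in self.zone_of:  # a member belongs to at most one security zone
            raise ValueError(f"{member!r} already belongs to zone {self.zone_of[member]}")
        self.zone_of[member] = zone

    def _evaluate(self, rules: List[Rule], pkt: Packet) -> str:
        for rule in rules:
            if rule.matches(pkt):
                return "forward" if rule.action == "pass" else "discard"
        return "discard"  # a policy is applied, but no rule takes effect for this packet

    def decide(self, pkt: Packet) -> str:
        src_zone = LOCAL if pkt.in_member is None else self.zone_of.get(pkt.in_member)
        dst_zone = LOCAL if pkt.out_member is None else self.zone_of.get(pkt.out_member)
        if src_zone is None or dst_zone is None:
            return "discard"  # an interface outside every zone exchanges no traffic
        if src_zone == dst_zone:
            return "discard"  # intra-zone traffic is discarded by default
        rules = self.policies.get((src_zone, dst_zone))
        if {src_zone, dst_zone} == {MANAGEMENT, LOCAL}:
            # Only this zone pair counts here; with none configured, forward by default.
            return "forward" if rules is None else self._evaluate(rules, pkt)
        if rules is None:
            rules = self.policies.get((ANY, ANY))  # fall back to the any-to-any zone pair
        return "discard" if rules is None else self._evaluate(rules, pkt)


def build_demo() -> ZoneEngine:
    eng = ZoneEngine()  # constructed sample configuration; all names are illustrative
    eng.add_member("Trust", "GigabitEthernet1/0/1")
    eng.add_member("Trust", "GigabitEthernet1/0/5")
    eng.add_member("Untrust", "GigabitEthernet1/0/2")
    eng.add_member("DMZ", ("GigabitEthernet1/0/3", 10))  # interface-VLAN combination
    eng.add_member(MANAGEMENT, "M-GigabitEthernet0/0/0")
    # GigabitEthernet1/0/4 is deliberately left in no zone.
    eng.policies[("Trust", "Untrust")] = [Rule("pass", src="10.1.1.0/24", proto="tcp", dport=443),
                                          Rule("drop")]
    eng.policies[(ANY, ANY)] = [Rule("pass", proto="udp", dport=53)]
    return eng


def demo_decisions() -> Dict[str, str]:
    eng = build_demo()
    cases = {
        "trust->untrust https": Packet("GigabitEthernet1/0/1", "GigabitEthernet1/0/2", "10.1.1.5", "203.0.113.10", "tcp", 443),
        "trust->untrust ssh": Packet("GigabitEthernet1/0/1", "GigabitEthernet1/0/2", "10.1.1.5", "203.0.113.10", "tcp", 22),
        "dmz->untrust dns": Packet(("GigabitEthernet1/0/3", 10), "GigabitEthernet1/0/2", "10.2.2.9", "203.0.113.53", "udp", 53),
        "dmz->untrust http": Packet(("GigabitEthernet1/0/3", 10), "GigabitEthernet1/0/2", "10.2.2.9", "203.0.113.10", "tcp", 80),
        "trust->trust": Packet("GigabitEthernet1/0/1", "GigabitEthernet1/0/5", "10.1.1.5", "10.1.2.5", "tcp", 445),
        "trust->unzoned": Packet("GigabitEthernet1/0/1", "GigabitEthernet1/0/4", "10.1.1.5", "10.9.9.9", "tcp", 80),
        "management->local web": Packet("M-GigabitEthernet0/0/0", None, "192.168.0.10", "192.168.0.1", "tcp", 443),
        "trust->local web": Packet("GigabitEthernet1/0/1", None, "10.1.1.5", "10.1.1.1", "tcp", 443),
    }
    return {name: eng.decide(pkt) for name, pkt in cases.items()}


def duplicate_member_rejected() -> bool:
    """True when adding an interface that is already in a zone to a second zone is refused."""
    try:
        build_demo().add_member("Untrust", "GigabitEthernet1/0/1")
    except ValueError:
        return True
    return False
```

`demo_decisions()` returns the verdict for each constructed packet: the Management-to-Local request is forwarded with no zone pair configured, while the same HTTPS request from Trust to the device is discarded because the only applicable policy, the any-to-any pair, passes DNS alone. The point to check when auditing a zone design is that fallback: once an any-to-any zone pair exists, inter-zone traffic for which no specific zone pair was ever written is not discarded, it inherits whatever that pair permits.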