19-Security Configuration Guide
08-Security zone configuration
Contents
About security zones
Security zone-based packet processing rules
Security zone configuration tasks at a glance
Creating a security zone
Adding members to a security zone
Specifying the default action for packets between interfaces in the same security zone
Verifying and maintaining security zones
Configuring security zones
About security zones
You can configure security zones to implement security zone-based security management.
Basic concepts
The security zone feature includes the following basic concepts:
· Security zone—A security zone is a collection of interfaces, and optionally IPv4 or IPv6 subnets, that share the same security requirements.
· System-defined security zones—The device provides the following system-defined security zones: Local, Trust, DMZ, Management, and Untrust. The system creates these security zones automatically when one of the following events occurs:
¡ The first command for creating a security zone is executed.
¡ The first command related to creating an interzone policy is executed.
System-defined security zones cannot be deleted.
· DMZ—A demilitarized zone is a network that is separate from the internal network and the external network both logically and physically. Typically, a DMZ contains devices for the public to access, such as the Web servers and FTP servers.
Security zone-based packet processing rules
The following table describes how the device handles packets when security zone-based security management is configured:

| Packets | Action |
|---|---|
| Between an interface that is in a security zone and an interface that is not in any security zone | Discard. |
| Between two interfaces that are in the same security zone | Discard by default. See "Specifying the default action for packets between interfaces in the same security zone." |
| Between two interfaces that belong to different security zones | Forward or discard, depending on the matching interzone policy. If no policy is applied, or the policy does not exist or does not take effect, the packets are discarded. For more information about interzone policies, see "Security policy configuration." |
| Between two interfaces that are not in any security zone | Forward. |
| Originating from or destined for the device itself | Forward or discard, depending on the matching interzone policy. By default, these packets are discarded. |

Note that traffic between two interfaces that are both outside any security zone is forwarded without any interzone policy check. To keep every forwarding path under policy control, add each forwarding interface to a security zone.
Application scenarios
As a best practice, use security zone-based security management if the firewall is connected to multiple network segments or if the network topology might change.
Traditional security management is interface-based: to filter packets, you apply packet filtering policies to the inbound and outbound interfaces of the firewall. When the firewall connects to many network segments, deploying and maintaining per-interface policies is time consuming and error prone, and a topology change typically forces you to reconfigure them. With security zones, policies are attached to zone pairs rather than to interfaces, so adding an interface to a zone or moving it between zones does not require rewriting the policies.
Security zone configuration tasks at a glance
To configure security zones, perform the following tasks:
· Creating a security zone
· Adding members to a security zone
· (Optional.) Specifying the default action for packets between interfaces in the same security zone
Creating a security zone
1. Enter system view.
system-view
2. Create a security zone and enter security zone view.
security-zone name zone-name
By default, security zones Local, Trust, DMZ, Management, and Untrust exist.
Adding members to a security zone
About this task
A security zone can include the member types listed in Table 1.
Table 1 Security zone members and objects that the members identify

| Security zone member | Objects that the member identifies |
|---|---|
| Layer 3 interface (a Layer 3 Ethernet interface, or a Layer 3 logical interface such as a Layer 3 subinterface) | All packets received or sent on the interface. |
| IPv4 subnet | All packets sourced from or destined for the IPv4 subnet. |
| IPv6 subnet | All packets sourced from or destined for the IPv6 subnet. |

If a security zone has members of multiple types, a packet is matched against subnet members first and then against interface members. Matching stops at the first member that matches, so a subnet member determines the zone of a packet even if the packet arrives on an interface that belongs to a different zone.
Procedure
1. Enter system view.
system-view
2. Enter security zone view.
security-zone name zone-name
3. Add members to the security zone.
Choose one option as needed:
¡ Add a Layer 3 interface (a Layer 3 Ethernet interface or a Layer 3 logical interface such as a Layer 3 subinterface).
import interface layer3-interface-type layer3-interface-number
By default, a security zone does not have Layer 3 interface members.
You can perform this step multiple times to add multiple Layer 3 interface members.
¡ Add an IPv4 subnet.
import ip ip-address { mask-length | mask }
By default, a security zone does not have IPv4 subnet members.
You can perform this step multiple times to add multiple IPv4 subnet members.
¡ Add an IPv6 subnet.
import ipv6 ipv6-address prefix-length
By default, a security zone does not have IPv6 subnet members.
You can perform this step multiple times to add multiple IPv6 subnet members.
Specifying the default action for packets between interfaces in the same security zone
About this task
The system uses the default action for packets that are exchanged between interfaces in the same security zone in the following situations:
· A zone pair from the security zone to the security zone itself is not configured.
· A zone pair from the security zone to the security zone itself is configured, but no interzone policy is applied to the zone pair.
Procedure
1. Enter system view.
system-view
2. Specify the default action for packets exchanged between interfaces in the same security zone.
¡ Set the default action to permit. This forwards all traffic between interfaces of a zone without an interzone policy check, so use it only where every interface in the zone is equally trusted.
security-zone intra-zone default permit
¡ Set the default action to deny.
undo security-zone intra-zone default permit
The default action is deny.
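The following is an added configuration example that walks through the three procedures above on a single device; it is not taken from this guide. The zone name Branch, the interface names (GigabitEthernet 1/0/1 through 1/0/3 and the subinterface 1/0/3.100), the subnets, and the Sysname prompts are assumed for illustration. It assigns the inside and DMZ interfaces to system-defined zones, creates a user-defined zone with an interface member, an IPv4 subnet member and an IPv6 subnet member, shows the intra-zone permit setting as the weak configuration, and restores the deny default.

```console
# Added example, not from this guide: zone name, interface names, and subnets are illustrative.
<Sysname> system-view
# Put the inside and DMZ interfaces into system-defined zones first, so that no
# forwarding interface is left outside a zone (traffic between two unzoned
# interfaces is forwarded with no interzone policy check).
[Sysname] security-zone name Trust
[Sysname-security-zone-Trust] import interface gigabitethernet 1/0/1
[Sysname-security-zone-Trust] quit
[Sysname] security-zone name DMZ
[Sysname-security-zone-DMZ] import interface gigabitethernet 1/0/2
[Sysname-security-zone-DMZ] quit
# Create a user-defined zone for a branch reached over a Layer 3 subinterface.
# Also import the branch address space: subnet members are matched before
# interface members, so branch-sourced packets land in this zone regardless of
# the interface they arrive on.
[Sysname] security-zone name Branch
[Sysname-security-zone-Branch] import interface gigabitethernet 1/0/3.100
[Sysname-security-zone-Branch] import ip 10.20.0.0 16
[Sysname-security-zone-Branch] import ipv6 2001:db8:20:: 48
[Sysname-security-zone-Branch] quit
# Weak setting: forwards traffic between interfaces of the same zone with no
# interzone policy check at all.
[Sysname] security-zone intra-zone default permit
# Hardened setting (the device default): intra-zone traffic stays denied unless a
# zone pair from the zone to itself carries an explicit interzone policy.
[Sysname] undo security-zone intra-zone default permit
# Verify the membership of the new zone.
[Sysname] display security-zone name Branch
```

After this configuration, packets between Trust, DMZ, and Branch are still discarded until an interzone policy is applied to the corresponding zone pairs, and packets originating from or destined for the device itself (represented by the system-defined Local zone) are also discarded by default, so management access to the device needs its own interzone policy before it will work.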
Verifying and maintaining security zones
To display security zone information, execute the following command in any view:
display security-zone [ name zone-name ]