Security zones

Introduction

Security zone

A security zone is a collection of interfaces that share the same security requirements. By assigning interfaces to security zones, you can implement security zone-based security management, in which forwarding decisions are made per zone pair rather than per interface.

Security zone members

A security zone can include the following types of members: VLANs, Layer 2 interfaces, and Layer 3 interfaces.

Security zone-based packet processing rules

The following table describes how the device handles packets when security zone-based security management is configured. Note that only traffic between two different zones is subject to the security control policy; traffic that involves an interface outside any zone, or the device itself, follows the fixed rules below.

Packets between an interface that is in a security zone and an interface that is not in any security zone:
    Discard.

Packets between two interfaces that are in the same security zone:
    Forward by default.

Packets between two interfaces that belong to different security zones:
    Forward or discard, depending on the matching security control policy. If no policy matches the packets, or the matching policy is not applied or does not take effect, the packets are discarded (default deny).

Packets between two interfaces that are not in any security zone:
    Forward.

Packets originated from or destined for the device itself:
    Forward or discard, depending on the matching object policy. If no object policy matches, these packets are discarded by default.
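To make the rules above concrete, the following Python model replays them against constructed packets. It is an added example, not code from the device or this documentation: the interface names, zone names, policy fields, the first-match semantics with default discard, and the pseudo-interface "self" and pseudo-zone "Local" used to represent traffic to and from the device itself are all assumptions made for the model.

```python
"""Model of security zone-based packet handling (added example, not device code).

Assumptions (not from the documentation): traffic to or from the device itself
uses the pseudo-interface SELF and is matched against the object policy with
the device side represented by the pseudo-zone LOCAL; policies are evaluated
first-match, and no match means discard.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional

SELF = "self"     # pseudo-interface for device-originated/destined traffic (assumption)
LOCAL = "Local"   # pseudo-zone standing for the device in object-policy rules (assumption)


@dataclass(frozen=True)
class Packet:
    in_if: str       # ingress interface, or SELF for device-originated traffic
    out_if: str      # egress interface, or SELF for device-destined traffic
    src: str
    dst: str
    service: str     # "proto/port", e.g. "tcp/443"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src_net: str
    dst_net: str
    services: FrozenSet[str]   # empty set means any service
    action: str                # "pass" or "drop"
    enabled: bool = True       # a disabled rule does not take effect

    def matches(self, src_zone: Optional[str], dst_zone: Optional[str], pkt: Packet) -> bool:
        return (self.enabled
                and (src_zone, dst_zone) == (self.src_zone, self.dst_zone)
                and ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and (not self.services or pkt.service in self.services))


def first_match(rules: List[Rule], src_zone: Optional[str], dst_zone: Optional[str], pkt: Packet) -> str:
    """The first matching rule decides; with no match the default action is discard."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, pkt):
            return "forward" if rule.action == "pass" else "discard"
    return "discard"


class ZoneFirewall:
    def __init__(self, zone_of: Dict[str, str], security_policy: List[Rule], object_policy: List[Rule]):
        self.zone_of = zone_of                  # interface name -> zone name
        self.security_policy = security_policy  # inter-zone security control policy
        self.object_policy = object_policy      # policy for traffic to/from the device

    def zone(self, ifname: str) -> Optional[str]:
        return LOCAL if ifname == SELF else self.zone_of.get(ifname)

    def decide(self, pkt: Packet) -> str:
        src_zone, dst_zone = self.zone(pkt.in_if), self.zone(pkt.out_if)
        if SELF in (pkt.in_if, pkt.out_if):
            return first_match(self.object_policy, src_zone, dst_zone, pkt)  # default discard
        if src_zone is None and dst_zone is None:
            return "forward"   # neither interface is in any zone
        if src_zone is None or dst_zone is None:
            return "discard"   # zoned <-> unzoned is always dropped
        if src_zone == dst_zone:
            return "forward"   # intra-zone traffic is forwarded by default
        return first_match(self.security_policy, src_zone, dst_zone, pkt)


# Constructed sample configuration; interface, zone and address values are illustrative.
ZONE_OF = {"GE1/0/1": "Trust", "GE1/0/2": "Untrust", "GE1/0/3": "Trust", "GE1/0/4": "DMZ"}
SECURITY_POLICY = [
    Rule("Trust", "Untrust", "10.1.1.0/24", "0.0.0.0/0", frozenset({"tcp/80", "tcp/443"}), "pass"),
    # Configured but disabled: it exists yet does not take effect, so Trust -> DMZ is discarded.
    Rule("Trust", "DMZ", "10.1.1.0/24", "172.16.0.0/24", frozenset(), "pass", enabled=False),
]
OBJECT_POLICY = [
    Rule("Trust", LOCAL, "10.1.1.0/24", "10.1.1.1/32", frozenset({"tcp/22"}), "pass"),
]
FW = ZoneFirewall(ZONE_OF, SECURITY_POLICY, OBJECT_POLICY)

if __name__ == "__main__":
    samples = [
        Packet("GE1/0/1", "GE1/0/2", "10.1.1.5", "203.0.113.9", "tcp/443"),  # inter-zone, permitted
        Packet("GE1/0/1", "GE1/0/2", "10.1.1.5", "203.0.113.9", "tcp/23"),   # inter-zone, no match
        Packet("GE1/0/1", "GE1/0/4", "10.1.1.5", "172.16.0.10", "tcp/80"),   # rule disabled
        Packet("GE1/0/1", "GE1/0/3", "10.1.1.5", "10.1.2.5", "tcp/23"),      # same zone
        Packet("GE1/0/1", "GE1/0/5", "10.1.1.5", "192.0.2.1", "tcp/80"),     # peer not in any zone
        Packet("GE1/0/5", "GE1/0/6", "192.0.2.1", "192.0.2.2", "tcp/80"),    # neither in a zone
        Packet("GE1/0/1", SELF, "10.1.1.5", "10.1.1.1", "tcp/22"),           # to the device, permitted
        Packet(SELF, "GE1/0/2", "10.1.1.1", "203.0.113.9", "udp/53"),        # from the device, no match
    ]
    for p in samples:
        print(f"{p.in_if:>8} -> {p.out_if:<8} {p.service:<8} {FW.decide(p)}")
```

The disabled Trust-to-DMZ rule is the case to notice: a policy that exists but does not take effect is indistinguishable from no policy at all, and the traffic is silently discarded. When troubleshooting "blocked" inter-zone traffic, check whether the matching policy is enabled and applied before looking for a missing rule.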

Whitelist

This feature exempts packets sourced from the subnets specified in the whitelisted address object group from attack detection. Packets from a whitelisted address are forwarded directly, whether or not they would otherwise be identified as attack packets, so the whitelist should contain only sources you trust and be kept as narrow as possible.

The whitelist can contain only one address object group, and that object group can only be added to or deleted from the whitelist manually.

Restrictions and guidelines

Configure security zones

Configure security zones as shown in Figure-1.

Figure-1 Security zone configuration procedure

Configure a security zone

A security zone is a logical concept. The administrator groups interfaces that share the same security requirements into one security zone, and places interfaces with different requirements in different zones, so that inter-zone policies can be managed in a unified way. Inter-zone policies inspect traffic flows between zones, and the device forwards or discards packets based on the inspection results.

To configure a security zone:

  1. Click the Network tab.

  2. In the navigation pane, select Security Zones.

  3. Click Create.

  4. Configure security zone parameters as needed.

    Figure-2 Creating a security zone

    Table-1 Security zone configuration items

    Security zone name
        Configure the security zone name.

    VLAN members
        Add VLANs to the security zone as members.

    Layer 2 members
        Add Layer 2 interfaces to the security zone as members.

    Layer 3 members
        Add Layer 3 interfaces to the security zone as members.

  5. Click OK. The newly created security zone is displayed on the Security Zones page.

(Optional) Configure the whitelist

The whitelist feature exempts packets sourced from the IP addresses specified in the whitelisted address object group from attack detection.

Only address object groups can be added to or deleted from the whitelist, and only manually. To configure an address object group, access the Objects > Object Groups page.

To configure the whitelist:

  1. Click the Network tab.

  2. In the navigation pane, select Security Zones > Whitelist.

  3. Click Create.

  4. Add an address object group to the whitelist.

    Figure-3 Adding an address object group to the whitelist

    Table-2 Whitelist configuration items

    Object group type
        Select an IP version, IPv4 or IPv6.

    Object group name
        Select an existing address object group or create a new one. A newly created address object group is also displayed on the Objects > Object Groups page.

  5. Click OK.

(Optional) Configure client verification

The IP addresses protected by client verification can be added manually or learned automatically. When client verification collaborates with flood attack detection, the device automatically adds the IP addresses of flood attack victims to the protected IP list; for this to work, client verification must be specified as the flood attack prevention action. The device forwards packets from trusted IP addresses directly, without verifying them again.

To configure client verification:

  1. Click the Network tab.

  2. In the navigation pane, select Security Zones > Client Verification.

  3. Click Create.

  4. Configure client verification.

    Figure-4 Configuring client verification

    Table-3 Client verification configuration items

    Protocol
        Protocol type for client verification:

        • TCP—Specifies TCP client verification.

        • DNS—Specifies DNS client verification.

        • DNS reply—Specifies DNS reply source verification.

        • HTTP—Specifies HTTP client verification.

        • HTTPS—Specifies HTTPS client verification.

        • SIP—Specifies SIP client verification.

    VRF
        VRF to which the protected IP address belongs. You can select an existing VRF or create a new one. A newly created VRF is also displayed on the Network > VRF page.

    IP version
        Select an IP version, IPv4 or IPv6.

    IP address
        Protected IP address. All connection requests of the selected protocol type that are destined for this address are verified by the client verification feature. These are the request types an attacker floods a protected IP with: TCP connection requests, DNS queries, DNS replies, HTTP GET requests, HTTP POST requests, HTTPS requests, or SIP UDP INVITE requests.

    Port number
        Number of the protected port. By default, DNS client verification protects port 53, HTTP client verification protects port 80, HTTPS client verification protects port 443, SIP client verification protects port 5060, and TCP client verification protects all ports.

  5. Click OK. The Client Verification page displays protected IP addresses manually added and automatically learned.