Security zone-based security management
To implement security zone-based security management, assign interfaces with the same security requirements to the same security zone.
For example, your enterprise has four network segments for the R&D department and two network segments for the servers. You can perform the following tasks to control traffic between the security zones:
1. Create two security zones: Zone_RND and Zone_DMZ.
2. Assign the four firewall interfaces that are connected to the R&D department to Zone_RND.
3. Assign the two firewall interfaces that are connected to the servers to Zone_DMZ.
4. Deploy security policies between the two security zones, including ACLs, ASPF policies, and object policies.
If the network topology changes, you only need to change interface assignments. You do not need to modify the security policies. For more information about packet filtering policies, see ACL and QoS Configuration Guide. For more information about ASPF and object policies, see Security Configuration Guide.
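The following configuration listing is an added example, not taken from this guide, showing the two-zone layout above in Comware-style command syntax. Interface numbers, subnets, object-group names and the policy name are placeholders; the command forms (`security-zone name`, `import interface`, `object-policy ip`, `zone-pair security`) are assumed to match the platform and should be checked against the Security Configuration Guide.

```text
# Constructed example: two zones, one object policy, one zone pair.
system-view

# Step 1-3: create the zones and assign the firewall interfaces.
security-zone name Zone_RND
 import interface GigabitEthernet 1/0/1
 import interface GigabitEthernet 1/0/2
 import interface GigabitEthernet 1/0/3
 import interface GigabitEthernet 1/0/4
 quit
security-zone name Zone_DMZ
 import interface GigabitEthernet 1/0/5
 import interface GigabitEthernet 1/0/6
 quit

# Address groups so the rules refer to names rather than raw prefixes (placeholders).
object-group ip address rnd-hosts
 network subnet 10.10.0.0 255.255.0.0
 quit
object-group ip address dmz-servers
 network subnet 192.0.2.0 255.255.255.0
 quit

# Step 4: object policy that lets R&D reach the servers and drops everything else.
object-policy ip rnd-to-dmz
 rule 0 pass source-ip rnd-hosts destination-ip dmz-servers
 rule 1 drop
 quit

# Bind the policy to the Zone_RND -> Zone_DMZ zone pair. Inter-zone packets with no
# matching, effective object policy are discarded, so a pair with no policy denies.
zone-pair security source Zone_RND destination Zone_DMZ
 object-policy apply ip rnd-to-dmz
 quit

# Zone_DMZ -> Zone_RND is a separate zone pair; until one exists with a policy,
# packets in that direction are discarded.

# Topology change: if the fourth R&D segment moves to port 1/0/7, only the zone
# membership changes; the object policy and zone pair above stay as they are.
security-zone name Zone_RND
 undo import interface GigabitEthernet 1/0/4
 import interface GigabitEthernet 1/0/7
 quit
```

Interfaces that are in the same zone, or in no zone, follow the default actions in the table below rather than this policy, so confirm each interface's membership (for example with `display security-zone`, a command name assumed here) after any change.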
Figure 38: Security zones
The following table describes how the device handles packets when security zone-based security management is configured:
Packets | Action |
---|---|
Packets between an interface that is in a security zone and an interface that is not in any security zone | Discard. |
Packets between two interfaces that are in the same security zone | Discard by default. |
Packets between two interfaces that belong to different security zones | Forward or discard, depending on the matching object policy. If the object policy does not exist or does not take effect, the packets are discarded. For more information, see "Creating a zone pair." |
Packets between two interfaces that are not in any security zone | Forward. |
Packets originating from or destined for the device itself | Forward or discard, depending on the matching object policy. By default, these packets are discarded. |