Creating a zone pair
A zone pair has a source security zone and a destination security zone. The device examines the first packet of each data flow it receives and uses zone pairs to identify the flow.
You can use the zone-pair security source any destination any command to define the any-to-any zone pair. This zone pair matches all packets from one security zone to another security zone.
After you apply security policies to zone pairs, the device processes data flows based on security policies.
- If a packet matches a zone pair between specific security zones, the device processes the packet by using the security policies applied to that zone pair.
- If a packet does not match any zone pair between specific security zones, the device checks whether the packet is between the Management and Local zones.
  - If the packet is between the Management and Local zones, the device discards the packet.
  - If the packet is not between the Management and Local zones, the device searches for the any-to-any zone pair.
    - If the any-to-any zone pair exists, the device processes the packet by using the security policies applied to that zone pair.
    - If the any-to-any zone pair does not exist, the device discards the packet.
If you apply an object policy and a packet filtering policy to a zone pair, the object policy takes precedence.
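The lookup order described above (specific zone pair, then the Management/Local check, then the any-to-any zone pair, then discard) together with the object-policy precedence rule, modelled as an added Python example that is not part of this documentation. Zone names other than Management and Local, and all policy names, are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ANY = "any"
PairKey = Tuple[str, str]


@dataclass
class ZonePair:
    """A zone pair and the security policies applied to it (policy names constructed)."""
    source: str
    destination: str
    object_policy: Optional[str] = None
    packet_filter: Optional[str] = None

    def effective_policy(self) -> Optional[str]:
        # An object policy takes precedence over a packet filtering policy.
        return self.object_policy or self.packet_filter


class ZonePairTable:
    def __init__(self) -> None:
        # By default, no zone pair exists.
        self.pairs: Dict[PairKey, ZonePair] = {}

    def add(self, zp: ZonePair) -> None:
        self.pairs[(zp.source, zp.destination)] = zp

    def lookup(self, src_zone: str, dst_zone: str) -> Tuple[str, Optional[PairKey], Optional[str]]:
        """Return (action, matched zone pair key, policy used) for a flow's first packet."""
        # 1. A zone pair between the specific source and destination zones wins.
        zp = self.pairs.get((src_zone, dst_zone))
        if zp is None:
            # 2. Unmatched traffic between the Management and Local zones is discarded.
            if {src_zone, dst_zone} == {"Management", "Local"}:
                return ("discard", None, None)
            # 3. Otherwise fall back to the any-to-any zone pair, if one is configured.
            zp = self.pairs.get((ANY, ANY))
            if zp is None:
                return ("discard", None, None)
        return ("policy", (zp.source, zp.destination), zp.effective_policy())


def demo_table() -> ZonePairTable:
    """Constructed sample configuration: one specific pair plus an any-to-any pair."""
    table = ZonePairTable()
    table.add(ZonePair("Trust", "Untrust", object_policy="obj-trust-untrust",
                       packet_filter="acl-3000"))
    table.add(ZonePair(ANY, ANY, packet_filter="acl-3999"))
    return table
```

With the sample table, Trust-to-Untrust traffic is handled by the object policy (the packet filter on the same pair is ignored), DMZ-to-Untrust falls through to the any-to-any pair, and Management/Local traffic is discarded because no specific pair covers it.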
To create a zone pair:
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. Create a zone pair and enter zone pair view. | zone-pair security source { source-zone-name \| any } destination { destination-zone-name \| any } | By default, no zone pair exists.