topic Re: Simple Policy Question in General Topics

Simple Policy Question

cmaier — Wed, 24 Aug 2011 19:51:50 GMT

This is a simple one, but I couldn't find it specifically stated in the manual.

When I define a security policy, are the Zone and Address exclusive of each other? In other words, if I select a zone,it requires I put in specific IP's or select Any. If I leave the IP's as any, but select a specific zone, will it only allow IP's from within that zone - or will it allow Any in addition to the zone? Or do I have to select the zone and then specifiy what IP's in that zone I want to have the policy apply to?

I hope that makes sense - the only way I could come up with to explain it seems a bit confusing - even to me....

Re: Simple Policy Question

joshsmtech — Wed, 24 Aug 2011 21:46:51 GMT

If your rule has Zone A to Zone B specified and IP address source and destination of any, then the traffic will be filtered based on zones only regardless of IP. Entering in an IP address is not required, if you want to only filter on zones this can be done as long as your source and destination IPs are "any". Typically you assign interfaces to Zones so you need to understand your network topology to understand what traffic is coming through each zone, but when filtering at the zone level IP addresses do not need to be specified.

For Example:

I want all of my internal users to access anything in our DMZ and the web and my DMZ to be able to access the Web I would create 3 zones...

Zone A = Internal Users, multiple subnets and IPs

Zone B = DMZ multiple subnets and IPs

Zone C = Internet multiple subnets and IPs

My rule would go something like this:

Name	S. Zone	D. Zone	S. Address	D. Address	Application	Service	Action
Rule 1	Zone A	Zone B Zone C	Any	Any	Any	Any	Allow
Rule 2	Zone B	Zone C	Any	Any	Any	Any	Allow

No Specific IPs need to be listed to put these rules in.

Re: Simple Policy Question

cmaier — Thu, 25 Aug 2011 17:07:14 GMT

OK, just to make sure I understand this correctly...

If I want traffic to hit a destination IP, I leave the Destination Zone as Any and enter the IP in Destination Address?

Re: Simple Policy Question

joshsmtech — Mon, 29 Aug 2011 18:29:56 GMT

If you know which zone the destination IP is in, then I would recommend you specify the destination zone and IP address. However, this is not a requirement. You can also leave the zone as any. It depends on your organizations, topology, security policies and best practices but either way will work.