topic Re: intra-zone default in General Topics

intra-zone default

Retired Member — Thu, 03 Jan 2013 15:21:16 GMT

Hi,

Do we have an option to disable default intrazone-allow policy which is hidden.

thanks

Re: intra-zone default

sdurga — Thu, 03 Jan 2013 16:31:08 GMT

Not any as far as i know !!

Re: intra-zone default

jvalentine — Thu, 03 Jan 2013 16:38:30 GMT

You can add an explicit "deny any any" rule at the bottom of your security policy which will override the implicit permit intra-zone policy. That doesn't disable that default policy, but no traffic will ever hit that implicit rule because the explicit deny any rule will get hit first.

Re: intra-zone default

mbutt — Thu, 03 Jan 2013 16:48:59 GMT

Hi Bulent,

By default same zone traffic is allowed and different zone traffic is denied.

If you want to block the same zone traffic you and create a security rule and define it and that will block the traffic between the same zone.

Example

Hope this helps.

Thank you

Numan

Re: intra-zone default

Retired Member — Thu, 03 Jan 2013 16:56:05 GMT

Thanks for all.I know how to block with a rule but I wonder if there is any cli command for changing default behaviour.For different vendors there is a choice to do this.I see that there is no choice for us.Thanks.

Re: intra-zone default

ukhapre — Thu, 10 Jan 2013 02:32:05 GMT

Hello,

There is no option available to disable the default behaviour but only way is to setup a 'any' 'any' block rule at the bottom to block same zone traffic.

The different zone traffic is not allowed by default. The zones are meant for same area traffic which needs to be allowed.

You may contact SE and request for a 'feature request' to have a configurable option instead of setting up a 'deny all' policy towards bottom.

Hope this helps.

Please mark the answer as 'Correct answer or helpful' if appropriate.