by reaper, 02-21-2017 06:36 AM - edited 03-10-2017 08:29 AM
Migrating security platforms can be a Herculean task, especially when moving from a firewall that has no concept of zones and needing to build a security policy up from scratch. Soon enough, you might start to look like this guy:
When creating a security policy there is a dropdown called 'Rule Type' that can considerably change how your security policies behave, if applied appropriately.
The difference introduced by this seemingly simple 'type' is significant. The default type, 'universal', is the traditional behavior: the rule matches any zone listed in the source field to any zone listed in the destination field, including a session whose source and destination zone are the same. The other two types turn the rule into an exclusive operator that matches only sessions within a zone, or only sessions between different zones.
An 'intrazone' type policy will only allow (or block) sessions whose source and destination zone are the same; the destination zone field is not configurable for this type, since it is implied by the source. This is very useful when the firewall is deployed in Layer 2 mode and bridges VLANs from one switch stack to another, with each VLAN represented by its own zone.
An 'interzone' type policy is the exact opposite: it only matches sessions from one zone to a different zone, even if the same zone is listed in both the source and destination fields. This is useful when many bidirectional policies need to be set up between a group of zones without inadvertently allowing or blocking sessions inside a zone. Keep in mind that any session not matched by your own rules falls through to the predefined rules at the bottom of the rulebase: 'intrazone-default' allows traffic within a zone and 'interzone-default' denies traffic between zones.
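To make the three rule types concrete, here is a small Python model of the zone-matching part of rule evaluation, written for this post as an added example; it is not PAN-OS code or anything from the original article. It only models zones and rule type (real evaluation also matches addresses, users, applications and services), uses constructed zone and rule names (vlan10, vlan20, bridge-any, no-east-west), and appends the two predefined rules, 'intrazone-default' (allow) and 'interzone-default' (deny), so that every session resolves to some rule.

```python
from dataclasses import dataclass
from typing import List, Tuple

RULE_TYPES = ("universal", "intrazone", "interzone")


def _zone_in(zone: str, zones: List[str]) -> bool:
    """'any' in a zone list matches every zone."""
    return "any" in zones or zone in zones


@dataclass
class Rule:
    name: str
    rule_type: str        # one of RULE_TYPES
    src_zones: List[str]  # zones in the source field
    dst_zones: List[str]  # zones in the destination field; ignored for intrazone rules
    action: str           # "allow" or "deny"

    def __post_init__(self) -> None:
        if self.rule_type not in RULE_TYPES:
            raise ValueError(f"unknown rule type {self.rule_type!r}")

    def matches(self, src: str, dst: str) -> bool:
        """Return True if a session from zone src to zone dst hits this rule."""
        if not _zone_in(src, self.src_zones):
            return False
        if self.rule_type == "intrazone":
            # Destination zone is implied to equal the source; dst_zones is not consulted.
            return src == dst
        if not _zone_in(dst, self.dst_zones):
            return False
        if self.rule_type == "interzone":
            # Same zone on both sides never matches, even if it is listed in dst_zones.
            return src != dst
        return True  # universal: any listed source to any listed destination


# Predefined rules that sit below every user rule in the rulebase.
DEFAULT_RULES = [
    Rule("intrazone-default", "intrazone", ["any"], ["any"], "allow"),
    Rule("interzone-default", "interzone", ["any"], ["any"], "deny"),
]


def evaluate(rulebase: List[Rule], src: str, dst: str) -> Tuple[str, str]:
    """First-match, top-down evaluation; returns (rule name, action)."""
    for rule in list(rulebase) + DEFAULT_RULES:
        if rule.matches(src, dst):
            return rule.name, rule.action
    raise RuntimeError("unreachable: the default rules cover every zone pair")


# Constructed rulebases for a Layer 2 firewall bridging two VLAN zones.
BRIDGE_ZONES = ["vlan10", "vlan20"]

# Universal rule: also matches vlan10 -> vlan10, which is often not what was intended.
UNIVERSAL_RULEBASE = [
    Rule("bridge-any", "universal", BRIDGE_ZONES, BRIDGE_ZONES, "allow"),
]

# Interzone rule for the bridge plus an intrazone deny for one VLAN: the bridge rule
# can no longer accidentally decide what happens inside a zone.
INTERZONE_RULEBASE = [
    Rule("bridge-only", "interzone", BRIDGE_ZONES, BRIDGE_ZONES, "allow"),
    Rule("no-east-west", "intrazone", ["vlan10"], [], "deny"),
]


if __name__ == "__main__":
    for label, rb in (("universal", UNIVERSAL_RULEBASE), ("interzone", INTERZONE_RULEBASE)):
        for src, dst in (("vlan10", "vlan20"), ("vlan10", "vlan10"), ("vlan20", "vlan20")):
            print(label, src, "->", dst, evaluate(rb, src, dst))
```

With the universal rule, vlan10 -> vlan10 is allowed by 'bridge-any' itself. With the interzone rule, vlan10 -> vlan10 skips 'bridge-only' and reaches the intrazone deny, while vlan20 -> vlan20 falls all the way through to 'intrazone-default'; a zone not listed anywhere ends at 'interzone-default' and is denied.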