What’s this security policy ‘type’ thing anyway?

by ‎02-21-2017 06:36 AM - edited ‎05-11-2017 08:02 AM (1,957 Views)

Migrating security platforms can be a Herculean task, especially when moving from a non-zone based system and needing to build a security policy up from scratch. Soon enough, you might start to look like this guy:


When creating a security policy, there is a dropdown called 'Rule Type' that can considerably change how your security policies behave, if it is applied appropriately.

[Image: the 'Rule Type' dropdown in the security policy editor (rule type.png)]

 

The difference in behavior introduced by this seemingly simple 'type' is significant: it changes a policy from the traditional match (any zone listed in the source field to any zone listed in the destination field) into an exclusive operator that also considers whether the source and destination zones are the same.

 

An 'intrazone' type policy will only allow (or block) sessions that stay inside the same zone. This is very useful when the firewall is set up in Layer 2 mode and is bridging VLANs from one switch stack to the other, with each VLAN represented by a zone.

 

An 'interzone' type policy is the exact opposite: it will only allow sessions from one zone to a different zone, even if the same zone is listed in both the source and destination fields. This is useful when many bidirectional policies need to be set up without inadvertently allowing or blocking sessions inside a zone.

 

[Image: intrazone versus interzone matching between zones (zone types.png)]
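To make the three matching behaviours concrete, here is a small model of zone matching for a first-match rulebase. This is an added example, not code from the original post or from the firewall vendor; the zone names and rulebase are constructed sample data, and 'universal' is assumed as the name of the default rule type.

```python
# Added example: a minimal model of how the 'Rule Type' field changes zone
# matching. Zone names and the rulebase below are constructed sample data;
# 'universal' is an assumed name for the default (non-exclusive) rule type.
from dataclasses import dataclass

ANY = "any"


@dataclass
class Rule:
    name: str
    src_zones: set
    dst_zones: set
    action: str                   # "allow" or "deny"
    rule_type: str = "universal"  # "universal", "intrazone" or "interzone"

    @staticmethod
    def _zone_listed(zones, zone):
        return ANY in zones or zone in zones

    def matches(self, src_zone, dst_zone):
        """True if the session's zone pair is covered by this rule."""
        if not (self._zone_listed(self.src_zones, src_zone)
                and self._zone_listed(self.dst_zones, dst_zone)):
            return False
        if self.rule_type == "intrazone":
            # Only sessions that stay inside one zone.
            return src_zone == dst_zone
        if self.rule_type == "interzone":
            # Only sessions crossing zones, even when the same zone
            # appears in both the source and destination lists.
            return src_zone != dst_zone
        if self.rule_type == "universal":
            return True
        raise ValueError(f"unknown rule type: {self.rule_type}")


def evaluate(rulebase, src_zone, dst_zone):
    """First-match evaluation: (rule name, action), or (None, None)."""
    for rule in rulebase:
        if rule.matches(src_zone, dst_zone):
            return rule.name, rule.action
    return None, None


# Constructed sample rulebase: two VLAN zones bridged by a Layer 2 firewall.
# Listing both zones in both fields would, with a universal rule, also match
# traffic that never leaves its VLAN; the rule types keep the two cases apart.
SAMPLE_RULEBASE = [
    Rule("block-lateral", {"vlan10", "vlan20"}, {"vlan10", "vlan20"}, "deny", "intrazone"),
    Rule("allow-between-vlans", {"vlan10", "vlan20"}, {"vlan10", "vlan20"}, "allow", "interzone"),
]
```

Comparing the same zone lists under a universal rule shows the inadvertent intra-VLAN match the post warns about.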

 

For another resource that helps you tighten up security with a few nifty tricks, check out this article: Optimize Your Security Policy

 

Reaper out
