Simple Policy Question

L1 Bithead

This is a simple one, but I couldn't find it specifically stated in the manual.

When I define a security policy, are the Zone and Address exclusive of each other? In other words, if I select a zone, it requires I put in specific IPs or select Any. If I leave the IPs as Any, but select a specific zone, will it only allow IPs from within that zone, or will it allow Any in addition to the zone? Or do I have to select the zone and then specify what IPs in that zone I want the policy to apply to?

I hope that makes sense - the only way I could come up with to explain it seems a bit confusing, even to me....


Not applicable

If your rule has Zone A to Zone B specified and IP address source and destination of any, then the traffic will be filtered based on zones only regardless of IP. Entering in an IP address is not required, if you want to only filter on zones this can be done as long as your source and destination IPs are "any". Typically you assign interfaces to Zones so you need to understand your network topology to understand what traffic is coming through each zone, but when filtering at the zone level IP addresses do not need to be specified.

For Example:

I want all of my internal users to access anything in our DMZ and the web, and my DMZ to be able to access the web. I would create 3 zones...

Zone A = Internal Users, multiple subnets and IPs

Zone B = DMZ multiple subnets and IPs

Zone C = Internet multiple subnets and IPs

My rule would go something like this:

Name    S. Zone  D. Zone         S. Address  D. Address  Application  Service  Action
Rule 1  Zone A   Zone B, Zone C  Any         Any         Any          Any      Allow
Rule 2  Zone B   Zone C          Any         Any         Any          Any      Allow

No specific IPs need to be listed to put these rules in.
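As an added example (not code from the thread or from the vendor), a small Python model of the two rules above, showing that zone and address are independent match criteria that are ANDed together: with source and destination address left as "any", the zone alone restricts the traffic, and a flow from a zone not named in the rule falls through to the implicit deny. The subnets behind each zone are constructed for the example; a real firewall derives a packet's zone from its ingress interface and the route lookup, not from these prefixes.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: the subnets sitting behind each zone's interfaces.
ZONES = {
    "Zone A": [ip_network("10.1.0.0/16")],    # internal users
    "Zone B": [ip_network("192.0.2.0/24")],   # DMZ
    "Zone C": [ip_network("0.0.0.0/0")],      # Internet (catch-all)
}

# The two rules from the answer above: zones set, addresses left as "any".
RULES = [
    {"name": "Rule 1", "from": {"Zone A"}, "to": {"Zone B", "Zone C"},
     "src": "any", "dst": "any", "action": "allow"},
    {"name": "Rule 2", "from": {"Zone B"}, "to": {"Zone C"},
     "src": "any", "dst": "any", "action": "allow"},
]

def zone_of(ip):
    """Longest-prefix match of an IP against the constructed zone subnets."""
    addr, best = ip_address(ip), None
    for zone, nets in ZONES.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (zone, net.prefixlen)
    return best[0]

def zone_ok(field, zone):
    return field == "any" or zone in field

def addr_ok(field, ip):
    # "any" matches everything; otherwise the field is a list of prefixes.
    return field == "any" or any(ip_address(ip) in ip_network(n) for n in field)

def evaluate(src_ip, dst_ip, rules=RULES):
    """First matching rule wins; no match falls through to the implicit deny."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in rules:
        if (zone_ok(rule["from"], src_zone) and zone_ok(rule["to"], dst_zone)
                and addr_ok(rule["src"], src_ip) and addr_ok(rule["dst"], dst_ip)):
            return rule["name"], rule["action"]
    return "implicit", "deny"

if __name__ == "__main__":
    print(evaluate("10.1.5.5", "192.0.2.10"))     # internal -> DMZ: Rule 1, allow
    print(evaluate("192.0.2.10", "203.0.113.7"))  # DMZ -> Internet: Rule 2, allow
    print(evaluate("203.0.113.7", "192.0.2.10"))  # Internet -> DMZ: implicit deny
```

Passing a rule with the destination zone set to "any" and a specific destination prefix to `evaluate()` models the follow-up question in this thread: the address then narrows the match on its own.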

OK, just to make sure I understand this correctly...

If I want traffic to hit a destination IP, I leave the Destination Zone as Any and enter the IP in Destination Address?

If you know which zone the destination IP is in, then I would recommend you specify the destination zone and IP address. However, this is not a requirement. You can also leave the zone as Any. It depends on your organization's topology, security policies and best practices, but either way will work.
