08-24-2011 12:51 PM
This is a simple one, but I couldn't find it specifically stated in the manual.
When I define a security policy, are the Zone and Address exclusive of each other? In other words, if I select a zone, it requires I put in specific IPs or select Any. If I leave the IPs as Any, but select a specific zone, will it only allow IPs from within that zone, or will it allow Any in addition to the zone? Or do I have to select the zone and then specify what IPs in that zone I want to have the policy apply to?
I hope that makes sense - the only way I could come up with to explain it seems a bit confusing - even to me....
08-24-2011 02:46 PM
If your rule has Zone A to Zone B specified and IP address source and destination of any, then the traffic will be filtered based on zones only regardless of IP. Entering in an IP address is not required, if you want to only filter on zones this can be done as long as your source and destination IPs are "any". Typically you assign interfaces to Zones so you need to understand your network topology to understand what traffic is coming through each zone, but when filtering at the zone level IP addresses do not need to be specified.
For Example:
If I want all of my internal users to access anything in our DMZ and the web, and my DMZ to be able to access the web, I would create 3 zones...
Zone A = Internal Users, multiple subnets and IPs
Zone B = DMZ multiple subnets and IPs
Zone C = Internet multiple subnets and IPs
My rule would go something like this:
Name | S. Zone | D. Zone | S. Address | D. Address | Application | Service | Action
---|---|---|---|---|---|---|---
Rule 1 | Zone A | Zone B, Zone C | Any | Any | Any | Any | Allow
Rule 2 | Zone B | Zone C | Any | Any | Any | Any | Allow
No Specific IPs need to be listed to put these rules in.
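To make the zone/address matching described in the reply above concrete, here is an added example of a toy first-match policy evaluator. It is not PAN-OS code and does not reproduce the firewall's real lookup; the zone names, subnets, IPs and rules are constructed for illustration, and zone membership is derived from the subnet an address falls in as a stand-in for the interface-to-zone assignment the reply mentions. Rule 1 and Rule 2 mirror the table above; a third rule (an assumption added here) shows the follow-up case of a destination zone of "any" combined with a specific destination IP.

```python
"""Toy first-match security policy evaluator (added example, not PAN-OS code).

Zone membership is resolved by longest-prefix match against constructed
subnets; on a real firewall it comes from the ingress/egress interface.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Tuple

# Constructed topology (assumption): subnets stand in for interface-to-zone mapping.
ZONES = {
    "Zone A": [ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16")],  # internal users
    "Zone B": [ip_network("172.16.0.0/24")],                            # DMZ
    "Zone C": [ip_network("0.0.0.0/0")],                                # Internet (catch-all)
}


def zone_of(ip: str) -> str:
    """Return the zone whose most specific (longest-prefix) subnet contains ip."""
    addr = ip_address(ip)
    best: Optional[Tuple[int, str]] = None
    for zone, nets in ZONES.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, zone)
    if best is None:
        raise ValueError(f"no zone for {ip}")
    return best[1]


@dataclass(frozen=True)
class Rule:
    name: str
    src_zones: Tuple[str, ...]   # ("any",) matches every zone
    dst_zones: Tuple[str, ...]
    src_addrs: Tuple[str, ...]   # CIDR strings; ("any",) matches every address
    dst_addrs: Tuple[str, ...]
    action: str                  # "allow" or "deny"


def _zone_match(allowed: Iterable[str], zone: str) -> bool:
    return "any" in allowed or zone in allowed


def _addr_match(allowed: Iterable[str], ip: str) -> bool:
    if "any" in allowed:
        return True
    return any(ip_address(ip) in ip_network(cidr) for cidr in allowed)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> Tuple[str, Optional[str]]:
    """Walk the rulebase top-down; the first rule whose zone AND address
    criteria all match wins. Zone and address are independent filters:
    an address of "any" does not widen the zone, it simply adds no
    constraint. No match falls through to an implicit deny."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if (_zone_match(r.src_zones, src_zone) and _zone_match(r.dst_zones, dst_zone)
                and _addr_match(r.src_addrs, src_ip) and _addr_match(r.dst_addrs, dst_ip)):
            return r.action, r.name
    return "deny", None


# Constructed rulebase: Rules 1 and 2 are the ones from the reply above;
# Rule 3 is an assumption illustrating "destination zone any + specific IP".
RULES = [
    Rule("Rule 1", ("Zone A",), ("Zone B", "Zone C"), ("any",), ("any",), "allow"),
    Rule("Rule 2", ("Zone B",), ("Zone C",), ("any",), ("any",), "allow"),
    Rule("Rule 3", ("Zone C",), ("any",), ("any",), ("172.16.0.10/32",), "allow"),
]


if __name__ == "__main__":
    # Constructed sample flows (IPs are documentation/private ranges).
    for src, dst in [("10.1.5.5", "172.16.0.20"),    # internal -> DMZ
                     ("10.1.5.5", "203.0.113.7"),     # internal -> Internet
                     ("172.16.0.20", "203.0.113.7"),  # DMZ -> Internet
                     ("172.16.0.20", "10.1.5.5"),     # DMZ -> internal (no rule)
                     ("203.0.113.7", "172.16.0.10"),  # Internet -> published DMZ host
                     ("203.0.113.7", "172.16.0.20")]: # Internet -> other DMZ host
        print(f"{src} -> {dst}: {evaluate(RULES, src, dst)}")
```

The point the evaluator makes is the one in the reply: with source and destination address left as "any", Rule 1 admits every internal-to-DMZ and internal-to-Internet flow purely on the zone pair, while DMZ-to-internal traffic matches nothing and is denied. Rule 3 shows the other direction of the question: a destination zone of "any" plus one destination IP admits only that host, whichever zone it resolves to.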
08-25-2011 10:07 AM
OK, just to make sure I understand this correctly...
If I want traffic to hit a destination IP, I leave the Destination Zone as Any and enter the IP in Destination Address?
08-29-2011 11:29 AM
If you know which zone the destination IP is in, then I would recommend you specify the destination zone and IP address. However, this is not a requirement. You can also leave the zone as any. It depends on your organization's topology, security policies and best practices, but either way will work.