Security Zones let you build a robust Access Control Policy that controls all traffic between parts of the network.
A Security Zone object represents a part of the network (for example, the internal network or the external network). When you assign a network interface of a Security Gateway to a Security Zone, you can then use the Security Zone objects in the Source and Destination columns of the Rule Base.
Use Security Zones to:
- Simplify the Policy and apply the same rule to many Security Gateways.
- Add networks to Security Gateways' interfaces without changing the Rule Base.
Predefined Security Zones
These are the predefined security zones and their intended purposes:
- WirelessZone - Networks that can be accessed by users and applications with a wireless connection.
- ExternalZone - Networks that are not secure, such as the Internet and other external networks.
- DMZZone - A DMZ (demilitarized zone) is sometimes referred to as a perimeter network. It contains company servers that can be accessed from external sources. A DMZ lets external users and applications access specific internal servers, but prevents the external users from accessing secure company networks. Add rules to the firewall Rule Base that allow traffic to the company DMZ: for example, a rule that allows HTTP and HTTPS traffic to your web server in the DMZ.
- InternalZone - Company networks with sensitive data that must be protected and used only by authenticated users.
Limitations
- The current implementation operates independently of the Anti-Spoofing functionality.
- Security Zone objects are not supported in the NAT policy on Security Gateways R80.40 and lower.
- Using Security Zone objects in the Cleanup rule might prevent the creation of drop templates for that rule.
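The following Python model is an added illustration (not Check Point code) of the mechanism described above: each interface is assigned to a Security Zone, rules match on the zone of the ingress interface and the zone of the interface the destination routes out of, and the DMZ web rule from the predefined-zones section is expressed in zone terms. It also shows two of the points a practitioner should keep in mind: adding a network behind a DMZ interface needs no Rule Base change, and because the source zone is taken from the arriving interface rather than from the source address, zones do nothing about spoofed source IPs, which is why Anti-Spoofing remains a separate control. All interface names, addresses and rule names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "Any"


@dataclass
class Interface:
    name: str
    zone: str          # Security Zone the interface is assigned to
    networks: list     # networks routed behind this interface (constructed)


@dataclass
class Rule:
    name: str
    src_zone: str      # zone name or ANY
    dst_zone: str      # zone name or ANY
    ports: frozenset   # destination TCP ports; frozenset({ANY}) matches all
    action: str        # "Accept" or "Drop"


class ZoneGateway:
    """Toy gateway: zone-based rule matching over a static routing table."""

    def __init__(self, interfaces, rules):
        self.interfaces = {i.name: i for i in interfaces}
        self.rules = rules

    def add_network(self, iface_name, cidr):
        # New network behind an existing interface; the Rule Base is untouched.
        self.interfaces[iface_name].networks.append(ip_network(cidr))

    def egress_interface(self, dst_ip):
        # Longest-prefix match over every interface's routed networks.
        ip = ip_address(dst_ip)
        best = None
        for iface in self.interfaces.values():
            for net in iface.networks:
                if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (iface, net)
        return best[0] if best else None

    def decide(self, in_iface, src_ip, dst_ip, dst_port):
        # Source zone comes from the ingress interface, NOT from src_ip:
        # a spoofed internal address arriving on the external interface is
        # still ExternalZone. Anti-Spoofing must catch that separately.
        src_zone = self.interfaces[in_iface].zone
        out = self.egress_interface(dst_ip)
        if out is None:
            return ("Drop", "no-route")
        dst_zone = out.zone
        for rule in self.rules:  # first match wins, top to bottom
            if (rule.src_zone in (ANY, src_zone)
                    and rule.dst_zone in (ANY, dst_zone)
                    and (ANY in rule.ports or dst_port in rule.ports)):
                return (rule.action, rule.name)
        return ("Drop", "implicit-drop")


def build_gateway():
    """Constructed topology using RFC 5737 documentation ranges."""
    interfaces = [
        Interface("eth0", "ExternalZone", [ip_network("0.0.0.0/0")]),
        Interface("eth1", "DMZZone", [ip_network("192.0.2.0/24")]),
        Interface("eth2", "InternalZone", [ip_network("10.0.0.0/8")]),
    ]
    rules = [
        Rule("Web to DMZ", "ExternalZone", "DMZZone", frozenset({80, 443}), "Accept"),
        Rule("Internal to Internet", "InternalZone", "ExternalZone", frozenset({ANY}), "Accept"),
        Rule("Cleanup", ANY, ANY, frozenset({ANY}), "Drop"),
    ]
    return ZoneGateway(interfaces, rules)


if __name__ == "__main__":
    gw = build_gateway()
    print(gw.decide("eth0", "198.51.100.7", "192.0.2.10", 443))   # Web to DMZ
    print(gw.decide("eth0", "198.51.100.7", "192.0.2.10", 22))    # Cleanup
    print(gw.decide("eth0", "198.51.100.7", "203.0.113.5", 80))   # Cleanup (routes externally)
    gw.add_network("eth1", "203.0.113.0/24")                      # new DMZ network, no rule edit
    print(gw.decide("eth0", "198.51.100.7", "203.0.113.5", 80))   # Web to DMZ
    print(gw.decide("eth0", "10.1.2.3", "192.0.2.10", 443))       # still ExternalZone
```

The last call is the important caveat: a packet claiming an internal source address but arriving on `eth0` is classified by the interface's zone, so the zone rule accepts it like any other external request. Keep Anti-Spoofing configured on each interface's topology independently of the zone assignment.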
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.