A Zone object is a means for grouping together interfaces. More specifically, it provides a means for grouping together both interfaces on a single firewall as well as interfaces across multiple firewalls when they are under management control by InCenter.
To define such a grouping of interfaces, a named Zone object is first created and then this is assigned to the Zone property of the interfaces within the zone. One interface can only reference a single zone but many interfaces may reference the same zone.
This is similar to the way InterfaceGroup objects are used. However, unlike an InterfaceGroup, which can refer to one or more interfaces, the reference with zones goes in the reverse direction and is one-to-one from the interface's side: each interface refers to a single Zone object.
The Intended Purpose of Zones with InCenter
The intended usage of zones, and why they are needed in addition to InterfaceGroup objects, is to be able to specify a global configuration rule in InCenter, such as an IPRule, which can then be deployed to multiple firewalls. The firewalls involved may have different interface types and naming, but the zone membership of these interfaces allows the deployed rule to be applied successfully. When using zones in this way, the assignment of a zone to an interface should be done in InCenter after the firewall has been brought under centralized management as a global device (which will reset the firewall's configuration to the factory default on import).
However, it is also possible for the feature to be used on a firewall not under InCenter control, as an alternative to using InterfaceGroup objects.
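The following is an added example, not code from the product or its documentation. It is a simplified Python model of the zone concept described above: interfaces map to at most one zone, a zone may contain many interfaces, and a single rule written in terms of zone names (as the IPRule later in this section does with SourceInterface=my_zone1) matches on two firewalls whose interfaces are named differently. The firewall names, interface names and the first-match/default-drop evaluation are assumptions made for the illustration; real rule evaluation also considers networks, services and other properties.

```python
"""Simplified model of zone-based rule matching (added example, not product code).

Assumptions (not from the documentation): a firewall is a mapping of
interface name -> zone name (None when no zone is assigned, which the
product logs as "n/a"); a rule is matched on the zones of the receiving
and sending interfaces only; the first matching rule wins; no match drops.
"""
from dataclasses import dataclass, field


@dataclass
class Firewall:
    name: str
    # interface name -> zone name; None means the Zone property is unset
    interfaces: dict = field(default_factory=dict)

    def add_interface(self, iface: str) -> None:
        self.interfaces.setdefault(iface, None)

    def set_zone(self, iface: str, zone: str) -> None:
        # An interface references a single Zone object, so setting the
        # property again simply replaces the previous reference.
        if iface not in self.interfaces:
            raise KeyError(f"unknown interface {iface!r} on {self.name}")
        self.interfaces[iface] = zone

    def members(self, zone: str) -> set:
        # Many interfaces may reference the same Zone object.
        return {i for i, z in self.interfaces.items() if z == zone}


@dataclass
class IPRule:
    name: str
    action: str
    source_zone: str
    dest_zone: str


def rule_matches(fw: Firewall, rule: IPRule, recv_if: str, send_if: str) -> bool:
    """True when the receive/send interfaces belong to the rule's zones."""
    return (fw.interfaces.get(recv_if) == rule.source_zone
            and fw.interfaces.get(send_if) == rule.dest_zone)


def evaluate(fw: Firewall, rules: list, recv_if: str, send_if: str) -> str:
    """First matching rule wins; with no match the traffic is dropped."""
    for rule in rules:
        if rule_matches(fw, rule, recv_if, send_if):
            return rule.action
    return "drop"


def build_sample():
    """Two constructed firewalls with different interface naming but the
    same zone layout. An interface left without a zone never matches a
    zone-based rule."""
    fw_a = Firewall("fw-a")
    for iface in ("if1", "if2", "if3"):
        fw_a.add_interface(iface)
    fw_a.set_zone("if1", "my_zone1")
    fw_a.set_zone("if2", "my_zone1")
    fw_a.set_zone("if3", "my_zone2")

    fw_b = Firewall("fw-b")
    for iface in ("lan", "wan", "dmz"):
        fw_b.add_interface(iface)
    fw_b.set_zone("lan", "my_zone1")
    fw_b.set_zone("dmz", "my_zone2")
    # "wan" deliberately left unzoned
    return fw_a, fw_b


# One global rule expressed purely in zone names, deployable to both firewalls.
GLOBAL_RULES = [IPRule("allow_zone1_to_zone2", "allow", "my_zone1", "my_zone2")]

if __name__ == "__main__":
    fw_a, fw_b = build_sample()
    print("fw-a if1 -> if3:", evaluate(fw_a, GLOBAL_RULES, "if1", "if3"))
    print("fw-b lan -> dmz:", evaluate(fw_b, GLOBAL_RULES, "lan", "dmz"))
    print("fw-b wan -> dmz:", evaluate(fw_b, GLOBAL_RULES, "wan", "dmz"))
```

The last call illustrates the practical consequence of an interface with no Zone property: a rule that selects traffic by zone cannot match it, so traffic through such an interface falls to the default (drop) rather than being silently allowed.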
Object Types That Can Use Zones
Like an InterfaceGroup, a Zone can be referred to by Ethernet interfaces or it could be referred to by other interface types such as VLAN interfaces or IPsec Tunnels. In addition, different interface types can refer to the same Zone. For example, an Ethernet interface and a VLAN interface might have their Zone property set to the same Zone object. A Zone object can be used in any of the following object types and properties:
Zones Appear in Log Messages
Where zones can be used with a configuration object, the zone settings will appear in log messages related to the object being triggered. Below is an example log message that shows this:
prio=warning id=00000 event=no_route_to_source srcip=fe80::1 pkt_flowdir=n/a pkt_srchw=00:50:56:c0:00:0b pkt_ipver=6 pkt_proto=UDP pkt_recvif=if2 pkt_recvzone=FriendZone pkt_srcip=fe80::1 pkt_destip=ff02::1:2 pkt_srcport=546 pkt_destport=547 iface=if2 zone=FriendZone action=drop
If an interface object property has not been assigned a zone object then it will appear as "n/a" in the log message (short for Not Assigned). The example log message below illustrates this:
prio=warning id=00000 event=no_source_route_for_packet srchw=00:50:55:c0:00:0c srcip=fc03::64 destip=ff02::1:ff00:1 targetip=fc03::1 pkt_flowdir=n/a pkt_srchw=00:50:55:c0:00:0c pkt_ipver=6 pkt_proto=ICMPv6 pkt_recvif=if3 pkt_recvzone=n/a pkt_srcip=fc03::64 pkt_destip=ff02::1:ff00:1 pkt_type=135 pkt_code=0 pkt_id=0 iface=if3 zone=n/a action=drop
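As an added example (not part of the product documentation), the script below parses key=value log lines of the form shown above and reports receiving interfaces whose zone is logged as "n/a", which is a quick way to find interfaces that were never assigned a Zone after a firewall was imported into central management. The two sample lines are copied from this section; the field names used (pkt_recvif, pkt_recvzone, action) are the ones that appear in them, and the parser's tokenising rule (space-separated key=value pairs) is an assumption.

```python
"""Find drops logged on interfaces with no zone assignment (added example)."""
import re
from collections import Counter

# Constructed input: the two example log messages from this section.
SAMPLE_LOGS = [
    "prio=warning id=00000 event=no_route_to_source srcip=fe80::1 pkt_flowdir=n/a "
    "pkt_srchw=00:50:56:c0:00:0b pkt_ipver=6 pkt_proto=UDP pkt_recvif=if2 "
    "pkt_recvzone=FriendZone pkt_srcip=fe80::1 pkt_destip=ff02::1:2 pkt_srcport=546 "
    "pkt_destport=547 iface=if2 zone=FriendZone action=drop",
    "prio=warning id=00000 event=no_source_route_for_packet srchw=00:50:55:c0:00:0c "
    "srcip=fc03::64 destip=ff02::1:ff00:1 targetip=fc03::1 pkt_flowdir=n/a "
    "pkt_srchw=00:50:55:c0:00:0c pkt_ipver=6 pkt_proto=ICMPv6 pkt_recvif=if3 "
    "pkt_recvzone=n/a pkt_srcip=fc03::64 pkt_destip=ff02::1:ff00:1 pkt_type=135 "
    "pkt_code=0 pkt_id=0 iface=if3 zone=n/a action=drop",
]

# key=value tokens; values are either double-quoted or run to the next space,
# so IPv6 addresses and MAC addresses (which contain colons) are kept intact.
TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(line: str) -> dict:
    """Split one log line into a {key: value} dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in TOKEN.findall(line)}


def zone_map(lines) -> dict:
    """Map each receiving interface seen in the logs to its logged zone.

    A value of None means the log reported "n/a", i.e. no Zone assigned."""
    seen = {}
    for line in lines:
        rec = parse_log(line)
        iface = rec.get("pkt_recvif")
        if iface is None:
            continue
        zone = rec.get("pkt_recvzone")
        seen[iface] = None if zone in (None, "n/a") else zone
    return seen


def unzoned_drops(lines) -> Counter:
    """Count dropped packets per receiving interface that has no zone."""
    counts = Counter()
    for line in lines:
        rec = parse_log(line)
        if rec.get("action") == "drop" and rec.get("pkt_recvzone") == "n/a":
            counts[rec.get("pkt_recvif", "?")] += 1
    return counts


if __name__ == "__main__":
    for iface, zone in sorted(zone_map(SAMPLE_LOGS).items()):
        print(f"{iface}: {zone or 'NO ZONE ASSIGNED'}")
    for iface, n in unzoned_drops(SAMPLE_LOGS).items():
        print(f"{n} drop(s) on unzoned interface {iface}")
```

Run against a real log export, the zone_map output gives an inventory of which interfaces are actually participating in zone-based rules, and a non-empty unzoned_drops result is the signal to check whether an interface's Zone property was left unset after import.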
Example 3.4. Creating a Zone and Setting a Reference to the Zone
This example creates a Zone called my_zone1 and then sets the interfaces if1 and if2 to belong to it. Finally, an IPRule object is created to allow traffic from my_zone1 to a second zone called my_zone2. It is assumed that my_zone2 has already been created and contains other interfaces.
Command-Line Interface
1. Create the new Zone object:
System:/> add Interface Zone my_zone1
2. Set interface if1 to belong to the zone:
System:/> set Interface EthernetInterface if1 Zone=my_zone1
3. Set interface if2 to belong to the zone:
System:/> set Interface EthernetInterface if2 Zone=my_zone1
4. Create an IP rule to allow traffic from my_zone1 to a second zone called my_zone2:
System:/> cc RuleSet IPRuleSet main
System:/IPRuleSet/main> add IPRule Action=Allow Service=all_services SourceInterface=my_zone1 SourceNetwork=all-nets DestinationInterface=my_zone2 DestinationNetwork=all-nets Name=allow_zone1_to_zone2