Controlling Traffic by Security Zone
License: Any
Zone conditions in access control rules allow you to control traffic by its source and destination security zones. A security zone is a grouping of one or more interfaces.
As a simple example, you could create two zones: Internal and External, and assign the first pair of interfaces on the device to those zones. Hosts connected to the network on the Internal side represent your protected assets.
To extend this scenario, you could deploy additional identically configured devices to protect similar resources in several different locations. Each of these devices protects the assets in its Internal security zone.
Tip |
You are not required to group all internal (or external) interfaces into a single zone. Choose the grouping that makes sense for your deployment and security policies. For more information on creating zones, see Working with Security Zones. |
In this deployment, you may decide that although you want these hosts to have unrestricted access to the Internet, you nevertheless want to protect them by inspecting incoming traffic for intrusions and malware.
To accomplish this using access control, configure an access control rule with a zone condition where the Destination Zone is set to Internal. This simple access control rule matches traffic that leaves the device from any interface in the Internal zone.
To ensure that the system inspects matching traffic for intrusions and malware, choose a rule action of Allow, then associate this rule with an intrusion and a file policy.
If you want to build a more complex rule, you can add a maximum of 50 zones to each of the Source Zones and Destination Zones in a single zone condition:
-
To match traffic leaving the device from an interface in the zone, add that zone to the Destination Zones.
Because devices deployed passively do not transmit traffic, you cannot use a zone comprised of passive interfaces in a Destination Zone condition.
-
To match traffic entering the device from an interface in the zone, add that zone to the Source Zones.
-
If you add both source and destination zone conditions to a rule, matching traffic must originate from one of the specified source zones and egress through one of the destination zones.
When building a zone condition, warning icons indicate invalid configurations. For details, Troubleshooting Access Control Policies and Rules.
To control traffic by zone:
Procedure
Step 1 |
In the access control policy where you want to control traffic by zone, create a new access control rule or edit an existing rule. For detailed instructions, see Creating and Editing Access Control Rules. |
Step 2 |
In the rule editor, select the Zones tab. The Zones tab appears. |
Step 3 |
Find and select the zones you want to add from the Available Zones. To search for zones to add, click the Search by name prompt above the Available Zones list, then type a zone name. The list updates as you type to display matching zones. Click to select a zone. To select multiple zones, use the Shift and Ctrl keys, or right-click and then select Select All. |
Step 4 |
Click Add to Source or Add to Destination to add the selected zones to the appropriate list. You can also drag and drop selected zones. |
Step 5 |
Save or continue editing the rule. You must apply the access control policy for your changes to take effect; see Deploying Configuration Changes. |