Skip to main content
Infotech22
Infotech22
Explorer III
November 30, 2023
Solved

Firewall Policy - Zones

  • November 30, 2023
  • 1 reply
  • 3946 views

Hello forum,

Can somebody give me an example of using Zones if we are going to use Granular policies.
We will restrict the access as much as we can with our traffic.
Example would be:

  • Clients to DC - Only LDAP, HTTPS etc
  • Clients to Servers - Only RDP etc

 

I can't see any difference in managing all of them since we are going to have a lot of policies.
What is different with using Zones over Interfaces. I don't see any advatages in our case.
This is our current without zones:

 

zones.png

 

How it can be more managable if we are using zones if we need to do a granular permissions for everything.
Each VLAN, each service, ports etc

Best answer by Toshi_Esumi

As @adambomb1219 mentioned, a zone is a collection of interfaces. In your case all of your policies are from/to NOV_Clients to/from NOV_DMZ. So nothing to be bound together.
If the servers in NOV_DMZ are separated by mutipul VLANs, those VLANs are separate interfaces and you might want to bind them together as a zone. But I don't see much reason to do that if those policies need to be set up "by hosts".

Zones are useful like when you have a primary internet circuit and a seconday with a failover mechanism. Because the usage between them are the same so you can apply the same set of policies. Then it would make sense to have a zone "Internet" to have both circuits then set just one set of polices.

 

In other words, when you started seeing exactly the same policies but only src or dst interface is different a lot, it's the time you should consider binding them into a zone.

 

Toshi

1 reply

adambomb1219
SuperUser
adambomb1219
SuperUser
November 30, 2023

If you need granular permissions per VLAN, service, etc then don't use zones.  Why do you want to use zones?  

 

Zones are used when you have "similar" interfaces.  Like for example, you have three subnets for your data center and you want the same policies to apply to each of the three VLANs equally, you place those three interfaces into a "DC Zone".

    Infotech22
    Infotech22Author
    Explorer III
    November 30, 2023

    Hello,

    It was recommendation by the external partner, that it will be much easier but as I mention I dont see a benefit if we need granular permissions.
    It will be the same. Even from internal to external its different so there is no much same policies to apply to few subnets

    Toshi_Esumi
    SuperUser
    Toshi_EsumiAnswer
    SuperUser
    November 30, 2023

    As @adambomb1219 mentioned, a zone is a collection of interfaces. In your case all of your policies are from/to NOV_Clients to/from NOV_DMZ. So nothing to be bound together.
    If the servers in NOV_DMZ are separated by mutipul VLANs, those VLANs are separate interfaces and you might want to bind them together as a zone. But I don't see much reason to do that if those policies need to be set up "by hosts".

    Zones are useful like when you have a primary internet circuit and a seconday with a failover mechanism. Because the usage between them are the same so you can apply the same set of policies. Then it would make sense to have a zone "Internet" to have both circuits then set just one set of polices.

     

    In other words, when you started seeing exactly the same policies but only src or dst interface is different a lot, it's the time you should consider binding them into a zone.

     

    Toshi

      Terms & ConditionsAccessibility statement