Policy for zone members
Dear All,
I am trying to make a policy in which one of the interfaces is a zone member, but I cannot choose it from the interface list. It seems that zone members cannot be used separately. Some interfaces have common rules, while in addition to those there are rules that are specific to only one interface. Is there any hack for this? Thank you
Labels: 6.2
You will either need to remove that interface from the zone (thus requiring additional policies), or use src/dst addresses to effectively restrict the actual use of that rule to the interface in question.
In other words, if the zone includes Int_A, Int_B, and Int_C with subnets of 10.1.1.0/24, 10.1.2.0/24, and 10.1.3.0/24 respectively, you can define the rule to allow (or block, or whatever) only traffic from 10.1.2.0/24 to effectively apply it to Int_B without applying it to Int_A and Int_C, even though you have the zone selected as the source interface.
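The approach described in this answer, written out as a FortiOS CLI fragment (added example, not posted by the answerer; the zone name "Z_inside", the WAN interface "wan1", the address object name and the service are assumptions, the subnets and interface names are the ones from the answer):

```text
# Address object for the subnet behind Int_B only (constructed example).
config firewall address
    edit "Int_B_net"
        set subnet 10.1.2.0 255.255.255.0
    next
end

# The zone holding all three interfaces. Intrazone traffic is denied so
# that hosts on Int_A/Int_C cannot reach Int_B without an explicit policy.
config system zone
    edit "Z_inside"
        set intrazone deny
        set interface "Int_A" "Int_B" "Int_C"
    next
end

config firewall policy
    # Interface-specific rule: the source interface is the whole zone, but
    # srcaddr limits it to 10.1.2.0/24, i.e. traffic arriving via Int_B.
    # Policies are matched top-down, first match wins, so this policy must
    # sit ABOVE the common zone-wide policy below.
    edit 0
        set name "Int_B_only_https_out"
        set srcintf "Z_inside"
        set dstintf "wan1"
        set srcaddr "Int_B_net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    # Common rule shared by every member of the zone.
    edit 0
        set name "Zone_common_dns_out"
        set srcintf "Z_inside"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
        set logtraffic all
    next
end
```

The srcaddr restriction only works as an interface filter if 10.1.2.0/24 is genuinely present behind Int_B alone; a host on Int_A spoofing a 10.1.2.x source would still be dropped by reverse-path forwarding checks, but the policy itself does not verify the ingress interface.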
Using a policy with interfaces "zone" to "zone" and filtering by address is not uncommon when you use zones, assuming intrazone traffic is blocked. If you compare it to a regular policy, traffic in those is selected/filtered by address as well. So there is no reason not to use this setup; it's valid and safe.
Thank you for your answers!
