Technical Documentation

• Downloads
• Zone Configurations for Root and Vsys Overview    

• Related Topics
• Interface Configurations for Root and Vsys Overview
• Virtual Router Configurations for Root and Vsys Overview
• Viewing Root and Vsys Configurations

Zone Configurations for Root and Vsys Overview

At the root-level, you can configure a zone as shareable, enabling that zone to be used by all vsys. To share a zone, the zone must be in a shared virtual router; however, a shared virtual router can contain both shared and unshared zones.

Note: For details on configuring zones in L2V mode, see .

At the vsys level, zones are automatically created or inherited as described in Table 1.

Table 1: Zone Configuration for Root and Vsys

Zones	Description
All shared zones	These zones are inherited from the root device.
Shared Null zone	This zone is inherited from the root device.
Trust-vsys_name zone	This zone is created by default when you create the vsys.
Untrust-Tun-vsys_name zone	This zone is created by default when you create the vsys.
Global-vsys_name zone	This zone is created by default when you create the vsys.

Each vsys also supports user-defined security zones; you can bind these zones to any shared virtual routers defined at the root level or to the virtual router dedicated to that vsys.

Note: In ScreenOS 6.2, a new shared zone called shared-DMZ allows inter-vsys communications. NAT is also available for traffic from vsys-to-vsys based on the shared-DMZ zone to solve overlapping address issues. For details on configuring the shared DMZ zone, see the Managing Inter-Vsys Traffic with Shared DMZ Zones.