Adding a Security Zone

A security zone is a collection of one or more network segments requiring the regulation of inbound and outbound traffic through policies. Security zones are logical entities to which one or more interfaces are bound. You can define multiple security zones, the exact number of which you determine based on your network needs.

An interface for a security zone can be thought of as a doorway through which TCP/IP traffic can pass between that zone and any other zone. Through the policies you define, you can permit traffic between zones to flow in one direction or in both. With the routes that you define, you specify the interfaces that traffic from one zone to another must use. Because you can bind multiple interfaces to a zone, the routes you chart are important for directing traffic to the interfaces of your choice. An interface can be configured with an IPv4 address, IPv6 address, or both.

Security zones have the following properties:

Use this page to configure zones and assign interfaces to them.

Procedure

To create a security zone:

  1. Select Resources > Devices.

    The Devices page appears.

  2. Click the device name that you want to configure.

    The Device-Name page appears.

  3. Click the Configuration tab.

    The Physical Interfaces, Routing Instances, and Zones tabs appear.

  4. Click the Zones tab.

    The Zones page appears.

  5. Click the plus icon (+).

    The Add New Zone page appears.

  6. Complete the configuration settings according to the guidelines provided in Table 82.
  7. Click OK to save the changes.

Table 82: Fields on the Add New Zone Page

General Information

  Name
    Enter a unique string of alphanumeric characters and some special characters, such as dashes and underscores. The maximum length is 31 characters.

  Description
    Enter a description for the zone; the maximum length is 900 characters.

  Application Tracking
    Select the checkbox to maintain application usage statistics on the device.

  Interfaces
    From the list of interfaces in the Available column, select the interfaces that you want to include in the new zone and click the greater-than icon (>). The selected interfaces are moved to the Selected column.

  System Services
    From the list of system services in the Available column, select the system services that you want to include in the new zone and click the greater-than icon (>). The selected system services are moved to the Selected column.

  Is Except
    Select the checkbox to disable specific incoming system service traffic. This applies only when the all system services option is defined.

  Protocols
    From the list of protocols in the Available column, select the protocols that you want to include in the new zone and click the greater-than icon (>). The selected protocols are moved to the Selected column.

  Is Except
    Select this option to disable specific incoming protocol traffic. This applies only when the all protocols option is defined.

Traffic Control Options

  TCP RST
    Select the checkbox to enable sending TCP packets with the RST (reset) flag set to 1 in response to TCP packets that have any flag other than SYN set and that do not belong to an existing session.

  Screen
    Enter a predefined security screen for the security zone to detect and block the kinds of traffic that the device determines to be potentially harmful.

Interface Services and Protocols
    View the summary of interfaces, services, and protocols for your device.
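The following Python is an added example and is not part of this page or of Security Director. It checks a zone definition against the Table 82 field rules (name characters and length, description length, Is Except only meaningful when all services or protocols are selected, and an entry that is both selected and excepted) and then renders the zone as the Junos set commands that carry those settings. The zone name, interface, screen name, and service lists are constructed values; the statement names are the standard Junos security-zone syntax, and the example assumes the referenced screen (untrust-screen) is defined separately under security screen ids-option.

```python
"""Validate an SRX security-zone definition against the Add New Zone field
rules and emit the equivalent Junos "set" commands.  Added example: field
names mirror Table 82; every concrete value below is constructed."""
import re
from dataclasses import dataclass, field
from typing import List

# Name: alphanumeric plus dash/underscore, at most 31 characters (Table 82).
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,31}$")
MAX_DESCRIPTION = 900  # Table 82: description limit


@dataclass
class ZoneSpec:
    name: str
    description: str = ""
    application_tracking: bool = False
    interfaces: List[str] = field(default_factory=list)
    system_services: List[str] = field(default_factory=list)         # may contain "all"
    system_services_except: List[str] = field(default_factory=list)  # "Is Except" entries
    protocols: List[str] = field(default_factory=list)               # may contain "all"
    protocols_except: List[str] = field(default_factory=list)        # "Is Except" entries
    tcp_rst: bool = False
    screen: str = ""  # name of a predefined screen (assumed to exist on the device)


def validate(spec: ZoneSpec) -> List[str]:
    """Return a list of problems; an empty list means the spec is acceptable."""
    problems = []
    if not NAME_RE.match(spec.name):
        problems.append("name must be 1-31 characters of [A-Za-z0-9_-]")
    if len(spec.description) > MAX_DESCRIPTION:
        problems.append(f"description exceeds {MAX_DESCRIPTION} characters")
    # "Is Except" only has meaning when "all" is selected (Table 82); here it
    # is treated as a hard error rather than silently ignored.
    if spec.system_services_except and "all" not in spec.system_services:
        problems.append("system-services except list requires 'all' to be selected")
    if spec.protocols_except and "all" not in spec.protocols:
        problems.append("protocols except list requires 'all' to be selected")
    # An entry that is both explicitly selected and excepted is contradictory.
    for item in sorted(set(spec.system_services_except) & (set(spec.system_services) - {"all"})):
        problems.append(f"system service '{item}' is both selected and excepted")
    for item in sorted(set(spec.protocols_except) & (set(spec.protocols) - {"all"})):
        problems.append(f"protocol '{item}' is both selected and excepted")
    return problems


def _quote(text: str) -> str:
    """Double-quote a Junos string, escaping backslashes and quotes."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_set_commands(spec: ZoneSpec) -> List[str]:
    """Render the zone as Junos set commands; raises ValueError on an invalid spec."""
    problems = validate(spec)
    if problems:
        raise ValueError("; ".join(problems))
    base = f"set security zones security-zone {spec.name}"
    cmds = []
    if spec.description:
        cmds.append(f"{base} description {_quote(spec.description)}")
    if spec.application_tracking:
        cmds.append(f"{base} application-tracking")
    if spec.tcp_rst:
        cmds.append(f"{base} tcp-rst")
    if spec.screen:
        cmds.append(f"{base} screen {spec.screen}")
    hit = f"{base} host-inbound-traffic"
    for svc in spec.system_services:
        cmds.append(f"{hit} system-services {svc}")
    for svc in spec.system_services_except:
        cmds.append(f"{hit} system-services {svc} except")
    for proto in spec.protocols:
        cmds.append(f"{hit} protocols {proto}")
    for proto in spec.protocols_except:
        cmds.append(f"{hit} protocols {proto} except")
    for ifc in spec.interfaces:
        cmds.append(f"{base} interfaces {ifc}")
    return cmds


# Constructed example: a DMZ zone that accepts all host-inbound services except
# telnet and http, runs OSPF on its interface, resets stray TCP segments, and
# applies a (separately defined) screen.
DMZ = ZoneSpec(
    name="dmz-web",
    description="Public web tier",
    application_tracking=True,
    interfaces=["ge-0/0/2.0"],
    system_services=["all"],
    system_services_except=["telnet", "http"],
    protocols=["ospf"],
    tcp_rst=True,
    screen="untrust-screen",
)

if __name__ == "__main__":
    for line in to_set_commands(DMZ):
        print(line)
```

Running the script prints the set commands for the constructed DMZ zone; feeding a spec with an Is Except list but without "all" selected, or a name longer than 31 characters, makes to_set_commands raise with the reasons reported by validate.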