Managing Inter-Vsys Traffic with Shared DMZ Zones

Virtual systems across different zones generally use a shared untrust zone for communication. However, inter-vsys traffic through a shared untrust zone is often interrupted by external traffic. To avoid this interference, you can use a shared DMZ zone created at the root level. Each shared DMZ zone that the root admin creates is automatically assigned to a shared DMZ virtual router (VR). The root admin also determines which shared DMZ zone a particular vsys is subscribed to. A shared DMZ zone is shared only with the virtual systems that are subscribed to it, and each vsys can be subscribed to only one shared DMZ zone. A shared DMZ zone works only on a security device running in NAT/route mode and cannot be bound to any interface other than the loopback interface. By default, the interface for the shared DMZ zone is null.
