Zone Configurations for Root and Vsys Overview

At the root level, you can configure a zone as shareable, which makes that zone available to all vsys. To share a zone, the zone must be in a shared virtual router; a shared virtual router can, however, contain both shared and unshared zones.

Note: For details on configuring zones in L2V mode, see L2V VLAN Groups in NSM Overview.

At the vsys level, zones are automatically created or inherited as described in Table 62.

Table 62: Zone Configuration for Root and Vsys

Zones                          Description
All shared zones               These zones are inherited from the root device.
Shared Null zone               This zone is inherited from the root device.
Trust-vsys_name zone           This zone is created by default when you create the vsys.
Untrust-Tun-vsys_name zone     This zone is created by default when you create the vsys.
Global-vsys_name zone          This zone is created by default when you create the vsys.

Each vsys also supports user-defined security zones; you can bind these zones to any shared virtual routers defined at the root level or to the virtual router dedicated to that vsys.
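The sharing rules stated above (a root zone can be shared only if its virtual router is shared, a shared virtual router may still hold unshared zones, a vsys inherits every shared zone plus the shared Null zone and receives the three default zones of Table 62, and a user-defined vsys zone binds only to a shared root virtual router or to the vsys's own virtual router) are modelled below as a small validator. This is an added illustration, not ScreenOS or NSM code; the virtual router and zone names it uses (trust-vr, shared-vr, Partner-shared, Mgmt-private, vsys1) are constructed sample data, and the naming of a vsys's dedicated virtual router as `<vsys>-vr` is an assumption made for the demo.

```python
"""Root/vsys zone-sharing rules from this page, modelled as a small validator.

Added illustration, not ScreenOS or NSM code. All virtual router, zone and
vsys names in the demo are constructed sample data; the '<vsys>-vr' name for
a vsys's dedicated virtual router is an assumption of this model.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class VirtualRouter:
    name: str
    sharable: bool = False      # root VR that vsys are allowed to bind zones to


@dataclass
class Zone:
    name: str
    vrouter: Optional[str]      # None for the predefined Null zone
    shared: bool = False        # root zone visible to every vsys


class RootConfig:
    """Root-level virtual routers and zones."""

    def __init__(self) -> None:
        self.vrouters: Dict[str, VirtualRouter] = {}
        # The Null zone exists on every device and is shared with all vsys.
        self.zones: Dict[str, Zone] = {"Null": Zone("Null", None, shared=True)}

    def add_vrouter(self, name: str, sharable: bool = False) -> None:
        self.vrouters[name] = VirtualRouter(name, sharable)

    def add_zone(self, name: str, vrouter: str, shared: bool = False) -> None:
        vr = self.vrouters.get(vrouter)
        if vr is None:
            raise ValueError(f"unknown virtual router {vrouter!r}")
        # Sharing rule: only a zone in a shared VR can itself be shared.
        # The converse is not required: a shared VR may hold unshared zones.
        if shared and not vr.sharable:
            raise ValueError(
                f"zone {name!r} cannot be shared: VR {vrouter!r} is not shared")
        self.zones[name] = Zone(name, vrouter, shared)

    def shared_zone_names(self) -> List[str]:
        return sorted(z.name for z in self.zones.values() if z.shared)


def vsys_zones(root: RootConfig, vsys_name: str) -> Dict[str, List[str]]:
    """Zones a newly created vsys sees, split as in Table 62."""
    return {
        "inherited": root.shared_zone_names(),          # all shared zones + Null
        "created": [f"Trust-{vsys_name}",
                    f"Untrust-Tun-{vsys_name}",
                    f"Global-{vsys_name}"],
    }


def allowed_vrouters(root: RootConfig, vsys_name: str) -> List[str]:
    """VRs a user-defined zone in this vsys may bind to: the shared root VRs
    plus the VR dedicated to the vsys (named '<vsys>-vr' here by assumption)."""
    shared = sorted(vr.name for vr in root.vrouters.values() if vr.sharable)
    return shared + [f"{vsys_name}-vr"]


def bind_vsys_zone(root: RootConfig, vsys_name: str, zone: str, vrouter: str) -> str:
    """Validate a user-defined vsys zone binding; return a summary string."""
    if vrouter not in allowed_vrouters(root, vsys_name):
        raise ValueError(
            f"vsys {vsys_name!r} zone {zone!r} cannot bind to VR {vrouter!r}: "
            f"VR is neither shared nor the vsys's own")
    return f"{vsys_name}:{zone} -> {vrouter}"


def demo() -> RootConfig:
    """Constructed sample root configuration."""
    root = RootConfig()
    root.add_vrouter("trust-vr")                  # root-only VR
    root.add_vrouter("shared-vr", sharable=True)  # shared with all vsys
    root.add_zone("Trust", "trust-vr")
    root.add_zone("Partner-shared", "shared-vr", shared=True)
    root.add_zone("Mgmt-private", "shared-vr")    # unshared zone in a shared VR
    return root


if __name__ == "__main__":
    cfg = demo()
    print(vsys_zones(cfg, "vsys1"))
    print(bind_vsys_zone(cfg, "vsys1", "Web", "shared-vr"))
    try:
        cfg.add_zone("Leaky", "trust-vr", shared=True)  # rejected: VR not shared
    except ValueError as err:
        print("rejected:", err)
```

Running the module shows that vsys1 inherits only the zones flagged shared (here Partner-shared and Null) while Mgmt-private, though it sits in the shared virtual router, stays root-only, and that an attempt to share a zone bound to the unshared trust-vr is rejected.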

Note: In ScreenOS 6.2, a new shared zone called shared-DMZ allows inter-vsys communication. NAT is also available for vsys-to-vsys traffic based on the shared-DMZ zone, to resolve overlapping address issues. For details on configuring the shared DMZ zone, see Managing Inter-Vsys Traffic with Shared DMZ Zones.
