Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Configuring Zones and Zone Properties in ScreenOS Devices Overview


The Zone screen is where you can configure predefined zones or create user-defined security zones. You can also create a tunnel zone, which is a logical segment to which a VPN tunnel interface is bound.

A security device supports two types of zones:

  • Security zone—A Layer 3 security zone binds to NAT or Route mode interfaces; a Layer 2 security zone binds to Transparent mode interfaces.


    When you add a device and configure it to operate in Transparent mode, the L2 zone names appear in the NSM UI without the “ V1-” prefix. When you update the configuration on the device from the UI, the correct L2 zone names are configured.

  • Tunnel zone—A zone that binds to a carrier zone.

To add a zone to a security device, in the device navigation tree, select Network > Zone and add the desired zone. For Security Zones, you might define the name of the zone and the virtual router in which you want to place the zone; For tunnel zones, you must also specify the carrier zone, which is the security zone with which the tunnel zone is logically associated. A carrier zone provides firewall protection to the encapsulated traffic.

For more information about zones on security devices, refer to the Concepts & Examples ScreenOS Reference Guide: Fundamentals.

You can configure general properties and SCREEN attack protection for predefined or custom Security Zones.

Zone General Properties

For predefined zones, some general properties are already configured for you, such as the Name and Virtual Router settings. For custom security zones, you can enter a name and select the virtual router that handles traffic to and from the new zone.

For both predefined and custom zones, you can configure the settings as described in Table 1.

Table 1: Zone General Properties

Custom Zone Settings


TCP/IP Reassembly for ALG

Select this option when using Application Layer Gateway (ALG) filtering on the security device. By reassembling fragmented IP packets and TCP segments, the security device can accurately filter traffic.

Block Intrazone Traffic

Select this option to block traffic between hosts within the security zone.


Select this option to return a TCP segment with the RESET flag set to 1 when a TCP segment with a flag other than SYN is received.

Asymmetric VPN

In asymmetrical encryption, one key in a pair is used to encrypt and the other to decrypt VPN traffic. When configuring multiple VPN tunnels to enable tunnel failover, enable this option for the Trust zones on each security device in the VPN so that if an existing session established on one VPN tunnel transfers to another, the security device at the other end of the tunnel does not reject it.