Zone Configurations for Root and Vsys Overview
At the root level, you can configure a zone as shareable, which makes that zone available to every vsys on the device. A zone can be shared only if it belongs to a shared virtual router; the reverse does not hold, because a shared virtual router can contain both shared and unshared zones.

Note

For details on configuring zones in L2V mode, see L2V VLAN Groups in NSM Overview.

At the root level, all zones are available by default, as shown in Table 1.

Table 1: Root-Level Zone Configuration

  Zone      Attribute   Description
  Null      Shared      This zone is available by default.
  Untrust   Shared      This zone is available by default.
  Trust     Local       This zone is available by default.
  DMZ       Local       This zone is available by default.
  Self      Local       This zone is available by default.
  MGT       Local       This zone is available by default.
  HA        Local       This zone is available by default.
  Global    Local       This zone is available by default.

Note
  • If a zone's attribute on the root device is Shared, that zone is inherited by all vsys devices that belong to the root device; all shared zones of the root device are therefore visible in every vsys.

  • If a zone's attribute is Local, the zone applies only to the root device itself.

At the vsys level, zones are automatically created or inherited as described in Table 2.

Table 2: Vsys-Level Zone Configuration

  Zone                    Attribute   Description
  Trust-vsys_name         Local       This zone is created by default when you create the vsys.
  Untrust-Tun-vsys_name   Local       This zone is created by default when you create the vsys.
  Global-vsys_name        Local       This zone is created by default when you create the vsys.
  Null                    Shared      This zone is inherited from the root device.

Note
  • All shared zones of the root device are inherited by all vsys devices that belong to the root device.

  • If a zone's attribute is Local, the zone applies only to the vsys device in which it was created.

Each vsys also supports user-defined security zones. You can bind such a zone either to a shared virtual router defined at the root level or to the virtual router dedicated to that vsys; a zone created inside a vsys cannot be bound to an unshared root-level virtual router.
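The following ScreenOS CLI session is an added example, not part of the original page, showing the ordering constraint described above: the virtual router must be marked shared before a zone in it can be marked shared, and a user-defined zone inside a vsys can only bind to a shared root-level virtual router or to the vsys's own virtual router. The zone name "Finance", the vsys name "vsys1", and its virtual router name "vsys1-vr" are assumptions chosen for illustration (ScreenOS names the vsys virtual router after the vsys by default). Lines beginning with "#" are annotations, not CLI input.

```screenos
# --- Root level: make a shareable zone -----------------------------------
# 1. The virtual router that will hold the zone must itself be shared.
#    trust-vr is the usual choice; if it is not already shared this fails
#    at the next step, so do it explicitly.
set vrouter trust-vr shared

# 2. Create the zone and bind it to the shared virtual router.
set zone name Finance
set zone Finance vrouter trust-vr

# 3. Only now can the zone be marked shared. Issuing this before step 1
#    is rejected because the zone's virtual router is not shared.
set zone Finance shared

# 4. Verify: both the vrouter and the zone should report "shared".
get vrouter
get zone

# --- Vsys level: inherit and add zones ------------------------------------
# Creating the vsys auto-creates Trust-vsys1, Untrust-Tun-vsys1,
# Global-vsys1 and the dedicated virtual router vsys1-vr (Table 2).
set vsys vsys1

# Inside the vsys context, "get zone" lists the inherited shared zones
# (Null, Untrust, Finance) alongside the vsys-local ones.
get zone

# A user-defined vsys zone may bind to the vsys's own virtual router ...
set zone name Finance-vsys1
set zone Finance-vsys1 vrouter vsys1-vr

# ... or to a shared root-level virtual router such as trust-vr.
# Binding it to an unshared root virtual router is not permitted.
set zone name Shared-Finance-vsys1
set zone Shared-Finance-vsys1 vrouter trust-vr

exit
save
```

When reviewing a device, check the "shared" flag on both `get vrouter` and `get zone` output from the root context: a zone that appears shared but lives in a virtual router that was later unshared is a configuration inconsistency, and a vsys administrator cannot see or fix it from inside the vsys.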

Note

In ScreenOS 6.2, a new shared zone called shared-DMZ allows inter-vsys communication. NAT is also available for vsys-to-vsys traffic through the shared-DMZ zone, which resolves overlapping address ranges between vsys. For details on configuring the shared DMZ zone, see Managing Inter-Vsys Traffic with Shared DMZ Zones.