This section describes how to use a command line interface (CLI) to configure a security zone.
The system has four default security zones. You can also create security zones and assign them security levels. After creating a security zone, add an interface to it; from then on, all packets received or sent on that interface are treated as belonging to that zone. By default an interface belongs to no security zone and cannot exchange traffic with interfaces that do belong to one.
firewall zone name zone-name [ id id ]
Whether you specify the name parameter depends on whether the zone already exists:
If the security zone already exists, run firewall zone zone-name, without the name and id parameters, to enter its view.
If the security zone does not exist yet, run firewall zone name zone-name [ id id ] to create it and enter its view.
Default security zones cannot be deleted.
set priority security-priority
Set a security level (priority) for a security zone according to the following rules:
A security level is set only on a user-defined security zone; the levels of the default security zones are fixed. A new security zone that has no security level configured cannot take effect.
When you configure an interzone ASPF/ALG policy or an interzone SACG interworking policy, both security zones must have priorities; otherwise the policy does not take effect. Other services do not require a priority. Two security zones without priorities cannot form an interzone, and once two zones form an interzone their priorities cannot be deleted.
add interface interface-type interface-number
The Local zone represents the device itself, including its interfaces. When an interface is added to a security zone, only the network reachable through that interface belongs to that zone; the interface itself remains in the Local zone.
Add an interface to a security zone according to the following rule: an interface can belong to only one security zone at a time, so a interface already in a zone must be removed from that zone before it is added to another.
description text
A description helps the administrator understand the configuration and maintain the device.
The device performs security checks only on traffic between security zones. To control that traffic, enter the security interzone view and apply security functions there.
Both security zones must already exist. For details, see Creating a Security Zone and Adding an Interface to It.
When a new security zone is created, the interzone views between it and the other security zones are created automatically; you do not create interzones separately.
system-view
firewall interzone zone-name1 zone-name2
Security policy checks are triggered when traffic crosses a security interzone. In the security interzone view you can configure security functions such as application specific packet filter (ASPF).
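The two procedures above, from creating a user-defined zone through entering its interzone with a default zone and verifying the result, as one continuous CLI session. This is an added example, not text from the original page: the zone name partner, the priority 40, the interface GigabitEthernet 0/0/3 and the device prompt USG are assumptions, and the session assumes a Huawei VRP-style firewall on which the default Trust zone already exists. The detect ftp line is assumed to be the ASPF command accepted in the interzone view on such devices; substitute whatever security function you actually need.

```text
<USG> system-view
# create the user-defined zone (name assumed) and enter its view
[USG] firewall zone name partner
# a user-defined zone needs a security level before it can form an interzone;
# the value must not collide with a level already used by another zone
[USG-zone-partner] set priority 40
[USG-zone-partner] description Partner-extranet
# the interface (assumed) can belong to only one zone; the interface itself stays in Local,
# only the network behind it is placed in zone partner
[USG-zone-partner] add interface GigabitEthernet 0/0/3
[USG-zone-partner] quit
# both zones now have priorities, so the automatically created interzone view is usable
[USG] firewall interzone trust partner
# assumed ASPF command: one of the security functions configured in interzone view
[USG-interzone-trust-partner] detect ftp
[USG-interzone-trust-partner] quit
# verify the zone's level and interface, then the interzone configuration
[USG] display zone partner
[USG] display interzone trust partner
```

If display zone shows the zone without a priority, the interzone entry above fails, which is the usual cause of an ASPF/ALG or SACG policy that appears configured but never takes effect.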
Checking the configuration and traffic status of security zones shows the state of the network and helps you decide how to deploy security policies in an interzone.
Table 1 lists the commands used to display security zone configurations.

| Action | Command |
|---|---|
| Display the existing security zones, their security levels, and the interfaces added to them. | display zone [ zone-name ] [ interface \| priority ] |
| Display the security policies configured in a security interzone. | display interzone [ zone-name1 zone-name2 ] |