Security Zone

What can I do here?

Use this window to edit or create a security zone.

Getting Here - Object Explorer > New > Network Object > Security Zone

Security Zones

Security Zones let you to create a strong Access Control Policy that controls the traffic between parts of the network.

A Security Zone object represents a part of the network (for example, the internal network or the external network). You assign a network interface of a Security Gateway to a Security Zone. You can then use the Security Zone objects in the Source and Destination columns of the Rule Base.

Use Security Zones to:

Simplify the Policy. Apply the same rule to many Gateways.
Add networks to Gateways interfaces without changing the Rule Base.

For example, in the diagram, we have three Security Zones for a typical network: ExternalZone (1), DMZZone (2) and InternalZone (3).

Gateway (4) has three interfaces. One interface is assigned to ExternalZone (1), one interface is assigned to DMZZone (2), and one interface is assigned to InternalZone (3).
Gateway (5) has two interfaces. One interface is assigned to ExternalZone (1) and one interface is assigned to InternalZone (3).

A Security Gateway interface can belong to only one Security Zone. Interfaces to different networks can be in the same Security Zone.

Workflow

Define Security Zone objects. Or, use the predefined Security Zones.
Assign Gateway interfaces to Security Zones.
Use the Security Zone objects in the Source and Destination of a rule. For example:

Source

Destination

VPN

Service

Action

InternalZone

ExternalZone

Any Traffic

Any

Accept
Install the Access Control Policy.

Source	Destination	VPN	Service	Action
InternalZone	ExternalZone	Any Traffic	Any	Accept

Creating and Assigning Security Zones

Before you can use Security Zones in the Rule Base, you must assign Gateway interfaces to Security Zones.

To create a Security Zone:

In the Objects bar (F11), click New > More > Network Object > Security Zone.
The Security Zone window opens.
Enter a name for the Security Zone.
Enter an optional comment or tag.
Click OK.

To assign an interface to a Security Zone

In the Gateways & Servers view, right-click a Security Gateway object and select Edit.
The Gateway Properties window opens.
In the Network Management pane, right-click an interface and select Edit.
The Interface window opens. The Topology area of the General pane shows the Security Zone to which the interface is already bound. By default, the Security Zone is calculated according to where the interface Leads To.
Click Modify.
The Topology Settings window opens.
In the Security Zone area, click User Defined and select Specify Security Zone.
From the drop-down box, select a Security Zone.
Or click New to create a new one.
Click OK.

Predefined Security Zones

These are the predefined security zones, and their intended purposes:

WirelessZone - Networks that can be accessed by users and applications with a wireless connection.
ExternalZone - Networks that are not secure, such as the Internet and other external networks.
DMZZone - A DMZ (demilitarized zone) is sometimes referred to as a perimeter network. It contains company servers that can be accessed from external sources.
A DMZ lets external users and applications access specific internal servers, but prevents the external users accessing secure company networks. Add rules to the firewall Rule Base that allow traffic to the company DMZ. For example, a rule that allows HTTP and HTTPs traffic to your web server in the DMZ.
InternalZone - Company networks with sensitive data that must be protected and used only by authenticated users.