Security Zones

With Security Zones you can create a strong Access Control Policy that controls the traffic between parts of the network.

A Security Zone object represents a part of the network (for example, the internal network or the external network). You assign a network interface of a Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. to a Security Zone. You can then use the Security Zone objects in the Source and Destination columns of the Rule BaseClosed All rules configured in a given Security Policy. Synonym: Rulebase..

Use Security Zones to:

For example, in the diagram, we have three Security Zones for a typical network: ExternalZone (1), DMZZone (2) and InternalZone (3).

  • Security Gateway (4) has three interfaces. One interface is assigned to ExternalZone (1), one interface is assigned to DMZZone (2), and one interface is assigned to InternalZone (3).

  • Security Gateway (5) has two interfaces. One interface is assigned to ExternalZone (1) and one interface is assigned to InternalZone (3).

A Security Gateway interface can belong to only one Security Zone. Interfaces to different networks can be in the same Security Zone.

Workflow

  1. Configure Security Zone objects.

    Or, use the predefined Security Zones (see Predefined Security Zones ).

  2. Assign Security Gateway interfaces to Security Zones (see Creating and Assigning Security Zones).

  3. Use the Security Zone objects in the Source and Destination of a rule.

    For example:

    Source

    Destination

    VPN

    Service

    Action

    InternalZone

    ExternalZone

    Any Traffic

    Any

    Accept

  4. Install the Access Control Policy (see Installing the Access Control Policy).

Creating and Assigning Security Zones

Before you can use Security Zones in the Rule Base, you must assign Security Gateway interfaces to Security Zones.

To create a Security Zone

  1. In the Objects bar (F11), click New > More > Network Object > Security Zone.

    The Security Zone window opens.

  2. Enter a name for the Security Zone.

  3. Enter an optional comment or tag.

  4. Click OK.

To assign an interface to a Security Zone

  1. In the Gateways & Servers view, right-click a Security Gateway object and select Edit.

    The Gateway Properties window opens.

  2. In the Network Management pane, right-click an interface and select Edit.

    The Interface window opens. The Topology area of the General pane shows the Security Zone to which the interface is already bound. By default, the Security Zone is calculated according to where the interface Leads To.

  3. Click Modify.

    The Topology Settings window opens.

  4. In the Security Zone area, click User Defined and select Specify Security Zone.

  5. From the drop-down box, select a Security Zone.

    Or click New to create a new one.

  6. Click OK.

Predefined Security Zones

These are the predefined Security Zones, and their intended purposes:

  • WirelessZone - Networks that can be accessed by users and applications with a wireless connection.

  • ExternalZone - Networks that are not secure, such as the Internet and other external networks.

  • DMZZone - A DMZ (demilitarized zone) is sometimes referred to as a perimeter network. It contains company servers that can be accessed from external sources.

    A DMZ lets external users and applications access specific internal servers, but prevents the external users accessing secure company networks.

    Add rules to the Security Gateway Rule Base that allow traffic to the company DMZ. For example, a rule that allows HTTP and HTTPs traffic to your web server in the DMZ.

  • InternalZone - Company networks with sensitive data that must be protected and used only by authenticated users.

Limitations

  • NAT policy supports Security Zones only for R81 Security Gateways and higher.

  • The Threat Prevention Policy supports Security Zones only for R81 Security Gateways and higher.

  • If the clean-up rule contains Security Zones, it might prevent the creation of Drop templates for that rule.