No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Security Zone and Interzone

Security Zone and Interzone

Firewall functions are implemented based on security zones and interzones.

Security Zone

A security zone (zone for short) is an interface or a group of interfaces with the same security attributes. Each zone has a globally unique security priority.

The firewall considers data flows transmitted within a zone reliable and implements no security policy for these data flows. It checks security and implements security policies for data flows transmitted from one zone to another.


Any two zones form an interzone, which has an independent interzone view. Most firewall configurations are performed in the interzone view.

For example, zone1 and zone2 form an interzone. You can configure an ACL-based packet filter in the interzone view to filter data flows transmitted between zone1 and zone2.

After the firewall is enabled in an interzone, when a user in the high-priority zone connects to the low-priority zone, the firewall records information such as the IP address and VPN in the request packet and generates a session. When receiving the response packet, the firewall checks the packet information. Because the packet information has been recorded in the session table, the firewall allows the response packet to pass. By default, a user in the low-priority zone cannot connect to the high-priority zone. To allow internal users to access the external network and prevent external users from accessing the internal network, configure the internal network as a high-priority zone and the external network as a low-priority zone.

Advantages of the Zone-based Firewall

On traditional switches and routers, policies are configured based on inbound or outbound interfaces. As the firewall technology develops, a firewall controls communication between an internal network, an external network, and a demilitarized zone (DMZ). Interface-based policy configuration increases workload of the network administrator, and incorrect configurations bring security risks.

Some firewalls support global security policy configuration. This configuration method does not allow different security policies on interfaces or zones, which limit application of firewalls.

Compared with interface based and global configuration, zone-based firewall configuration adds a group of interfaces to security zones and applies security policies to zones, simplifying configuration while maintaining flexibility. Zone-based firewall configuration reduces workload of the network administrator and allows different security policies to be applied in complex networking.

Updated: 2019-08-07

Document ID: EDOC1100034077

Views: 128696

Downloads: 231

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next