Configuring Interfaces and Security Zones
Context
A security zone is a collection of networks reached through one or more interfaces. All networks in a zone are treated as having the same security attributes, and most security policies are defined in terms of zones rather than individual interfaces. A firewall connects the networks it separates; it uses security zones to partition them and to identify the path of a packet, that is, its source zone and destination zone. When a packet crosses from one zone to another, a security check is triggered and the matching security policy is enforced. Security zones are isolated from each other by default, so no inter-zone traffic is forwarded until a policy permits it.
A campus network is itself treated as secure, but it faces threats from outside. Therefore, place the Internet in the untrust zone and the campus network in the trust zone, and deploy security devices at the campus egress to isolate the intranet from the Internet and block external threats. Place the data center in the dmz zone, and use the firewalls to control traffic between the campus intranet and the servers in the data center. Figure 5-5 shows the interface plan for the egress network.
Plan Example
Device | Interface Name | Interface Type | Virtual System | Security Zone | Mode | Member Interfaces | Other Parameters
---|---|---|---|---|---|---|---
FW-a | Eth-Trunk1 | Aggregation interface | public | - | Routing | GE1/0/1; GE1/0/2 | Default
FW-b | Eth-Trunk1 | Aggregation interface | public | - | Routing | GE1/0/1; GE1/0/2 | Default
Device | Interface Name | Virtual System | Security Zone | Mode | VLAN Tag | Connection Type | IP Address | Default Gateway | Other Parameters | Remarks
---|---|---|---|---|---|---|---|---|---|---
FW-a | GE1/0/3 | public | dmz | Routing | - | Static IP | 192.168.150.1/30 | - | Default | Heartbeat link between the firewalls in hot standby mode
FW-a | GE1/0/4 | public | untrust | Routing | - | Static IP | 192.0.2.2/24 | 192.0.2.1 | Default | Interface on FW-a connected to ISP1
FW-a | GE1/0/5 | public | untrust | Routing | - | Static IP | 198.51.100.2/24 | 198.51.100.1 | Default | Interface on FW-a connected to ISP2
FW-a | Eth-Trunk1 | public | trust | Routing | 1800 | Static IP | 192.168.10.2/24 | - | Default | Interface for traffic between the campus intranet and external networks
FW-b | GE1/0/3 | public | dmz | Routing | - | Static IP | 192.168.150.2/30 | - | Default | Heartbeat link between the firewalls in hot standby mode
FW-b | GE1/0/4 | public | untrust | Routing | - | Static IP | 192.0.2.3/24 | 192.0.2.1 | Default | Interface on FW-b connected to ISP1
FW-b | GE1/0/5 | public | untrust | Routing | - | Static IP | 198.51.100.3/24 | 198.51.100.1 | Default | Interface on FW-b connected to ISP2
FW-b | Eth-Trunk1 | public | trust | Routing | 1800 | Static IP | 192.168.10.3/24 | - | Default | Interface for traffic between the campus intranet and external networks
Procedure
- Choose Network > Interface. Click Add and create the Eth-Trunk with the interface type, virtual system, mode and member interfaces given in the first plan table.
- Click the edit icon in the row of each interface to be configured and modify the interface configuration: set the security zone, mode, VLAN tag, connection type, IP address and default gateway given in the second plan table. An interface that has not been added to a security zone does not forward traffic, so confirm that every interface in the plan has a zone assigned before moving on to the security policies.
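The plan tables above carry exactly the kind of detail that is easy to get wrong when two hot-standby peers are configured by hand: a gateway outside the interface subnet, a heartbeat link that is not a /30, or an interface placed in different zones on the two firewalls. The following script is an added example written for this page, not code from the original documentation or from the firewall vendor. It encodes the two plan tables (interface names, zones, VLAN tag and the documentation-range addresses are taken from the tables) and checks them for consistency before anything is typed into the web UI. The `Iface` record and the `check_*`, `validate` and `zone_summary` functions are assumptions introduced here for illustration.

```python
"""Consistency checks for the interface and security-zone plan above.

Added example, not code from the original page or the firewall vendor. The
interface names, zones and addresses come from the plan tables; the Iface
record and the check functions are assumptions introduced here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ZONES = {"trust", "untrust", "dmz"}          # zones used in the plan


@dataclass(frozen=True)
class Iface:
    device: str
    name: str
    zone: str
    ip: str                                   # "address/prefix" as in the table
    gateway: Optional[str] = None
    vlan_tag: Optional[int] = None
    members: Tuple[str, ...] = ()             # Eth-Trunk member ports


# The two plan tables, FW-a then FW-b (constructed from the tables on this page).
PLAN: List[Iface] = [
    Iface("FW-a", "Eth-Trunk1", "trust", "192.168.10.2/24", vlan_tag=1800, members=("GE1/0/1", "GE1/0/2")),
    Iface("FW-a", "GE1/0/3", "dmz", "192.168.150.1/30"),                    # heartbeat link
    Iface("FW-a", "GE1/0/4", "untrust", "192.0.2.2/24", "192.0.2.1"),       # ISP1
    Iface("FW-a", "GE1/0/5", "untrust", "198.51.100.2/24", "198.51.100.1"), # ISP2
    Iface("FW-b", "Eth-Trunk1", "trust", "192.168.10.3/24", vlan_tag=1800, members=("GE1/0/1", "GE1/0/2")),
    Iface("FW-b", "GE1/0/3", "dmz", "192.168.150.2/30"),
    Iface("FW-b", "GE1/0/4", "untrust", "192.0.2.3/24", "192.0.2.1"),
    Iface("FW-b", "GE1/0/5", "untrust", "198.51.100.3/24", "198.51.100.1"),
]


def check_zones(plan):
    """Every interface appears once, in a known zone, and no trunk member is also configured on its own."""
    problems, seen = [], set()
    for i in plan:
        if (i.device, i.name) in seen:
            problems.append(f"{i.device} {i.name}: listed twice")
        seen.add((i.device, i.name))
        if i.zone not in ZONES:
            problems.append(f"{i.device} {i.name}: unknown zone '{i.zone}'")
    problems += [f"{i.device} {m}: trunk member configured as its own interface"
                 for i in plan for m in i.members if (i.device, m) in seen]
    return problems


def check_gateways(plan):
    """A default gateway must be a different host inside the interface's own subnet."""
    problems = []
    for i in plan:
        if i.gateway is not None:
            addr, gw = ipaddress.ip_interface(i.ip), ipaddress.ip_address(i.gateway)
            if gw not in addr.network or gw == addr.ip:
                problems.append(f"{i.device} {i.name}: gateway {gw} unreachable from {i.ip}")
    return problems


def check_ha_symmetry(plan, peers=("FW-a", "FW-b")):
    """Hot-standby peers must use the same interface names in the same zones, VLANs and
    subnets, with distinct addresses, so a failover does not change how traffic is zoned."""
    a, b = ({i.name: i for i in plan if i.device == d} for d in peers)
    problems = []
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            problems.append(f"{name}: present on only one peer")
            continue
        x, y = a[name], b[name]
        xi, yi = ipaddress.ip_interface(x.ip), ipaddress.ip_interface(y.ip)
        for field, ok in (("zone", x.zone == y.zone), ("VLAN tag", x.vlan_tag == y.vlan_tag),
                          ("subnet", xi.network == yi.network), ("address", xi.ip != yi.ip)):
            if not ok:
                problems.append(f"{name}: {field} mismatch between {peers[0]} and {peers[1]}")
    return problems


def check_heartbeat(plan, name="GE1/0/3"):
    """The heartbeat link is a point-to-point /30 whose two hosts are the two peers."""
    ends = [ipaddress.ip_interface(i.ip) for i in plan if i.name == name]
    if len(ends) != 2:
        return [f"{name}: expected two heartbeat ends, found {len(ends)}"]
    net = ends[0].network
    if net.prefixlen != 30 or ends[1].network != net:
        return [f"{name}: heartbeat ends must share one /30"]
    if {e.ip for e in ends} != set(net.hosts()):
        return [f"{name}: heartbeat addresses must be the two hosts of {net}"]
    return []


def validate(plan):
    """All problems found in the plan; an empty list means the plan is consistent."""
    return check_zones(plan) + check_gateways(plan) + check_ha_symmetry(plan) + check_heartbeat(plan)


def zone_summary(plan, device):
    """Zone -> sorted interface names for one device, the view to compare against the web UI."""
    out = {}
    for i in plan:
        if i.device == device:
            out.setdefault(i.zone, []).append(i.name)
    return {z: sorted(names) for z, names in sorted(out.items())}
```

Running `validate(PLAN)` on the tables as given returns an empty list. Swapping a single row, for example putting FW-b's GE1/0/4 into trust, is reported by `check_ha_symmetry` as a zone mismatch, which is the class of error that silently changes which policies apply after a failover.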