A security zone is a logical entity. One or more interfaces can be bound to one zone. A zone to which a policy is applied is known as a security zone, while a zone created for a specific function is known as a functional zone. Zones have the following features:
An interface should be bound to a zone. A Layer 2 zone is bound to a VSwitch, while a Layer 3 zone is bound to a VRouter. Therefore, the VSwitch to which a Layer 2 zone is bound decides which VSwitch the interfaces in that Layer 2 zone belong to, and the VRouter to which a Layer 3 zone is bound decides which VRouter the interfaces in that Layer 3 zone belong to.
Interfaces in Layer 2 zones and Layer 3 zones work in Layer 2 mode and Layer 3 mode respectively.
The system supports intra-zone policies, such as a trust-to-trust policy rule.
There are 8 pre-defined security zones in StoneOS, which are trust, untrust, dmz, L2-trust, L2-untrust, L2-dmz, vpnhub (VPN functional zone) and ha (HA functional zone). You can also customize security zones. Pre-defined security zones and user-defined security zones have no difference in functions, so you can make your choice freely.
Configuring a Security Zone
To create a security zone, take the following steps:
- Select Network > Zone.
- Click New.
- In the Zone Configuration dialog box, type the name of the zone into the Zone box.
- Type the descriptions of the zone in the Description text box.
- Specify a type for the security zone. For a Layer 2 zone, select a VSwitch for the zone from the VSwitch drop-down list below; for a Layer 3 zone, select a VRouter from the Virtual Router drop-down list. If TAP is selected, the zone created is a tap zone, which is used in Bypass mode.
- Bind interfaces to the zone. Select an interface from the Binding Interface drop-down list.
- If needed, select the Enable check box to enable APP identification for the zone.
- If needed, select the Enable check box to set the zone to a WAN zone, assuring the accuracy of the statistic analysis sets that are based on IP data.
- If needed, select the Enable check box to enable NetBIOS host query for the zone. For detailed instructions, see DNS.
- If needed, select Threat Protection tab and configure the parameters for Threat Protection function. For detailed instructions, see Threat Prevention.
- If needed, select Data Security tab and configure the parameters for Data Security function. For detailed instructions, see Data Security.
- If needed, select End Point Prevention tab and configure the parameters for End Point Prevention function. For detailed instructions, see End Point Protection.
- If needed, select IoT Monitor tab and configure the parameters for IoT Monitor function. For detailed instructions, see IoT Policy.
- Click OK.
Pre-defined zones cannot be deleted.
When changing the VSwitch to which a zone belongs, make sure there is no interface bound to the zone.
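To make the binding rules above concrete (an interface belongs to the VSwitch or VRouter of its zone, interface mode must match the zone's layer, pre-defined zones cannot be deleted, and a zone must be empty before its VSwitch/VRouter is changed), here is a small model of those rules as an added example. It is not StoneOS code or a StoneOS API; the class and method names, and the zone, interface, VRouter and VSwitch names in the sample, are constructed for illustration.

```python
# Added example (not StoneOS code): a model of the zone rules stated on this page,
# so the constraints can be checked mechanically. All names below are constructed.
from dataclasses import dataclass, field

# The eight pre-defined zones listed on the page; the page says they cannot be deleted.
PREDEFINED_ZONES = {
    "trust", "untrust", "dmz",           # Layer 3 security zones
    "L2-trust", "L2-untrust", "L2-dmz",  # Layer 2 security zones
    "vpnhub", "ha",                      # functional zones (VPN, HA)
}


@dataclass
class Zone:
    name: str
    layer: int                      # 2 (bound to a VSwitch) or 3 (bound to a VRouter)
    container: str                  # VSwitch name for Layer 2, VRouter name for Layer 3
    interfaces: set = field(default_factory=set)


class ZoneTable:
    """Tracks zones and which zone each interface is bound to (hypothetical model)."""

    def __init__(self):
        self.zones = {}        # zone name -> Zone
        self.iface_zone = {}   # interface name -> zone name

    def add_zone(self, name, layer, container):
        if layer not in (2, 3):
            raise ValueError("zone layer must be 2 or 3")
        if name in self.zones:
            raise ValueError(f"zone {name} already exists")
        self.zones[name] = Zone(name, layer, container)
        return self.zones[name]

    def bind_interface(self, iface, iface_layer, zone_name):
        """An interface belongs to one zone, and its mode must match the zone's layer."""
        zone = self.zones[zone_name]
        if iface_layer != zone.layer:
            raise ValueError(
                f"{iface} works in Layer {iface_layer} mode; {zone_name} is a Layer {zone.layer} zone")
        if iface in self.iface_zone:
            raise ValueError(f"{iface} is already bound to zone {self.iface_zone[iface]}")
        zone.interfaces.add(iface)
        self.iface_zone[iface] = zone_name

    def unbind_interface(self, iface):
        zone = self.zones[self.iface_zone.pop(iface)]
        zone.interfaces.discard(iface)

    def container_of(self, iface):
        """The VSwitch/VRouter an interface belongs to is decided by its zone's binding."""
        return self.zones[self.iface_zone[iface]].container

    def change_container(self, zone_name, new_container):
        """Rebinding a zone to another VSwitch/VRouter requires the zone to be empty."""
        zone = self.zones[zone_name]
        if zone.interfaces:
            raise ValueError(f"unbind {sorted(zone.interfaces)} from {zone_name} first")
        zone.container = new_container

    def delete_zone(self, zone_name):
        if zone_name in PREDEFINED_ZONES:
            raise ValueError(f"pre-defined zone {zone_name} cannot be deleted")
        zone = self.zones.pop(zone_name)
        for iface in zone.interfaces:
            del self.iface_zone[iface]


def build_sample_table():
    """Constructed sample: two pre-defined zones and one user-defined zone."""
    t = ZoneTable()
    t.add_zone("trust", 3, "trust-vr")        # Layer 3 zone on VRouter "trust-vr"
    t.add_zone("L2-trust", 2, "vswitch1")     # Layer 2 zone on VSwitch "vswitch1"
    t.add_zone("guest-wifi", 3, "trust-vr")   # user-defined Layer 3 zone
    t.bind_interface("ethernet0/0", 3, "trust")
    t.bind_interface("ethernet0/1", 2, "L2-trust")
    return t


if __name__ == "__main__":
    table = build_sample_table()
    print("ethernet0/0 belongs to", table.container_of("ethernet0/0"))
    print("ethernet0/1 belongs to", table.container_of("ethernet0/1"))
```

Each rejected operation corresponds to one of the page's rules: binding a Layer 2 interface to the Layer 3 `trust` zone, deleting a pre-defined zone, or moving `L2-trust` to another VSwitch while `ethernet0/1` is still bound all raise; unbinding the interface first makes the VSwitch change succeed.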