
Using Security Policy to Allow Access to Another Zone

This example introduces how to use security policies to control communication between two zones.

The scenario sets up a requirement that private network users are not allowed to access the Internet during work time. As shown in the topology, policies and schedules work together to allow internal users to access the server in another zone during work hours (9:00 to 17:00). Outside work hours, the server cannot be accessed.

Step 1: Configuring Interface

1. Configuring the interface connected to private network

Select Network > Interface, double click ethernet0/1.

  • Binding Zone: Layer 3 Zone
  • Zone: trust
  • Type: Static IP
  • IP Address: 192.168.1.1
  • Netmask: 255.255.255.0

2. Configuring the interface connected to Server

Select Network > Interface, double click ethernet0/2.

  • Binding Zone: Layer 3 Zone
  • Zone: dmz
  • Type: Static IP
  • IP Address: 10.10.1.1
  • Netmask: 255.255.255.0

Step 2: Configuring Schedule

Select Object > Schedule, and click New. In the prompt, click Add.

  • Name: work hour
  • Type: Daily
  • Start Time: 09:00
  • End Time: 17:00

Click OK to add it.

Step 3: Configuring Policies

1. Configuring a policy to allow internal users access to server during work hour

Select Policy > Security Policy, and click Add.

  • Name: work
  • Source
    • Zone: trust
    • Address: Any
  • Destination
    • Zone: dmz
    • Address: Any
  • Other Information
    • Schedule: work hour
    • Action: Permit

2. Configuring a policy that denies internal users access to the server

Select Policy > Security Policy, and click Add.

  • Name: rest
  • Source
    • Zone: trust
    • Address: Any
  • Destination
    • Zone: dmz
    • Address: Any
  • Other Information
    • Schedule: work hour
    • Action: Deny

3. Adjusting priority of policies

Select Policy > Security Policy, select the "work" policy, and click Move. Enter the ID of the "rest" policy, then click Before ID.

Note: The priority of a policy is only determined by its position in the list.
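The first-match behaviour that Step 3 relies on, as an added model that is not the firewall vendor's code: the ordered list is walked top down, a policy applies only when its zones match and its schedule (if any) is active, and, as an assumption of this model, traffic that matches no policy falls to an implicit default deny.

```python
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Schedule:
    name: str
    start: time  # inclusive
    end: time    # exclusive

    def active(self, now: time) -> bool:
        return self.start <= now < self.end


@dataclass(frozen=True)
class Policy:
    name: str
    src_zone: str
    dst_zone: str
    action: str                      # "permit" or "deny"
    schedule: Optional[Schedule] = None

    def matches(self, src_zone: str, dst_zone: str, now: time) -> bool:
        if (src_zone, dst_zone) != (self.src_zone, self.dst_zone):
            return False
        return self.schedule is None or self.schedule.active(now)


# Objects from Steps 2 and 3 of the page: one daily schedule, two policies.
WORK_HOUR = Schedule("work hour", time(9, 0), time(17, 0))
WORK = Policy("work", "trust", "dmz", "permit", WORK_HOUR)
REST = Policy("rest", "trust", "dmz", "deny", WORK_HOUR)


def evaluate(policies: List[Policy], src_zone: str, dst_zone: str,
             hhmm: str, default: str = "deny") -> Tuple[str, str]:
    """First-match evaluation at clock time 'HH:MM'. Returns (action, policy
    name); the default (assumed implicit deny) applies when nothing matches."""
    now = time.fromisoformat(hhmm)
    for p in policies:                # list position is the only priority
        if p.matches(src_zone, dst_zone, now):
            return p.action, p.name
    return default, "<default>"


if __name__ == "__main__":
    ordered = [WORK, REST]            # "work" moved before "rest", as in Step 3
    for t in ("10:00", "18:00"):
        print(t, evaluate(ordered, "trust", "dmz", t))
    print("10:00 reversed", evaluate([REST, WORK], "trust", "dmz", "10:00"))
```

Because both policies carry the "work hour" schedule, off-hours traffic matches neither and is decided by the implicit default; with the order reversed, "rest" matches first and denies even during work hours.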

Step 4: Configuring a default route

Select Network > Routing > Destination Route, and select New.

  • Destination: 0.0.0.0
  • Subnet Mask: 0
  • Next Hop: Gateway
  • Gateway: 10.10.1.1

Step 5: Results

After configuration, the internal PC can ping the server address successfully between 9:00 and 17:00.

When the internal PC pings the server outside work hours, the ping fails.