A security zone is a logical entity. One or more interfaces can be bound to one zone. A zone to which a policy is applied is known as a security zone, while a zone created for a specific function is known as a functional zone. Zones have the following features:
- An interface should be bound to a zone. A Layer 2 zone is bound to a VSwitch, while a Layer 3 zone is bound to a VRouter. Therefore, the VSwitch to which a Layer 2 zone is bound decides which VSwitch the interfaces in that zone belong to, and the VRouter to which a Layer 3 zone is bound decides which VRouter the interfaces in that zone belong to.
- Interfaces in a Layer 2 zone work in Layer 2 mode, and interfaces in a Layer 3 zone work in Layer 3 mode.
- The system supports intra-zone policies, such as a trust-to-trust policy rule.
StoneOS has 8 pre-defined security zones: trust, untrust, dmz, L2-trust, L2-untrust, L2-dmz, vpnhub (the VPN functional zone) and ha (the HA functional zone). You can also create your own security zones. Pre-defined and user-defined security zones do not differ in function, so you can choose either freely.
Configuring a Security Zone
To create a security zone, take the following steps:
- Select Network > Zone.
- Click New.
- In the Zone Configuration dialog box, type the name of the zone into the Zone box.
- Type the descriptions of the zone in the Description text box.
- Specify a type for the security zone. For a Layer 2 zone, select a VSwitch from the VSwitch drop-down list below; for a Layer 3 zone, select a VRouter from the Virtual Router drop-down list. If TAP is selected, the created zone is a tap zone, which is used in Bypass mode.
- Bind interfaces to the zone. Select an interface from the Binding Interface drop-down list.
- If needed, select the Enable button to enable APP identification for the zone.
- If needed, select the Enable button to set the zone as a WAN zone, which ensures the accuracy of the statistical analysis sets that are based on IP data.
- If needed, select the Enable button to enable NetBIOS host query for the zone. For detailed instructions, see DNS.
- If needed, select the Threat Protection tab and configure the parameters for the Threat Protection function. For detailed instructions, see Chapter 11 Threat Prevention.
- If needed, select the Data Security tab and configure the parameters for the Data Security function. For detailed instructions, see Data Security.
- If needed, select the End Point Prevention tab and configure the parameters for the End Point Prevention function. For detailed instructions, see End Point Protection.
- If needed, select the IoT Monitor tab and configure the parameters for the IoT Monitor function. For detailed instructions, see IoT Policy.
- Click OK.
- Pre-defined zones cannot be deleted.
- When changing the VSwitch to which a zone belongs, make sure there is no interface bound to the zone.
- An interface bound to a tap zone only monitors traffic and does not forward it. However, when the device enters the Bypass state (for example, on system restart, abnormal operation or device power-off), the Bypass interface pair is physically connected and traffic is forwarded between the two interfaces. To avoid this situation, do not set a pair of Bypass interfaces as the tap zone.
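The zone rules above (a Layer 2 zone is bound to a VSwitch and a Layer 3 zone to a VRouter, the zone's binding decides which VSwitch or VRouter an interface belongs to, a tap zone only monitors, pre-defined zones cannot be deleted, and a zone's binding cannot be changed while interfaces are bound to it) can be checked mechanically in an audit script. The following Python model is an added example and is not StoneOS code or a vendor API; the interface names, the default VSwitch and VRouter names (`vswitch1`, `trust-vr`), the assumption that an interface belongs to at most one zone, and the Layer 2/Layer 3 classification of the pre-defined zones are all assumptions made for the example:

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# The eight pre-defined zone names come from the page. Only the names are
# taken from the page; how seed_predefined() classifies them is an assumption.
PREDEFINED_ZONES = ("trust", "untrust", "dmz", "L2-trust", "L2-untrust",
                    "L2-dmz", "vpnhub", "ha")


@dataclass
class Zone:
    name: str
    kind: str                  # "l2" (bound to a VSwitch), "l3" (bound to a VRouter) or "tap"
    binding: Optional[str]     # VSwitch name, VRouter name, or None for a tap zone
    interfaces: Set[str] = field(default_factory=set)

    @property
    def forwards_traffic(self) -> bool:
        # A tap zone only monitors; its interfaces do not forward traffic.
        return self.kind != "tap"


class ZoneTable:
    """Zones plus the interface -> zone binding, enforcing the rules from the page."""

    def __init__(self) -> None:
        self.zones: Dict[str, Zone] = {}
        # Assumption: an interface is bound to at most one zone at a time.
        self.iface_zone: Dict[str, str] = {}

    def create(self, name: str, kind: str, binding: Optional[str] = None) -> Zone:
        if name in self.zones:
            raise ValueError(f"zone {name!r} already exists")
        if kind not in ("l2", "l3", "tap"):
            raise ValueError(f"unknown zone type {kind!r}")
        if kind == "l2" and not binding:
            raise ValueError("a Layer 2 zone must be bound to a VSwitch")
        if kind == "l3" and not binding:
            raise ValueError("a Layer 3 zone must be bound to a VRouter")
        if kind == "tap" and binding is not None:
            raise ValueError("a tap zone has no VSwitch/VRouter binding")
        zone = Zone(name, kind, binding)
        self.zones[name] = zone
        return zone

    def bind_interface(self, iface: str, zone_name: str) -> None:
        if iface in self.iface_zone:
            raise ValueError(f"{iface} is already bound to zone {self.iface_zone[iface]!r}")
        self.zones[zone_name].interfaces.add(iface)
        self.iface_zone[iface] = zone_name

    def member_of(self, iface: str) -> Optional[str]:
        """VSwitch (Layer 2) or VRouter (Layer 3) the interface belongs to.

        The zone's binding decides this, not a setting on the interface itself.
        """
        return self.zones[self.iface_zone[iface]].binding

    def interface_mode(self, iface: str) -> str:
        kind = self.zones[self.iface_zone[iface]].kind
        return {"l2": "Layer 2", "l3": "Layer 3", "tap": "monitor-only"}[kind]

    def delete(self, name: str) -> None:
        if name in PREDEFINED_ZONES:
            raise PermissionError(f"pre-defined zone {name!r} cannot be deleted")
        zone = self.zones.pop(name)
        for iface in zone.interfaces:
            del self.iface_zone[iface]

    def change_binding(self, name: str, new_binding: str) -> None:
        # Changing the VSwitch/VRouter is refused while any interface is bound.
        zone = self.zones[name]
        if zone.interfaces:
            raise ValueError(f"unbind {sorted(zone.interfaces)} from {name!r} first")
        zone.binding = new_binding


def seed_predefined(table: ZoneTable, vswitch: str = "vswitch1",
                    vrouter: str = "trust-vr") -> ZoneTable:
    # Assumed: trust/untrust/dmz are Layer 3 zones on the default VRouter and the
    # L2-* zones are Layer 2 zones on the default VSwitch; the functional zones
    # vpnhub and ha are not modelled here. Default names are assumptions.
    for name in ("trust", "untrust", "dmz"):
        table.create(name, "l3", vrouter)
    for name in ("L2-trust", "L2-untrust", "L2-dmz"):
        table.create(name, "l2", vswitch)
    return table


def rejected(action, *args) -> bool:
    """True if the action is refused by one of the rules (used for auditing)."""
    try:
        action(*args)
    except (ValueError, PermissionError):
        return True
    return False


if __name__ == "__main__":
    t = seed_predefined(ZoneTable())
    t.bind_interface("ethernet0/1", "trust")      # constructed interface name
    print("ethernet0/1 ->", t.interface_mode("ethernet0/1"), t.member_of("ethernet0/1"))
    print("delete trust refused:", rejected(t.delete, "trust"))
```

The audit functions return values rather than printing, so the same model can be run over an exported zone table and each refusal (`rejected(...)`) reported as a finding; the `Zone.forwards_traffic` property captures the tap-zone note, while the Bypass-state behaviour of a physical interface pair is outside what a logical model can check.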