Zone Configuration

You can create one of the following types of zones:

Security Zones (Layer 2 or Layer 3) – Physical areas of a network to which you apply security parameters. You can create, modify, and delete security zones. (You cannot delete the Trust and Untrust zones. You cannot delete or modify the Global zone, which is also unique in that it has no interfaces.) A security zone can operate either at Layer 3 or Layer 2 in the OSI model.

To Create a Layer 3 or Layer 2 Security Zone

Enter the necessary information:

Zone Name: Enter the name of the zone. The name of a Layer 2 security zone must begin with "L2-"; for example “L2-Corp” or “L2-XNet”.

Virtual Router Name: From the drop-down list, select the virtual router in whose routing domain you want to place the security zone.

If you are defining a security zone for networks whose addressing scheme you want to conceal from the external network, use the trust-vr. If it is a security zone for networks whose addressing scheme is publicly accessible, such as a DMZ zone, use the untrust-vr.

Zone Type: For a Layer 3 security zone, select Layer 3. For a Layer 2 security zone, select Layer 2. (Note that the device automatically adds VLAN tag 1 for all L2 zones.)

Block Intra-Zone Traffic: (For L3 zones) Select this check box if you want to block the flow of traffic between interfaces in the same zone. Clear this check box to permit traffic between interfaces in the same zone. For example, when setting up a hub-and-spoke VPN arrangement in which the device at the hub routes traffic between VPN tunnel interfaces within a single zone, you must clear this check box for the security zone hosting those interfaces.

If TCP non SYN, send RESET back: (For L3 zones only) Select this check box to send a TCP segment with the RESET flag set in response to a TCP segment that has any flag other than SYN set and does not belong to an existing session. If SYN checking is enabled (set flow tcp-syn-check), the device drops the segment, notifies the initiator to reset the TCP connection, and does not create a new session. (If the device does not send a RESET notice, the initiator repeatedly sends the same TCP segment until the connection attempt times out.) If SYN checking is disabled (unset flow tcp-syn-check), the device passes a TCP segment that has a control flag other than SYN set and does not belong to an existing session, provided a policy permits it.

Clear this check box to drop a TCP segment that has any control flag other than SYN set and does not belong to an existing session, without sending the initiator a RESET segment to indicate that the attempted connection was not established.

TCP/IP Reassembly for ALG: (For L2 and L3 zones only) Select this check box if you want to enable the reassembly of IP packet fragments and TCP segment fragments on all HTTP and FTP traffic that arrives at any interface bound to the security zone that you are creating or modifying. Reassembling fragments allows the device to better enforce its malicious URL screening and its application layer gateway (ALG) services for HTTP and FTP traffic.

Asymmetric VPN: (For L3 zones only) Select this check box if the device is in an environment in which requests flow through a VPN tunnel in one direction and the corresponding responses flow through a different VPN tunnel in the other direction. The device can match packets to their proper sessions regardless of the tunnels through which they pass. This feature allows free routing of VPN traffic between two or more sites when there are multiple possible paths for VPN traffic.

Management Services:

WebUI: Select this option to enable management through the Web user interface (WebUI).

SNMP: Select this option to enable the use of SNMP. The device supports the SNMPv1 protocol (described in RFC-1157) and all relevant MIB II (Management Information Base II) groups defined in RFC-1213.

Telnet: Select this option to allow management through a terminal emulation program for TCP/IP networks such as the Internet. Telnet is a common way to remotely control a network device.

SSL: Select this option to allow the interface to receive HTTPS traffic for secure management of the device via the WebUI.

SSH: Select this option to enable management using a secure command shell (SSH). You can administer the device from an Ethernet connection or a dial-in modem using SSH.

Other Services:

Ping: Select this option to allow the device to respond to ICMP echo requests, or "pings". Ping is a utility that determines whether a specific IP address is accessible or not.

Ident-reset: Services like Mail and FTP send identification requests. If they receive no acknowledgment, they send the request again. While the request is pending, the user has no access. An ident-reset restores access that has been blocked by an unacknowledged identification request.

WebAuth: (For L2 zones only. Appears only when editing a predefined L2 zone or a user-defined L2 zone that you have previously created.) Select this option to enable WebAuth authentication through this interface. Enter the IP address of the WebAuth server performing the authentication.

Shared Zone: (For L3 zones on devices that support virtual systems) Select this check box to enable all virtual systems to be able to share the security zone with the root level. Note that although you can delete a shared zone, you cannot change it back to a non-shared zone unless you first delete all existing virtual systems.

IP Classification: (For L3 zones on devices that support virtual systems) Select this check box to enable virtual system IP classification for subnets or address ranges defined in this zone. This option associates IP addresses with particular virtual systems, as opposed to VLAN tagging.

Click OK to save your configuration.

Tunnel Zones – Logical areas of address space that can support dynamic IP (DIP) address pools for NAT applications to pre- and post-encapsulated IPSec traffic. You can create, modify, and delete tunnel zones. Tunnel zones also provide great flexibility in combining tunnel interfaces with VPN tunnels. Multiple tunnel interfaces in a tunnel zone can share a single VPN tunnel. Likewise, multiple VPN tunnels bound to a tunnel zone can share a single tunnel interface. (When a tunnel interface is in a security zone, the relationship between a tunnel interface and a VPN tunnel is one-to-one.)

To Create a Tunnel Zone

Enter the necessary information.

Zone Name: Enter the name of the zone. To distinguish the names of tunnel zones from those of security zones, you might want to use a convention such as adding the suffix “-Tun” to the name of all tunnel zones.

Virtual Router Name: From the drop-down list, select the virtual router in whose routing domain you want to place the tunnel zone.

When defining a tunnel zone, the virtual router you choose affects the need to add route table entries in other virtual routers. If you place the tunnel zone in the untrust-vr, then you must enter routes in the trust-vr for traffic from any zone in the trust-vr routing domain to reach a tunnel interface in that tunnel zone. On the other hand, if you put the tunnel zone in the trust-vr, traffic from all other zones in the trust-vr routing domain can reach tunnel interfaces in that tunnel zone without the need to add routes manually.

Zone Type: For a tunnel zone, select Tunnel. In the Out Zone drop-down list, select the security zone to act as the carrier zone for the tunnel zone that you are defining. Note that the carrier zone must use the same virtual router as the tunnel zone.

Note: None of the other options on this page apply to tunnel zones.

Click OK to save your configuration.

Modifying an Existing Zone

Once you create or configure a zone, two new options become available for that zone in the Configure column of the Zones List page: SCREEN and Mal-URL.

To Modify a Security Zone

You can modify the following fields:

Note: Depending on which zone you are editing, some of these fields might not be available.

Zone Name: (Read-only) Indicates the name of the zone.

Virtual Router Name: From the drop-down list, select the virtual router in whose routing domain you want to place the security zone.

Block Intra-Zone Traffic: (For L3 zones only) Select this check box if you want to block the flow of traffic between interfaces in the same zone. Clear this check box to permit traffic between interfaces in the same zone.

If TCP non SYN, send RESET back: (For L3 zones only) Select this check box to send a TCP segment with the RESET flag set in response to a TCP segment that has any flag other than SYN set and does not belong to an existing session. If SYN checking is enabled (set flow tcp-syn-check), the device drops the segment, notifies the initiator to reset the TCP connection, and does not create a new session. (If the device does not send a RESET notice, the initiator repeatedly sends the same TCP segment until the connection attempt times out.) If SYN checking is disabled (unset flow tcp-syn-check), the device passes a TCP segment that has a control flag other than SYN set and does not belong to an existing session, provided a policy permits it.

Clear this check box to drop a TCP segment that has any control flag other than SYN set and does not belong to an existing session, without sending the initiator a RESET segment to indicate that the attempted connection was not established.

TCP/IP Reassembly for ALG: (For L2 and L3 zones only) Select this check box if you want to enable the reassembly of IP packet fragments and TCP segment fragments on all HTTP and FTP traffic that arrives at any interface bound to the security zone that you are creating or modifying. Reassembling fragments allows the device to better enforce its malicious URL screening and its application layer gateway (ALG) services for HTTP and FTP traffic.

Asymmetric VPN: (For L3 zones) Select this check box if the device is in an environment in which requests flow through a VPN tunnel in one direction and the corresponding responses flow through a different VPN tunnel in the other direction. The device can match packets to their proper sessions regardless of the tunnels through which they pass. This feature allows free routing of VPN traffic between two or more sites when there are multiple possible paths for VPN traffic.

Shared Zone: (For L3 zones on devices that support virtual systems) Select this check box to enable all virtual systems to be able to share the security zone with the root level. Note that although you can delete a shared zone, you cannot change it back to a non-shared zone unless you first delete all existing virtual systems.

IP Classification: (For L3 zones on devices that support virtual systems) Select this check box to enable virtual system IP classification for subnets or address ranges defined in this zone. This option associates IP addresses with particular virtual systems, as opposed to VLAN tagging.

Management Services: (For L2 zones only)

WebUI: Select this option to enable management through the Web user interface (WebUI).

SNMP: Select this option to enable the use of SNMP. The device supports the SNMPv1 protocol (described in RFC-1157) and all relevant MIB II (Management Information Base II) groups defined in RFC-1213.

Telnet: Select this option to allow management through a terminal emulation program for TCP/IP networks such as the Internet. Telnet is a common way to remotely control a network device.

SSL: Select this option to allow the interface to receive HTTPS traffic for secure management of the device via the WebUI.

SSH: Select this option to enable management using a secure command shell (SSH). You can administer the device from an Ethernet connection or a dial-in modem using SSH.

NSM: Select this option to allow the interface to receive NetScreen-Security Manager traffic.

Other Services:

Ping: Select this option to allow the device to respond to ICMP echo requests, or "pings". Ping is a utility that determines whether a specific IP address is accessible or not.

Ident-reset: Services like Mail and FTP send identification requests. If they receive no acknowledgment, they send the request again. While the request is pending, the user has no access. An ident-reset restores access that has been blocked by an unacknowledged identification request.

WebAuth: (For L2 zones only) Select this option to enable WebAuth authentication through all interfaces bound to this zone. You set up the WebAuth server on the VLAN1 interface.

Click OK to save your changes.

To Modify the MGT Zone

For the MGT function zone, you can enable or disable the following option:

Block Intra-Zone Traffic: Select this check box if you want to block the flow of traffic between multiple interfaces bound to the MGT zone. Clear this check box to permit traffic between interfaces bound to the MGT zone.

Click OK to save your changes.

To Modify the VLAN Zone

For the VLAN function zone, you can modify the following fields:

Zone Name: (Read-only) Indicates the name of the zone.

Virtual Router Name: From the drop-down list, select the virtual router in whose routing domain you want to place the VLAN zone.

Block Intra-Zone Traffic: Select this check box if you want to block the flow of traffic between interfaces in the same zone. Clear this check box to permit traffic between interfaces in the same zone.

If TCP non SYN, send RESET back: (For L3 zones only) Select this check box to send a TCP segment with the RESET flag set in response to a TCP segment that has any flag other than SYN set and does not belong to an existing session. If SYN checking is enabled (set flow tcp-syn-check), the device drops the segment, notifies the initiator to reset the TCP connection, and does not create a new session. (If the device does not send a RESET notice, the initiator repeatedly sends the same TCP segment until the connection attempt times out.) If SYN checking is disabled (unset flow tcp-syn-check), the device passes a TCP segment that has a control flag other than SYN set and does not belong to an existing session, provided a policy permits it.

Clear this check box to drop a TCP segment that has any control flag other than SYN set and does not belong to an existing session, without sending the initiator a RESET segment to indicate that the attempted connection was not established.
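The decision that the "If TCP non SYN, send RESET back" option controls, as described here and in the security zone sections above, modelled as an added Python example (not ScreenOS code). The zone_tcp_rst and syn_check parameters are assumed names standing for the check box and the set flow tcp-syn-check setting, policy_permits stands for the policy lookup, and the segment values are constructed.

```python
# Added model of the "If TCP non SYN, send RESET back" decision.
# Not ScreenOS code: zone_tcp_rst stands for the check box and
# syn_check for the global "set flow tcp-syn-check" setting.
from dataclasses import dataclass

SYN, ACK, RST = 0x02, 0x10, 0x04   # TCP control-flag bits
CTRL = 0x3F                        # FIN SYN RST PSH ACK URG


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def session_key(seg):
    """Session lookup key; the model tracks only TCP."""
    return (seg.src, seg.sport, seg.dst, seg.dport)


def decide(seg, sessions, zone_tcp_rst, syn_check, policy_permits):
    """Return (action, reply) for one inbound segment.

    action: "forward", "create-session" or "drop"
    reply:  "RST" when the device answers the initiator, else None
    `sessions` is the device's session table and is updated in place.
    """
    key = session_key(seg)
    if key in sessions:
        return "forward", None                 # existing session: normal flow
    bare_syn = (seg.flags & CTRL) == SYN       # a SYN-ACK counts as non-SYN
    if bare_syn:
        if policy_permits:                     # first packet of a new session
            sessions.add(key)
            return "create-session", None
        return "drop", None
    # Non-SYN segment with no matching session.
    if syn_check:
        # SYN checking on: no session is created. With the option selected
        # the initiator is told to reset; otherwise it keeps retransmitting
        # until its connection attempt times out.
        return "drop", ("RST" if zone_tcp_rst else None)
    # SYN checking off: the segment passes if a policy permits it (session
    # creation on pass and a silent drop on deny are assumptions here).
    if policy_permits:
        sessions.add(key)
        return "forward", None
    return "drop", None
```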

TCP/IP Reassembly for ALG: (For L2 and L3 zones only) Select this check box if you want to enable the reassembly of IP packet fragments and TCP segment fragments on all HTTP and FTP traffic that arrives at any interface bound to the security zone that you are creating or modifying. Reassembling fragments allows the device to better enforce its malicious URL screening and its application layer gateway (ALG) services for HTTP and FTP traffic.

Click OK to save your changes.

To enable various screen options, click SCREEN. For more information, see Screen Options.

To enable the Malicious URL Protection feature, click Mal-URL. For more information, see Malicious URL Protection.