Zone configuration example, Network requirements – H3C Technologies H3C SecPath F1000-E User Manual
Item / Description
Preference: Set the preference of the specified zone. By default, packets from a high priority zone to a low priority zone are allowed to pass.
Share: Set whether the specified zone can be referenced by other virtual devices.
Virtual Device: Display the virtual device to which the zone belongs.
Interface > Interface: Set the interfaces to be added to the zone. The interfaces that have been added to a zone are in the selected status, and the interfaces that can be added but have not been added to a zone are in the non-selected status.
Interface > VLAN: If the interfaces added to the zone are Layer 2 Ethernet interfaces, you must specify the range of the VLANs to be added to the zone. The VLANs must belong to the virtual device to which the zone belongs and must not have been added to other zones.
Zone configuration example
Network requirements
A company uses SecPath as the network border firewall device to connect the internal network and the Internet and to provide WWW and FTP services to the external network. You need to perform some basic configurations for the zones of the firewall to prepare for the configurations of the security policies.

The internal network is a trusted network and can access the server and the external network. You can deploy the internal network in the Trust zone with a higher priority and connect the interface GigabitEthernet 0/1 on SecPath to the internal network.

The external network is an untrusted network, and you need to use strict security rules to control access from the external network to the internal network and the server. You can deploy the external network in the Untrust zone with a lower priority and connect the interface GigabitEthernet 0/3 on SecPath to the external network.

If you deploy the WWW server and the FTP server on the external network, their security cannot be ensured; if you deploy them on the internal network, attackers on the external network may exploit vulnerabilities in the servers to reach the internal network. Therefore, you can deploy the servers in the DMZ zone with a priority between Trust and Untrust, and connect the Ethernet interface GigabitEthernet 0/2 on SecPath to the servers. In this way, the servers in the DMZ zone can access the external network in the Untrust zone, which has a lower priority, but when they access the internal network in the Trust zone, which has a higher priority, their access is controlled by the security rules.
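The following Python model is an added illustration, not code from the H3C manual or the SecPath firmware. It applies the zone rules from the table above (one interface per zone, VLANs of Layer 2 members not shared across zones, higher-priority to lower-priority traffic passing by default) to the Trust/DMZ/Untrust layout of this example; the preference values 85, 50 and 5 are assumed for illustration, since the page gives no numbers.

```python
from dataclasses import dataclass, field

@dataclass
class Zone:
    name: str
    preference: int                   # higher value = higher priority (more trusted)
    interfaces: set = field(default_factory=set)
    vlans: set = field(default_factory=set)  # VLANs bound when members are Layer 2 ports

class ZoneTable:
    """Zone membership plus the default inter-zone rule described in the table above."""
    def __init__(self):
        self.zones = {}
        self.iface_owner = {}   # interface name -> zone name (an interface joins one zone)
        self.vlan_owner = {}    # VLAN id -> zone name (a VLAN joins one zone)

    def add_zone(self, name, preference):
        self.zones[name] = Zone(name, preference)

    def add_interface(self, zone_name, iface, vlans=()):
        zone = self.zones[zone_name]
        if iface in self.iface_owner:
            raise ValueError(f"{iface} already belongs to zone {self.iface_owner[iface]}")
        # Layer 2 members carry a VLAN range; those VLANs must not be in another zone
        taken = [v for v in vlans if self.vlan_owner.get(v, zone_name) != zone_name]
        if taken:
            raise ValueError(f"VLANs {taken} already belong to other zones")
        zone.interfaces.add(iface)
        self.iface_owner[iface] = zone_name
        for v in vlans:
            zone.vlans.add(v)
            self.vlan_owner[v] = zone_name

    def default_action(self, src_iface, dst_iface):
        """Higher- to lower-priority traffic passes by default; anything else needs a security policy."""
        src = self.zones[self.iface_owner[src_iface]]
        dst = self.zones[self.iface_owner[dst_iface]]
        return "permit-by-default" if src.preference > dst.preference else "needs-security-policy"

def build_example():
    """The layout from the manual's example; preference values are assumed, not given."""
    t = ZoneTable()
    t.add_zone("Trust", 85)
    t.add_zone("DMZ", 50)
    t.add_zone("Untrust", 5)
    t.add_interface("Trust", "GigabitEthernet0/1")
    t.add_interface("DMZ", "GigabitEthernet0/2")
    t.add_interface("Untrust", "GigabitEthernet0/3")
    return t
```

Running `build_example().default_action("GigabitEthernet0/2", "GigabitEthernet0/1")` shows why the DMZ servers cannot reach the internal network without an explicit policy, while the reverse direction passes by default.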