Interzone policy configuration, Interzone policy overview – H3C Technologies H3C SecPath F1000-E User Manual
Interzone policy configuration
NOTE:
The interzone policy configuration is available only in the web interface.
Interzone policy overview
Interzone policies, based on ACLs, identify and filter traffic between zones. An interzone policy references one ACL for each pair of source zone and destination zone. This ACL contains a group of ACL rules, each of which permits or denies packets matching its match criteria.
Use either of the following methods to configure an interzone policy:
• Method 1: Configure an interzone policy rule directly by referencing an address resource, a service resource, a time range resource, and a content filtering policy template, and configuring a filtering action. Packets are then filtered based on match criteria. The match criteria may include source IP address, destination IP address, source MAC address, destination MAC address, protocol type, protocol features (such as TCP/UDP source or destination port, ICMP message type, and ICMP message code), time range, and content in HTTP/SMTP messages. Rules for a pair of source zone and destination zone are listed in match order on the web page. A rule listed earlier has a higher priority and is matched earlier. The rules are in the order they are created, and you can manually adjust the order.
• Method 2: Configure an interzone policy group by referencing advanced ACLs. Packets are then filtered based on match criteria. The match criteria may include source IP address, destination IP address, source port, destination port, and protocol type. ACLs for a pair of source zone and destination zone are listed in match order on the web page. An ACL listed earlier has a higher priority and is matched earlier. The ACLs are in the order they are selected for the group, and you can manually adjust the order.
NOTE:
• In method 1, the number of the ACL referenced by an interzone policy is assigned automatically by the system. When you create the first rule for a pair of zones, the system automatically creates an ACL for the interzone policy and assigns it an ACL number that is one more than the last assigned ACL number, starting from 6000. If you remove all rules of the interzone policy, the system automatically removes the ACL.
• For a given pair of source zone and destination zone, use the same method to configure the interzone policy.
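The first-match semantics of method 1 (earlier rule wins, new rules appended last, manual reordering) and the automatic ACL numbering described in the note above are easy to get wrong when reviewing a policy: moving a broad permit above a narrow deny silently disables the deny. The following model is an added example, not H3C code and not the SecPath web interface; it assumes CIDR address resources, a simplified service resource (protocol plus destination port), and a hypothetical `shadowed_rules` check that reports rules that can never match because an earlier rule already covers them. The zone names and packets are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ACL_BASE = 6000  # manual: auto-assigned interzone ACL numbers start from 6000


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str                 # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None   # destination port, if the protocol has one


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"          # source address resource (CIDR)
    dst: str = "0.0.0.0/0"          # destination address resource (CIDR)
    protocol: Optional[str] = None  # None matches any protocol (simplified service resource)
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src_ip) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst_ip) not in ip_network(self.dst):
            return False
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True when every packet matched by `other` is also matched by this rule."""
        return (ip_network(self.src).supernet_of(ip_network(other.src))
                and ip_network(self.dst).supernet_of(ip_network(other.dst))
                and (self.protocol is None or self.protocol == other.protocol)
                and (self.dport is None or self.dport == other.dport))


class InterzonePolicyTable:
    """Model of method 1: one auto-numbered ACL per (source zone, destination zone)."""

    def __init__(self) -> None:
        self._acls: Dict[Tuple[str, str], Tuple[int, List[Rule]]] = {}
        self._last_acl = ACL_BASE - 1  # next assignment is "one more than the last"

    def acl_number(self, src_zone: str, dst_zone: str) -> Optional[int]:
        entry = self._acls.get((src_zone, dst_zone))
        return entry[0] if entry else None

    def add_rule(self, src_zone: str, dst_zone: str, rule: Rule) -> int:
        key = (src_zone, dst_zone)
        if key not in self._acls:               # first rule for this zone pair: create the ACL
            self._last_acl += 1
            self._acls[key] = (self._last_acl, [])
        self._acls[key][1].append(rule)         # new rules are appended, i.e. lowest priority
        return self._acls[key][0]

    def move_rule(self, src_zone: str, dst_zone: str, old_index: int, new_index: int) -> None:
        rules = self._acls[(src_zone, dst_zone)][1]
        rules.insert(new_index, rules.pop(old_index))   # manual reordering on the web page

    def remove_rule(self, src_zone: str, dst_zone: str, index: int) -> None:
        key = (src_zone, dst_zone)
        rules = self._acls[key][1]
        del rules[index]
        if not rules:                           # last rule removed: the ACL is removed too
            del self._acls[key]

    def evaluate(self, src_zone: str, dst_zone: str, pkt: Packet) -> Optional[Tuple[str, int]]:
        """First-match lookup: returns (action, rule index) or None when no rule matches.
        The page does not state the default for unmatched traffic, so none is assumed."""
        entry = self._acls.get((src_zone, dst_zone))
        if entry is None:
            return None
        for index, rule in enumerate(entry[1]):
            if rule.matches(pkt):
                return rule.action, index
        return None

    def shadowed_rules(self, src_zone: str, dst_zone: str) -> List[int]:
        """Hypothetical review check: indexes of rules fully covered by an earlier rule."""
        rules = self._acls[(src_zone, dst_zone)][1]
        return [j for j in range(len(rules))
                if any(rules[i].covers(rules[j]) for i in range(j))]


if __name__ == "__main__":
    table = InterzonePolicyTable()
    # Constructed sample policy: block Telnet from the inside, permit everything else from it.
    table.add_rule("Trust", "Untrust", Rule("deny", src="10.0.0.0/8", protocol="tcp", dport=23))
    table.add_rule("Trust", "Untrust", Rule("permit", src="10.0.0.0/8"))
    telnet = Packet("10.1.1.5", "203.0.113.9", "tcp", 23)
    print("ACL", table.acl_number("Trust", "Untrust"), "->", table.evaluate("Trust", "Untrust", telnet))
    table.move_rule("Trust", "Untrust", 1, 0)   # permit moved above deny: deny is now dead
    print("after reorder ->", table.evaluate("Trust", "Untrust", telnet),
          "shadowed:", table.shadowed_rules("Trust", "Untrust"))
```

Running the script shows the ordering pitfall directly: with the deny listed first the Telnet packet is denied by rule 0; after moving the permit above it the same packet is permitted, and `shadowed_rules` flags the deny at index 1 as unreachable. The ACL numbers follow the note above: the first zone pair receives 6000, the next pair 6001, and once all rules of a pair are deleted a fresh rule for that pair gets 6002 rather than reusing 6000.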
Interzone policies support the ACL acceleration feature, which improves the forwarding performance and connection setup performance of the device. ACL acceleration speeds up ACL lookup, and its effect increases with the number of ACL rules.