
Zone configuration example, Network requirements – H3C Technologies H3C SecPath F1000-E User Manual

Page 129


Item / Description

Preference: Sets the preference of the specified zone. By default, packets from a higher-priority zone to a lower-priority zone are allowed to pass.

Share: Sets whether the specified zone can be referenced by other virtual devices.

Virtual Device: Displays the virtual device to which the zone belongs.

Interface > Interface: Sets the interfaces to be added to the zone. Interfaces that have already been added to the zone are shown as selected; interfaces that can be added but have not yet been added to any zone are shown as not selected.

Interface > VLAN: If the interfaces added to the zone are Layer 2 Ethernet interfaces, you must specify the range of VLANs to be added to the zone. The VLANs must belong to the virtual device to which the zone belongs and must not have been added to other zones.

Return to Zone configuration task list.

Zone Configuration Example

Network requirements

A company uses Device as the network border firewall connecting the internal network to the
Internet, and provides WWW and FTP services to the external network. You need to perform some
basic zone configuration on the firewall to prepare for the security policy configuration.

The internal network is a trusted network and can access the server and the external network. You
can deploy the internal network in the Trust zone with a higher priority and connect the interface
GigabitEthernet 0/0 on Device to the external network.

The external network is an untrusted network, and you need to use strict security rules to control
access from the external network to the internal network and the server. You can deploy the
external network in the Untrust zone with a lower priority and connect the interface
GigabitEthernet 0/2 on Device to the external network.

If you deploy the WWW server and the FTP server on the external network, their security cannot be
ensured; if you deploy them on the internal network, unauthorized external users may exploit
security holes in those servers to attack the internal network. Therefore, you can deploy the
servers in the DMZ zone with a priority between Trust and Untrust, and connect the Ethernet interface
GigabitEthernet 0/1 on Device to the servers. In this way, a server in the DMZ zone can access the
external network in the lower-priority Untrust zone by default, but when it accesses the internal
network in the higher-priority Trust zone, its access is controlled by the security rules.
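The following is an added illustration, not code from the H3C manual or the SecPath product: a small Python model of the zone rules described on this page (higher-to-lower preference flows pass by default, everything else falls through to the security rules, an interface belongs to at most one zone, and Layer 2 VLANs must be owned by the zone's virtual device and not already used by another zone). The zone names, the preference values 85/50/5, the virtual device name "Root" and the VLAN ownership set are constructed sample values; the three interfaces match the Trust/DMZ/Untrust layout in the requirements above.

```python
"""Toy model of firewall zone preference and membership rules.

Constructed example for illustration; not H3C code. Preference values,
virtual device name and VLAN ownership are made-up sample data.
"""
from dataclasses import dataclass, field


class ZoneConfigError(ValueError):
    """Raised when a zone change violates one of the membership rules."""


@dataclass
class Zone:
    name: str
    preference: int                    # higher value = more trusted zone
    virtual_device: str = "Root"       # assumed name of the default virtual device
    shareable: bool = False            # "Share": usable by other virtual devices
    interfaces: set = field(default_factory=set)
    vlans: set = field(default_factory=set)   # only set for Layer 2 interfaces


class Firewall:
    def __init__(self, virtual_device_vlans):
        # virtual_device_vlans: {virtual device name: set of VLAN IDs it owns}
        self.zones = {}
        self.vdev_vlans = virtual_device_vlans

    def add_zone(self, zone):
        if zone.name in self.zones:
            raise ZoneConfigError(f"zone {zone.name} already exists")
        self.zones[zone.name] = zone

    def zone_of(self, ifname):
        """Return the zone holding ifname, or None if it is not in any zone."""
        for zone in self.zones.values():
            if ifname in zone.interfaces:
                return zone
        return None

    def add_interface(self, zone_name, ifname, layer2_vlans=None):
        """Add an interface (and, for Layer 2 interfaces, its VLANs) to a zone."""
        zone = self.zones[zone_name]
        owner = self.zone_of(ifname)
        if owner is not None:
            raise ZoneConfigError(f"{ifname} is already in zone {owner.name}")
        if layer2_vlans is not None:
            wanted = set(layer2_vlans)
            owned = self.vdev_vlans.get(zone.virtual_device, set())
            foreign = wanted - owned
            if foreign:
                raise ZoneConfigError(
                    f"VLANs {sorted(foreign)} do not belong to {zone.virtual_device}")
            for other in self.zones.values():
                clash = other.vlans & wanted
                if clash and other.virtual_device == zone.virtual_device:
                    raise ZoneConfigError(
                        f"VLANs {sorted(clash)} already used by zone {other.name}")
            zone.vlans |= wanted
        zone.interfaces.add(ifname)

    def default_action(self, src_if, dst_if):
        """'permit' for higher- to lower-preference flows; 'policy' otherwise.

        'policy' means the flow is decided by the configured security rules.
        Treating unzoned interfaces as an error is a modelling assumption.
        """
        src, dst = self.zone_of(src_if), self.zone_of(dst_if)
        if src is None or dst is None:
            raise ZoneConfigError("both interfaces must belong to a zone")
        return "permit" if src.preference > dst.preference else "policy"


def build_example():
    """Trust/DMZ/Untrust layout from the network requirements (values constructed)."""
    fw = Firewall({"Root": {10, 20}})
    fw.add_zone(Zone("Trust", 85))
    fw.add_zone(Zone("DMZ", 50))
    fw.add_zone(Zone("Untrust", 5))
    fw.add_interface("Trust", "GigabitEthernet0/0")
    fw.add_interface("DMZ", "GigabitEthernet0/1")
    fw.add_interface("Untrust", "GigabitEthernet0/2")
    return fw


if __name__ == "__main__":
    fw = build_example()
    for src, dst in [("GigabitEthernet0/1", "GigabitEthernet0/2"),   # DMZ -> Untrust
                     ("GigabitEthernet0/1", "GigabitEthernet0/0"),   # DMZ -> Trust
                     ("GigabitEthernet0/2", "GigabitEthernet0/1")]:  # Untrust -> DMZ
        print(src, "->", dst, ":", fw.default_action(src, dst))
```

Running the script shows the asymmetry the page describes: the DMZ server reaching the Untrust zone is permitted by default, while DMZ-to-Trust and Untrust-to-DMZ traffic is left to the security rules, which is why the inbound WWW and FTP access still has to be written as explicit policy.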
