
Interzone policy configuration, Interzone policy overview, Configuring an interzone policy – H3C Technologies H3C SecPath F1000-E User Manual

Page 593: Configuration task list


Interzone Policy Configuration

Interzone Policy Overview

Interzone policies, based on ACLs, are used to identify traffic between zones. An interzone policy references one ACL for a pair of source zone and destination zone. This ACL contains a group of ACL rules, each of which permits or denies packets matching the match criteria.
Follow either of the two methods to configure an interzone policy:

Method 1: Configure an interzone policy rule directly by referencing an address resource, a service resource, a time range resource, and content filtering policy templates, and configuring a filtering action. Packets are then filtered based on match criteria. The match criteria may include source IP address, destination IP address, source MAC address, destination MAC address, protocol type, protocol features (such as TCP/UDP source or destination port, ICMP message type, and ICMP message code), time range, and content in HTTP/SMTP messages. Rules for a pair of source zone and destination zone are listed in match order on the Web page. A rule listed earlier has a higher priority and is matched earlier. The rules are in the order they are created, and you can manually adjust the order.

Method 2: Configure an interzone policy group by referencing advanced ACLs. Packets are then filtered based on match criteria. The match criteria may include source IP address, destination IP address, source port, destination port, and protocol type. ACLs for a pair of source zone and destination zone are listed in match order on the Web page. An ACL listed earlier has a higher priority and is matched earlier. The ACLs are in the order they are selected for the group, and you can manually adjust the order.

NOTE:

In method 1, the number of an ACL referenced in an interzone policy is assigned automatically by the system. When you create the first rule for two zones, the system automatically creates an ACL for the interzone policy and assigns it an ACL number that is one more than the last assigned ACL number, starting from 6000. If you remove all rules of the interzone policy, the system automatically removes the ACL.

For a pair of source zone and destination zone, use the same method to configure the interzone policy.
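The ordered, first-match rule evaluation described under Method 1 and the automatic ACL numbering described in the NOTE above are easy to get wrong in practice: a broad rule placed early silently shadows a narrower rule placed after it. The following Python model is an added example, not H3C code or device behaviour taken from this manual; it assumes that rules are evaluated top to bottom with the first match winning, that a rule is identified by source address, destination address, protocol type and destination port (a subset of the match criteria the page lists), and that a packet matching no rule is reported as unmatched because this page does not say what the device does with such traffic. The `shadowed_rules` check is an added defender's aid that the page does not describe.

```python
"""Model of ordered interzone policy matching and automatic ACL numbering.

Added example; hypothetical simplification of the behaviour described on the page,
not the device's own implementation.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str               # source address resource as CIDR, e.g. "10.1.0.0/16"
    dst: str               # destination address resource as CIDR ("0.0.0.0/0" = any)
    proto: str             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]   # TCP/UDP destination port, None = any port
    action: str            # "permit" or "deny"

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: Optional[int]) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by this rule."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))


class AclAllocator:
    """Hands out ACL numbers for interzone policies: one more than the last
    assigned number, starting at 6000. Numbers are not reused after removal
    (assumption: the page says 'one more than the last assigned ACL number')."""

    def __init__(self, start: int = 6000):
        self._next = start

    def allocate(self) -> int:
        number = self._next
        self._next += 1
        return number


class InterzonePolicy:
    """Ordered rule list for one (source zone, destination zone) pair."""

    def __init__(self, src_zone: str, dst_zone: str, allocator: AclAllocator):
        self.src_zone, self.dst_zone = src_zone, dst_zone
        self._allocator = allocator
        self.acl_number: Optional[int] = None   # created with the first rule
        self.rules: List[Rule] = []

    def add_rule(self, rule: Rule) -> None:
        if not self.rules:                      # first rule: system creates the ACL
            self.acl_number = self._allocator.allocate()
        self.rules.append(rule)                 # new rules go to the end of the match order

    def remove_rule(self, index: int) -> None:
        del self.rules[index]
        if not self.rules:                      # last rule removed: ACL is removed too
            self.acl_number = None

    def move_rule(self, index: int, new_index: int) -> None:
        """Manual reordering, as the Web page allows."""
        self.rules.insert(new_index, self.rules.pop(index))

    def evaluate(self, src_ip: str, dst_ip: str, proto: str,
                 dport: Optional[int] = None) -> Optional[Tuple[str, int]]:
        """Return (action, index of the first matching rule), or None if no rule matches."""
        for index, rule in enumerate(self.rules):
            if rule.matches(src_ip, dst_ip, proto, dport):
                return rule.action, index
        return None

    def shadowed_rules(self) -> List[int]:
        """Indices of rules that can never be hit because an earlier rule covers them."""
        return [j for j, later in enumerate(self.rules)
                if any(earlier.covers(later) for earlier in self.rules[:j])]


if __name__ == "__main__":
    # Constructed sample: a broad deny created before a narrower permit.
    policy = InterzonePolicy("Trust", "Untrust", AclAllocator())
    policy.add_rule(Rule("10.1.0.0/16", "0.0.0.0/0", "any", None, "deny"))
    policy.add_rule(Rule("10.1.2.0/24", "0.0.0.0/0", "tcp", 443, "permit"))
    print("ACL number:", policy.acl_number)
    print("HTTPS from 10.1.2.5:", policy.evaluate("10.1.2.5", "203.0.113.7", "tcp", 443))
    print("shadowed rule indices:", policy.shadowed_rules())
    policy.move_rule(1, 0)                      # put the specific permit first
    print("after reordering:", policy.evaluate("10.1.2.5", "203.0.113.7", "tcp", 443))
```

Running the sample shows the permit rule being shadowed (the broad deny created first wins) until it is moved ahead of the deny, which is exactly the manual reordering the page describes; the ACL number for the pair is 6000 and is released when the last rule is removed, and the next policy created afterwards gets 6001.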

Interzone policies support the ACL acceleration feature, which speeds up the matching process of the last rule of an ACL with a large number of rules, improving the forwarding performance and connection setup performance of the device.

Configuring an Interzone Policy

Configuration Task List

NOTE:

Before configuring an interzone policy, be sure to configure the zones. For configuration information about zones, see Zone Configuration.
