Firewall Policy - Zones

Infotech22 · ‎11-30-2023

Hello forum,

Can somebody give me an example of using Zones if we are going to use Granular policies.
We will restrict the access as much as we can with our traffic.
Example would be:

Clients to DC - Only LDAP, HTTPS etc
Clients to Servers - Only RDP etc

I can't see any difference in managing all of them since we are going to have a lot of policies.
What is different with using Zones over Interfaces. I don't see any advatages in our case.
This is our current without zones:

How it can be more managable if we are using zones if we need to do a granular permissions for everything.
Each VLAN, each service, ports etc

Toshi_Esumi · ‎11-30-2023

As @adambomb1219 mentioned, a zone is a collection of interfaces. In your case all of your policies are from/to NOV_Clients to/from NOV_DMZ. So nothing to be bound together.
If the servers in NOV_DMZ are separated by mutipul VLANs, those VLANs are separate interfaces and you might want to bind them together as a zone. But I don't see much reason to do that if those policies need to be set up "by hosts".

Zones are useful like when you have a primary internet circuit and a seconday with a failover mechanism. Because the usage between them are the same so you can apply the same set of policies. Then it would make sense to have a zone "Internet" to have both circuits then set just one set of polices.

In other words, when you started seeing exactly the same policies but only src or dst interface is different a lot, it's the time you should consider binding them into a zone.

Toshi

View solution in original post

adambomb1219 · ‎11-30-2023

If you need granular permissions per VLAN, service, etc then don't use zones. Why do you want to use zones?

Zones are used when you have "similar" interfaces. Like for example, you have three subnets for your data center and you want the same policies to apply to each of the three VLANs equally, you place those three interfaces into a "DC Zone".

Infotech22 · ‎11-30-2023

Hello,

It was recommendation by the external partner, that it will be much easier but as I mention I dont see a benefit if we need granular permissions.
It will be the same. Even from internal to external its different so there is no much same policies to apply to few subnets

Toshi_Esumi · ‎11-30-2023

As @adambomb1219 mentioned, a zone is a collection of interfaces. In your case all of your policies are from/to NOV_Clients to/from NOV_DMZ. So nothing to be bound together.
If the servers in NOV_DMZ are separated by mutipul VLANs, those VLANs are separate interfaces and you might want to bind them together as a zone. But I don't see much reason to do that if those policies need to be set up "by hosts".

Zones are useful like when you have a primary internet circuit and a seconday with a failover mechanism. Because the usage between them are the same so you can apply the same set of policies. Then it would make sense to have a zone "Internet" to have both circuits then set just one set of polices.

In other words, when you started seeing exactly the same policies but only src or dst interface is different a lot, it's the time you should consider binding them into a zone.

Toshi

Infotech22 · ‎11-30-2023

Yes, thank you for the reply.

In our case then Zones are not a benefit.
This screenshot was only few policies there are a lot more of them, tottally different so I don't have some similar interfaces etc since for each vlan and inter-vlan connection I will need different services, security profiles etc.