| Security Zone Setting | Description |
| --- | --- |
| Name | Enter a zone name (up to 31 characters). This name appears in the list of zones when defining security policies and configuring interfaces. The name is case-sensitive and must be unique within the virtual router. Use only letters, numbers, spaces, hyphens, periods, and underscores. |
| Location | This field is present only if the firewall supports multiple virtual systems (vsys) and that capability is enabled. Select the vsys to which this zone applies. |
| Type | Select a zone type (Tap, Virtual Wire, Layer2, Layer3, or External) to view all the Interfaces of that type that have not been assigned to a zone. The Layer 2 and Layer 3 zone types list all Ethernet interfaces and subinterfaces of that type. Add the interfaces that you want to assign to the zone. The External zone is used to control traffic between multiple virtual systems on a single firewall. It displays only on firewalls that support multiple virtual systems and only if the Multi Virtual System Capability is enabled. For information on external zones, see Inter-VSYS Traffic that Remains Within the Firewall. An interface can belong to only one zone in one virtual system. |
| Service Profile Zone for NSX | (VM-Series NSX edition firewalls only) On Panorama, select this option to create one or more zones within a template that is used to deploy the VM-Series NSX edition firewall. When you select this option, Panorama automatically generates a pair of subinterfaces configured in a virtual wire and then pushes the pair to the VM-Series firewalls included in the template. On a Panorama commit, this zone becomes available as a service profile on the NSX Manager. You can use the service profile on the NSX Manager user interface to redirect traffic to the VM-Series firewalls that are configured with this zone. Before you select Service Profile Zone for NSX, make sure you select the correct template in the Template drop-down. The template name must match the name you specified in the VMware Service Definitions (Panorama > VMware Service Manager). The virtual wire subinterfaces that are automatically created are not displayed under Network > Interfaces on the VM-Series firewall or on Panorama. You cannot manually select or assign the interfaces to the Service Profile Zone for NSX. Panorama creates a pair of subinterfaces that are configured in a virtual wire and assigns them to the zone. To enforce policy, you must use the same zone name as the source zone and the destination zone in a security policy prerule on Panorama. For more information, see Set Up the VM-Series NSX Edition Firewall. |
| Interfaces | Add one or more interfaces to this zone. |
| Zone Protection Profiles | Select a profile that specifies how the security gateway responds to attacks from this zone. To create a new profile, refer to Network > Network Profiles > Zone Protection. |
| Log Setting | Select a Log Forwarding profile for forwarding zone protection logs to an external system. If you have a Log Forwarding profile named default, that profile is automatically selected in this drop-down when you define a new security zone. You can override this default at any time by selecting a different Log Forwarding profile when setting up a new security zone. To define or add a new Log Forwarding profile (and to name a profile default so that this drop-down is populated automatically), click New (refer to Objects > Log Forwarding). If you are configuring the zone in a Panorama template, the Log Setting drop-down lists only shared Log Forwarding profiles; to specify a non-shared profile, you must type its name. |
| Enable User Identification | If you configured User-ID™ to perform IP address-to-username mapping (discovery), select this option to apply the mapping information to traffic in this zone. If you disable this option, firewall logs, reports, and policies will exclude user mapping information for traffic within the zone. By default, if you select this option, the firewall applies user mapping information to the traffic of all subnetworks in the zone. To limit the information to specific subnetworks within the zone, use the Include List and Exclude List. User-ID performs discovery for the zone only if it falls within the network range that User-ID monitors. If the zone is outside that range, the firewall does not apply user mapping information to the zone traffic even if you select Enable User Identification. For details, see Define Subnetworks to Include/Exclude for User Mapping. Enable User-ID on trusted zones only. If you enable User-ID and client probing on an external untrusted zone (such as the internet), probes could be sent outside your protected network, resulting in an information disclosure of the User-ID agent service account name, domain name, and encrypted password hash, which could allow an attacker to gain unauthorized access to protected resources. |
| User Identification ACL Include List | By default, if you do not specify subnetworks in this list, the firewall applies the user mapping information it discovers to all the traffic of this zone for use in logs, reports, and policies. To limit the application of user mapping information to specific subnetworks within the zone, for each subnetwork click Add and select an address (or address group) object or type the IP address range (for example, 10.1.1.1/24). The exclusion of all other subnetworks is implicit; you do not need to add them to the Exclude List. Add entries to the Exclude List only to exclude user mapping information for a subset of the subnetworks in the Include List. For example, if you add 10.0.0.0/8 to the Include List and add 10.2.50.0/22 to the Exclude List, the firewall includes user mapping information for all the zone subnetworks of 10.0.0.0/8 except 10.2.50.0/22, and excludes information for all zone subnetworks outside of 10.0.0.0/8. Note that you can only include subnetworks that fall within the network range that User-ID monitors. For details, see Define Subnetworks to Include/Exclude for User Mapping. |
| User Identification ACL Exclude List | To exclude user mapping information for a subset of the subnetworks in the Include List, for each subnetwork to exclude, click Add and select an address (or address group) object or type the IP address range. If you add entries to the Exclude List but not the Include List, the firewall excludes user mapping information for all subnetworks within the zone, not just the subnetworks you added. |
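To make the interaction between the User Identification ACL Include List and Exclude List concrete, here is a small Python model (added here; it is not PAN-OS code and not from this documentation) of the decision rules both rows describe, including the exclude-only edge case. The function names and the host addresses tested are assumptions; the prefixes 10.0.0.0/8 and 10.2.50.0/22 are the page's own example.

```python
from ipaddress import ip_address, ip_network
from typing import Iterable


def _parse(prefixes: Iterable[str]):
    # strict=False masks host bits, so the page's own examples such as
    # 10.1.1.1/24 and 10.2.50.0/22 are accepted as their containing blocks
    return [ip_network(p, strict=False) for p in prefixes]


def _in_any(ip, networks) -> bool:
    """True if ip falls inside at least one of the networks."""
    return any(ip in net for net in networks)


def applies_user_mapping(src_ip: str, enable_user_id: bool,
                         include: Iterable[str] = (),
                         exclude: Iterable[str] = ()) -> bool:
    """Return True when the zone settings would attach User-ID mapping to
    traffic from src_ip (constructed model, not PAN-OS code).

    Rules modelled, in order:
      1. Enable User Identification off -> no mapping for the zone.
      2. Empty Include List -> the whole zone is included, unless an
         Exclude List exists on its own, which excludes every subnetwork.
      3. Include List present -> everything outside it is implicitly
         excluded, and the Exclude List removes a subset of what is included.
    """
    if not enable_user_id:
        return False
    ip = ip_address(src_ip)
    inc, exc = _parse(include), _parse(exclude)
    if not inc:
        # Documented edge case: an Exclude List without an Include List
        # excludes all subnetworks in the zone, not only the listed ones.
        return not exc
    if not _in_any(ip, inc):
        return False
    return not _in_any(ip, exc)


# Worked example from the page: include 10.0.0.0/8, exclude 10.2.50.0/22.
PAGE_INCLUDE = ["10.0.0.0/8"]
PAGE_EXCLUDE = ["10.2.50.0/22"]

if __name__ == "__main__":
    for host in ("10.1.1.5", "10.2.51.7", "10.2.52.1", "192.168.1.1"):
        print(host, applies_user_mapping(host, True, PAGE_INCLUDE, PAGE_EXCLUDE))
```

The model deliberately ignores whether the zone lies within the range User-ID monitors, which the page treats as a separate prerequisite for discovery.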