Building Blocks of Security Zones
To define a security zone, click
Addand specify the following information.
Security Zone Settings
Enter a zone name (up to 31 characters). This name appears in the list of zones when defining security policies and configuring interfaces. The name is case-sensitive and must be unique within the virtual router. Use only letters, numbers, spaces, hyphens, periods, and underscores.
This field is present only if the firewall supports multiple virtual systems (vsys) and that capability is enabled. Select the vsys to which this zone applies.
Select a zone type (
Tunnel) to view all the
Interfacesof that type that have not been assigned to a zone. The Layer 2 and Layer 3 zone types list all Ethernet interfaces and subinterfaces of that type.
Addthe interfaces that you want to assign to the zone.
The External zone is used to control traffic between multiple virtual systems on a single firewall. It displays only on firewalls that support multiple virtual systems and only if the
Multi Virtual System Capabilityis enabled. For information on external zones see, Inter-VSYS Traffic That Remains Within the Firewall.
An interface can belong to only one zone in one virtual system.
Add one or more interfaces to this zone.
Zone Protection Profiles
Enable Packet Buffer Protection
If you have configured Packet Buffer Protection, select to apply the packet buffer protection settings, configured under Device > Setup > Session, to this zone (disabled by default). Packet buffer protection is applied to the ingress zone only.
Select a Log Forwarding profile for forwarding zone protection logs to an external system.
If you have a Log Forwarding profile named default, that profile will be automatically selected for this drop-down when defining a new security zone. You can override this default setting at any time by continuing to select a different Log Forwarding profile when setting up a new security zone. To define or add a new Log Forwarding profile (and to name a profile default so that this drop-down is populated automatically), click
New(refer to Objects > Log Forwarding).
If you are configuring the zone in a Panorama template, the
Log Settingdrop-down lists only shared Log Forwarding profiles; to specify a non-shared profile, you must type its name.
Enable User Identification
If you configured User-ID™ to perform IP address-to-username mapping (discovery), select to apply the mapping information to traffic in this zone. If you disable this option, firewall logs, reports, and policies will exclude user mapping information for traffic within the zone.
By default, if you select this option, the firewall applies user mapping information to the traffic of all subnetworks in the zone. To limit the information to specific subnetworks within the zone, use the
Enable User-ID on trusted zones only. If you enable User-ID and client probing on an external untrusted zone (such as the internet), probes could be sent outside your protected network, resulting in an information disclosure of the User-ID agent service account name, domain name, and encrypted password hash, which could allow an attacker to gain unauthorized access to protected resources.
User-ID performs discovery for the zone only if it falls within the network range that User-ID monitors. If the zone is outside that range, the firewall does not apply user mapping information to the zone traffic even if you select
Enable User Identification. For details, see Include or Exclude Subnetworks for User Mapping.
User Identification ACL Include List
By default, if you do not specify subnetworks in this list, the firewall applies the user mapping information it discovers to all the traffic of this zone for use in logs, reports, and policies.
To limit the application of user mapping information to specific subnetworks within the zone, then for each subnetwork click
Addand select an address (or address group) object or type the IP address range (for example, 10.1.1.1/24). The exclusion of all other subnetworks is implicit: you do not need to add them to the
Add entries to the
Exclude Listonly to exclude user mapping information for a subset of the subnetworks in the
Include List. For example, if you add 10.0.0.0/8 to the
Include Listand add 10.2.50.0/22 to the
Exclude List, the firewall includes user mapping information for all the zone subnetworks of 10.0.0.0/8 except 10.2.50.0/22, and excludes information for all zone subnetworks outside of 10.0.0.0/8.
User Identification ACL Exclude List
To exclude user mapping information for a subset of the subnetworks in the
Addan address (or address group) object or type the IP address range for each subnetwork to exclude.
If you add entries to the
Exclude Listbut not the
Include List, the firewall excludes user mapping information for all subnetworks within the zone, not just the subnetworks you added.