Add Security Zones for Stacked Security Policies

Learn how to create security zones for stacked security policies.
Security Zones specify enforcement boundaries where traffic is subject to inspection and filtering. Each security zone maps to networks attached to physical interfaces, logical interfaces, or sub-interfaces of a device. These zone-level interfaces serve as a proxy for physical circuits and virtual circuits, such as VLAN, Layer 3 VPN, and Layer 2 VPN circuits.
You can manage and secure every interface in a zone independently.
  • Allow or deny every interface in zone access to other zones within an enterprise network.
  • Segregate interface traffic by blocking all access not explicitly allowed by the security policies of an enterprise.
  • Isolate networks that have private or secure information by restricting access to it from public networks.
An area includes source and destination zones with network IDs for a site and is associated with one or more WAN, LAN, or VPN. Attach a zone to multiple networks, but each network type LAN, WAN, or VPN would be connected to one location. Typically, most organizations create three to four zones to segregate traffic using the model’s guest zone, one or more corporate LAN zones, an outside zone for internet underlay, and a corporate WAN zone for private WAN and VPN over the internet or private WAN.
Policy rules use zones in the form of Source Zones or Destination Zones. In Security Policy rules, specify the source and destination zones to which the rule applies. You must establish one or more source and destination zones for each security rule to configure. The source zone identifies the network from where traffic originates and the destination zone identifies the destination traffic of the network.
Add security zones from
Stacked Policies
  1. Select
    Stacked Policies
    Security Zones
    Add Security Zone
  2. On the
    Add Security Zone
    screen, enter a
    for the security zone and an optional description.
  3. Click
    to create a security zone.
    You must bind a zone to a site or a device interface(s) for policy rules to be effective.

Recommended For You