F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Access Control Configuration Guide-6PW100

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module

101

102

103

104

105

106

107

108

109

110

Ste

Command

Remarks

1. Enter system view. system-view N/A

2. Enter VD system view.

switchto vd vd-name Required for a VD.

3. Create an interzone

instance and enter

interzone instance view.

interzone source souce-zone-name

destination destination-zone-name

By default, no interzone instance exists.

4. Create an interzone

policy rule and its view.

rule [ rule-id ] { deny | permit }

[ content-filter

policy-template-name | logging |

time-range time-range-name ] *

By default, no interzone policy rule

exists in an interzone instance.

NOTE:

The content filtering policy referenced in

an interzone policy from another

security zone to the local security zone

does not take effect.

The member ports of the management zone are management interfaces of the device. HP does not

recommend configuring an interzone policy whose source or destination zone is the management zone.

When you specify a security zone belonging to another VD as the destination zone, you must input the

security name in the format of vd-name-zone-id, for example, test-2, where test is the VD name and 2 is

the security zone name.

For more information about the switchto and interzone commands, see System Management and

Maintenance Command Reference and "Configuring security zones."

322BReferencing objects in an interzone policy rule

CAUTION:

n interzone policy rule does not take effect until you enable it. Before enablin

an interzone policy rule,

make sure the rule has referenced at least one source IP object, one destination IP object, and one service

object.

You can reference the following objects in an interzone policy rule:

• Source IP object—Matches the source IP address of packets.

• Destination IP object—Matches the destination IP address of packets.

• Service object—Matches the service type carried in packets.

• Source MAC object—Matches the source MAC address of packets.

• Destination MAC object—Matches the destination MAC address of packets.

For information about these types of objects, see "Configuring address resources" and "Configuring

service resources".

To reference an object in an interzone policy rule:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Enter VD system view.

switchto vd vd-name Required for a VD.

3. Enter interzone

instance view.

interzone source souce-zone-name

destination destination-zone-name

N/A