F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Access Control Configuration Guide-6PW100

Enabling the share attribute of a security zone
A security zone with its share attribute enabled can be used by other VDs' interzone instances as the
destination security zone. A security zone with its share attribute disabled can only be used by an
interzone instance of its native VD.
To enable the share attribute of a security zone:
Step / Command / Remarks
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter VD system view.
   Command: switchto vd vd-name
   Remarks: Required for a security zone of a non-default VD.
3. Enter security zone view.
   Command: zone name zone-name [ id zone-id ]
   Remarks: N/A
4. Enable the share attribute of the security zone.
   Command: share enable
   Remarks: By default, the share attribute of a security zone is disabled, and only the native VD can use the security zone.
Adding interfaces to a security zone
After you add an interface to a security zone, packets entering or leaving the interface will be matched
against the security policies for the security zone and processed accordingly.
To add an interface to a security zone:
Step / Command / Remarks
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter VD system view.
   Command: switchto vd vd-name
   Remarks: Required for a security zone of a non-default VD.
3. Enter security zone view.
   Command: zone name zone-name [ id zone-id ]
   Remarks: N/A
4. Add an interface to the security zone.
   Command: import interface interface-type interface-number [ vlan vlan-id ]
   Remarks: By default, interface GigabitEthernet 0/0 belongs to the Management zone.
To add a Layer 3 Ethernet interface to a security zone, specify only the interface type and number. You
can add multiple Layer 3 interfaces to a security zone. Make sure the Layer 3 interfaces to be added and
the security zone belong to the same VD. For more information about assigning an interface to a VD, see
System Management and Maintenance Configuration Guide.
To add a Layer 2 Ethernet interface to a security zone, specify both the interface type and number and
the VLANs to which the interface belongs. You can add the same Layer 2 interface with different native
VLANs to the same security zone. Make sure the VLANs and the security zone belong to the same VD.
For more information about assigning a VLAN to a VD, see System Management and Maintenance
Configuration Guide.
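The two procedures above combined into one worked configuration, as an added example that is not taken from the guide: a zone in a non-default VD is made shareable so that other VDs' interzone instances can use it as a destination zone, then a Layer 3 interface and a Layer 2 interface (with its VLANs) are added to it. The VD name vd-tenantA, the zone name dmz, the interface numbers and the VLAN IDs are constructed placeholders; the interfaces and VLANs are assumed to already belong to vd-tenantA, and lines beginning with # are annotations, not commands.

```text
# Constructed example (not from the guide). Lines starting with '#' are annotations.
# Assumed: VD vd-tenantA exists; GigabitEthernet 0/1 is a Layer 3 interface,
# GigabitEthernet 0/2 is a Layer 2 interface, and VLANs 100 and 200 all belong to vd-tenantA.
system-view
switchto vd vd-tenantA

# Create (or enter) the zone and enable its share attribute. Keep the default
# (share disabled) on zones only this VD should use; enable it only where another
# VD's interzone instance must reference this zone as its destination zone.
zone name dmz
share enable

# Layer 3 interface: interface type and number only. Interface and zone must be
# in the same VD.
import interface GigabitEthernet 0/1

# Layer 2 interface: interface type/number plus the VLAN it belongs to. The same
# Layer 2 interface may be added again with a different native VLAN.
import interface GigabitEthernet 0/2 vlan 100
import interface GigabitEthernet 0/2 vlan 200
```

Because GigabitEthernet 0/0 is in the Management zone by default, it is not added here; moving it would change which security policies apply to management traffic.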
Creating an interzone instance
An interzone instance indicates the source zone and destination zone of a data flow to be monitored or
controlled by a security policy, such as an ASPF policy, interzone policy, or session logging policy. After
you apply a security policy to an interzone instance, the first packet of a data flow traveling from the