R3166-R3206-HP High-End Firewalls Access Control Configuration Guide-6PW101

If you deploy the WWW server and the FTP server on the external network, their security cannot be
ensured; if you deploy them on the internal network, unauthorized external users may exploit security
vulnerabilities to attack the internal network. Therefore, deploy the servers in the DMZ zone, whose
priority is between those of the Trust and Untrust zones, and connect Ethernet interface
GigabitEthernet 0/1 on Firewall to the servers. In this way, a server in the DMZ zone can access the
external network in the lower-priority Untrust zone, but when it accesses the internal network in the
higher-priority Trust zone, its access is controlled by the security rules.
Figure 14 Network diagram for configuring zones
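The access model described above, as an added Python sketch that is not part of the original guide or of the firewall's own logic. The numeric priorities, the `Rule` type, the sample rules and the deny-when-no-rule-matches behavior are assumptions made for illustration; only the zone ordering and the interface assignments come from this page.

```python
from dataclasses import dataclass

# Priority values are constructed; only the ordering
# Trust > DMZ > Untrust comes from the text.
ZONE_PRIORITY = {"Trust": 3, "DMZ": 2, "Untrust": 1}

# Interface-to-zone assignment from the configuration procedure.
INTERFACE_ZONE = {
    "GigabitEthernet 0/0": "Trust",
    "GigabitEthernet 0/1": "DMZ",
    "GigabitEthernet 0/2": "Untrust",
}


@dataclass(frozen=True)
class Rule:
    """Hypothetical security rule; the first matching rule wins."""
    src_zone: str
    dst_zone: str
    dst_port: int
    permit: bool


# Constructed rules: publish the DMZ WWW and FTP servers to the outside.
RULES = [
    Rule("Untrust", "DMZ", 80, True),
    Rule("Untrust", "DMZ", 21, True),
]


def decide(in_if, out_if, dst_port, rules):
    """Return (permitted, reason) for a new session between two interfaces."""
    try:
        src, dst = INTERFACE_ZONE[in_if], INTERFACE_ZONE[out_if]
    except KeyError as exc:
        # An interface that was never added to a zone cannot be classified.
        return False, f"interface {exc.args[0]} is not in any zone"
    if ZONE_PRIORITY[src] > ZONE_PRIORITY[dst]:
        return True, f"{src} -> {dst}: higher to lower priority"
    # Not higher-to-lower: the security rules decide.
    for rule in rules:
        if (rule.src_zone, rule.dst_zone, rule.dst_port) == (src, dst, dst_port):
            verdict = "permit" if rule.permit else "deny"
            return rule.permit, f"{src} -> {dst}: {verdict} by security rule"
    # Assumption: a session that matches no rule is denied.
    return False, f"{src} -> {dst}: no matching rule, denied"
```

With these constructed rules, a DMZ server can reach the Untrust side freely, while a session from the DMZ toward the Trust zone is refused until a rule explicitly permits it.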
Configuration procedure
By default, the system has created the Trust, DMZ and Untrust zones, and you only need to deploy them.
Step1 Deploy the Trust zone.
# Add interface GigabitEthernet 0/0 to the Trust zone.
Select Device Management > Zone from the navigation tree.
Click the icon of the Trust zone.
Select GigabitEthernet 0/0.
Leave the other items unchanged.
Click Apply.
Step2 Deploy the DMZ zone.
# Add interface GigabitEthernet 0/1 to the DMZ zone.
Select Device Management > Zone from the navigation tree.
Click the icon of the DMZ zone.
Select GigabitEthernet 0/1.
Leave the other items unchanged.
Click Apply.
Step3 Deploy the Untrust zone.
# Add interface GigabitEthernet 0/2 to the Untrust zone.