HP VPN Firewall Appliances Access Control Configuration Guide

Creating a security zone
When creating a security zone, you must specify a security zone name and a security zone ID; each must be unique on the device. To enter the view of an existing security zone, specify the security zone name, or specify both the security zone name and the security zone ID. If you specify both, make sure the two arguments identify the same security zone.
A security zone created in system view belongs to the default VD, and a security zone created in VD system view belongs to that non-default VD.
To create a security zone:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter VD system view.
    Command: switchto vd vd-name
    Remarks: Required if you want to create a security zone for a non-default VD.

Step 3. Create a security zone and enter security zone view.
    Command: zone name zone-name [ id zone-id ]
    Remarks: Optional. By default, a non-default VD has no security zones, and the default VD has five security zones: Management (ID = 0), Local (ID = 1), Trust (ID = 2), DMZ (ID = 3), and Untrust (ID = 4).
Setting the priority of a security zone
The priority of a security zone indicates its security level. The greater the priority value (the highest is 100), the higher the security level. Packets that match no interzone policy are permitted to travel from a higher-priority zone (except the Management zone) to a lower-priority zone, or between two zones of the same priority, but are denied from a lower-priority zone to a higher-priority zone. With the default priorities, for example, traffic from Trust (85) to Untrust (5) that matches no interzone policy is permitted, while traffic from Untrust to Trust is denied.
To set the priority of a security zone:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter VD system view.
    Command: switchto vd vd-name
    Remarks: Required for a security zone of a non-default VD.

Step 3. Enter security zone view.
    Command: zone name zone-name [ id zone-id ]
    Remarks: N/A

Step 4. Set the priority of the security zone.
    Command: priority priority-value
    Remarks: By default, the priority of a user-defined security zone is 1, and the priorities of the system-predefined security zones are: 100 for Management, 100 for Local, 85 for Trust, 50 for DMZ, and 5 for Untrust.
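The following is an added example, not code from the guide or from the firewall itself: a small Python model of the zone-creation and priority rules above, so that the edge cases (name/ID uniqueness per VD, the default priority of a user-defined zone, the implicit interzone permit rule and its Management-zone exception) can be exercised against the default zone table. It assumes two details the guide does not state: a zone created without an ID receives the lowest free ID, and the priority range is 1 to 100 (the guide only gives the maximum). It also reads the Management exception as applying only to the higher-to-lower case, so same-priority traffic between Management and Local is still implicitly permitted.

```python
"""Model of the security-zone rules in this section of the guide.

Example code added to this page; not the firewall's own implementation.
It mirrors 'zone name zone-name [ id zone-id ]', 'priority priority-value'
and the implicit interzone permit rule. Assumptions not stated in the guide:
a zone created without an ID gets the lowest free ID, and the priority
range is 1..100 (the guide only says the maximum is 100).
"""

from dataclasses import dataclass, field
from itertools import count


@dataclass
class Zone:
    name: str
    zone_id: int
    priority: int = 1  # default priority of a user-defined security zone


@dataclass
class VirtualDevice:
    """One VD with its own zone table; zone names and IDs are unique per VD."""
    name: str
    zones: dict = field(default_factory=dict)

    def zone(self, name, zone_id=None):
        """Enter an existing zone view, or create the zone if the name is new.

        If both name and ID are given for an existing zone they must identify
        the same zone; a new zone may not reuse an ID held by another zone.
        """
        existing = self.zones.get(name)
        if existing is not None:
            if zone_id is not None and zone_id != existing.zone_id:
                raise ValueError(
                    f"zone {name!r} has ID {existing.zone_id}, not {zone_id}")
            return existing
        used = {z.zone_id for z in self.zones.values()}
        if zone_id is None:
            zone_id = next(i for i in count() if i not in used)  # assumption
        elif zone_id in used:
            raise ValueError(f"zone ID {zone_id} already used in VD {self.name!r}")
        self.zones[name] = Zone(name, zone_id)
        return self.zones[name]

    def priority(self, name, value):
        """'priority priority-value' issued in the zone's view."""
        if not 1 <= value <= 100:  # lower bound assumed; 100 is the stated maximum
            raise ValueError("priority must be in 1..100")
        self.zone(name).priority = value

    def implicitly_permitted(self, src, dst):
        """Is traffic with no matching interzone policy allowed from src to dst?

        Higher -> lower priority: yes, unless it leaves Management.
        Equal priority: yes.  Lower -> higher priority: no.
        """
        s, d = self.zones[src], self.zones[dst]
        if s.priority == d.priority:
            return True
        if s.priority > d.priority:
            return s.name != "Management"
        return False


def default_vd():
    """The default VD with its five predefined zones, IDs and priorities."""
    vd = VirtualDevice("default")
    for name, zid, prio in [("Management", 0, 100), ("Local", 1, 100),
                            ("Trust", 2, 85), ("DMZ", 3, 50), ("Untrust", 4, 5)]:
        vd.zone(name, zid).priority = prio
    return vd


def try_zone(vd, name, zone_id=None):
    """Return the Zone, or the error text when the command would be rejected."""
    try:
        return vd.zone(name, zone_id)
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    vd = default_vd()
    vd.zone("Servers")              # user-defined zone: gets ID 5, priority 1
    vd.priority("Servers", 60)
    for src, dst in [("Trust", "Untrust"), ("Untrust", "Trust"),
                     ("Management", "Trust"), ("Management", "Local"),
                     ("Trust", "Servers"), ("Servers", "DMZ")]:
        print(f"{src:>10} -> {dst:<8} implicit permit: "
              f"{vd.implicitly_permitted(src, dst)}")
    print(try_zone(vd, "Servers", 6))  # name and ID disagree: rejected
```

Run as a script, the model permits Trust to Untrust, Trust to Servers and Servers to DMZ, denies Untrust to Trust and Management to Trust, and permits Management to Local because both sit at priority 100; the last line shows the name/ID mismatch being rejected, which is the check the first paragraph of this section asks you to perform yourself.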
Enabling the share attribute of a security zone
A security zone with the share attribute enabled can be used by interzone instances of other VDs as the destination security zone. A security zone with the share attribute disabled can be used only by interzone instances of the VD it belongs to.