HP VPN Firewall Appliances Access Control Configuration Guide
To enable the share attribute of a security zone:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter VD system view. | switchto vd vd-name | Required for a security zone of a non-default VD. |
| 3. Enter security zone view. | zone name zone-name [ id zone-id ] | N/A |
| 4. Enable the share attribute of the security zone. | share enable | By default, the share attribute of a security zone is disabled, and only the native VD can use the security zone. |
Adding interfaces to a security zone
After you add an interface to a security zone, packets entering or leaving the interface will be matched
against the security policies for the security zone and processed accordingly.
To add an interface to a security zone:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter VD system view. | switchto vd vd-name | Required for a security zone of a non-default VD. |
| 3. Enter security zone view. | zone name zone-name [ id zone-id ] | N/A |
| 4. Add an interface to the security zone. | import interface interface-type interface-number [ vlan vlan-id ] | By default, interface GigabitEthernet 0/0 belongs to the Management zone. |
To add a Layer 3 Ethernet interface to a security zone, specify only the interface type and number. You
can add multiple Layer 3 interfaces to a security zone. Make sure the Layer 3 interfaces to be added and
the security zone belong to the same VD. For more information about assigning an interface to a VD, see
System Management and Maintenance Configuration Guide.
To add a Layer 2 Ethernet interface to a security zone, specify both the interface type and number and
the VLANs to which the interface belongs. You can add the same Layer 2 interface with different native
VLANs to the same security zone. Make sure the VLANs and the security zone belong to the same VD.
For more information about assigning a VLAN to a VD, see System Management and Maintenance
Configuration Guide.
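The Layer 2, Layer 3, and VD rules above can be checked against a planned change before it reaches the device. The following Python code is an added example, not part of the HP guide: it walks a command script written in the command forms from the tables above, reports imports that break those rules, and lists zones that have the share attribute enabled. The inventory, the zone and VD names, the label "default" for the default VD, and the audit function are constructed assumptions.

```python
import re

# Constructed inventory (assumption): interface -> (layer, owning VD); VLAN -> owning VD.
INTERFACES = {
    "GigabitEthernet0/1": (3, "default"),
    "GigabitEthernet0/2": (2, "default"),
    "GigabitEthernet0/3": (3, "vd1"),
}
VLANS = {10: "default", 20: "vd1"}

# Constructed command script; lines the audit does not recognize are ignored.
SCRIPT = """
system-view
zone name Trust id 2
import interface GigabitEthernet 0/1
import interface GigabitEthernet 0/2
import interface GigabitEthernet 0/3
import interface GigabitEthernet 0/2 vlan 20
quit
switchto vd vd1
zone name Partner
share enable
import interface GigabitEthernet 0/3
"""

IMPORT = re.compile(r"import interface (\S+) (\S+)(?: vlan (\d+))?$")

def audit(script, interfaces=INTERFACES, vlans=VLANS):
    """Return (findings, shared_zones) for a sequence of zone commands."""
    vd, zone, findings, shared = "default", None, [], []
    for line in filter(None, map(str.strip, script.splitlines())):
        if line.startswith("switchto vd "):
            vd, zone = line.split()[2], None      # new VD context, no zone yet
        elif line.startswith("zone name "):
            zone = line.split()[2]
        elif line == "share enable" and zone:
            shared.append((vd, zone))             # zone usable by other VDs
        elif (m := IMPORT.match(line)) and zone:
            name, vlan = m.group(1) + m.group(2), m.group(3)
            layer, if_vd = interfaces.get(name, (None, None))
            if layer is None:
                findings.append(f"{zone}: {name} is not in the inventory")
            elif layer == 3 and vlan:
                findings.append(f"{zone}: Layer 3 {name} takes no VLAN")
            elif layer == 3 and if_vd != vd:
                findings.append(f"{zone}: {name} belongs to VD {if_vd}, zone to {vd}")
            elif layer == 2 and not vlan:
                findings.append(f"{zone}: Layer 2 {name} needs a VLAN")
            elif layer == 2 and vlans.get(int(vlan)) != vd:
                findings.append(f"{zone}: VLAN {vlan} is not in VD {vd}")
    return findings, shared
```

Review each entry in the returned shared-zone list, because a zone with the share attribute enabled is no longer limited to its native VD.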
Creating an interzone instance
An interzone instance indicates the source zone and destination zone of a data flow to be monitored or
controlled by a security policy, such as an ASPF policy, interzone policy, or session logging policy. After
you apply a security policy to an interzone instance, the first packet of a data flow traveling from the
source zone to the destination zone will be checked and processed according to the security policy. For
more information about ASPF policies, interzone policies, and session logging, see Attack Protection
Configuration Guide and Access Control Configuration Guide.