HP VPN Firewall Appliances Access Control Configuration Guide
The destination zone of an interzone instance must either belong to the same VD as the source zone or have its share attribute enabled. To use a security zone from a different VD than the source zone as the destination zone, enter the zone name in the format vd-name-zone-id. For example, to specify zone 2 of VD test as the destination zone, enter test-2.
To create an interzone instance:

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter VD system view. | switchto vd vd-name | Required for a security zone of a non-default VD. |
| 3. Create an interzone instance and enter interzone instance view. | interzone source source-zone-name destination destination-zone-name | By default, no interzone instance exists. |
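The following CLI session is an added example and not part of the guide; it walks through the three steps above for a non-default VD. The VD name corp and the assumption that zones named Trust and Untrust exist in it are hypothetical; VD test and its zone 2 come from the format example above, and the cross-VD step succeeds only if that zone's share attribute has been enabled.

```text
# Added example, not from the guide. Assumed: a non-default VD named "corp"
# containing zones Trust and Untrust; a second VD "test" whose zone 2 has
# its share attribute enabled so that other VDs may reference it.

# Step 1: enter system view.
system-view

# Step 2: enter VD system view. This step is required here because the
# source zone belongs to a non-default VD (corp).
switchto vd corp

# Step 3a: both zones belong to VD corp, so plain zone names are used.
interzone source Trust destination Untrust
quit

# Step 3b: the destination zone belongs to VD test, so it is written in the
# vd-name-zone-id form (test-2). If zone 2 of VD test does not have its share
# attribute enabled, the destination zone is not accepted.
interzone source Trust destination test-2
quit
```

Each interzone instance is defined by one source zone and one destination zone, so the pair of commands above produces two separate instances, each of which can then be configured in its own interzone instance view.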
Security zone configuration example
Network requirements
As shown in Figure 25, a company deploys a firewall to connect its internal network to the Internet, and
needs to provide WWW service and FTP service for external users.
Configure the firewall so that:
• Internal users can access the WWW and FTP servers and the Internet.
• External users can only access the servers.
Figure 25 Network diagram
Configuration considerations
Three security zones are needed: one for the internal users, one for the servers, and one for the external users, listed in order of priority from high to low. The default zones Trust, DMZ, and Untrust meet these requirements.
To achieve the goal, configure the firewall as follows:
• Add the interface connected to the internal network (GigabitEthernet 0/0) to security zone Trust.
• Add the interface connected to the Internet (GigabitEthernet 0/2) to security zone Untrust.