HP VPN Firewall Appliances Access Control Configuration Guide
Configuring an interzone policy
Overview
An interzone policy is a set of policy rules or IPv4 advanced ACLs that implements security control over packets between a source and a destination security zone. These two zones define an interzone instance. The interzone policy matches the first packet of a traffic flow against the rules or ACLs. If a match is found, the device stops the match process and applies the action defined in the matching rule to that packet and to all subsequent packets of the flow. For more information about interzone instance and security zone configuration, see "Configuring security zones."
You can implement an interzone policy either by directly configuring interzone policy rules or by referencing IPv4 advanced ACLs. The two methods are mutually exclusive for the same interzone instance.
Interzone policy rule
When you configure an interzone policy by directly configuring policy rules to identify traffic, you must configure at least one rule.
Numbering interzone policy rules
An interzone policy can contain multiple rules. Each rule is uniquely identified by its number, which you can configure manually or let the system assign automatically when you create the rule. When the system assigns a number automatically, it assigns the existing maximum rule number in the interzone policy plus 1. If that value exceeds the upper limit (65534), the system assigns the smallest unused rule number instead.
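As an added illustration that is not from the HP guide, the following Python model implements the two behaviours described above: automatic rule numbering (maximum plus 1, falling back to the smallest unused number once 65534 would be exceeded) and first-packet matching with the resulting action cached for the rest of the flow. The rule fields, the flow key, ascending-number match order and the default action when no rule matches are assumptions made for the illustration.

```python
# Added illustration, not HP code: models interzone policy rule numbering and
# first-packet matching as described in the guide. Rule fields, the flow key,
# ascending-number match order and the default action are assumptions.
from ipaddress import ip_address, ip_network

MAX_RULE_NUMBER = 65534  # upper limit for rule numbers stated in the guide


class InterzonePolicy:
    def __init__(self):
        self.rules = {}       # rule number -> (src_net, dst_net, action)
        self.flow_table = {}  # (src, dst, dport) -> action cached from the first packet

    def next_rule_number(self):
        """Auto-assign: existing maximum + 1; if that exceeds the limit, smallest unused."""
        candidate = max(self.rules, default=0) + 1  # empty policy starts at 1 (assumption)
        if candidate <= MAX_RULE_NUMBER:
            return candidate
        # Wrap around: smallest unused number, or None when every number is taken
        return next((n for n in range(1, MAX_RULE_NUMBER + 1) if n not in self.rules), None)

    def add_rule(self, src, dst, action, number=None):
        """Add a rule with a manual number, or let the policy assign one."""
        if number is None:
            number = self.next_rule_number()
        self.rules[number] = (ip_network(src), ip_network(dst), action)
        return number

    def match(self, src, dst, dport):
        """Return the action for a packet; only a flow's first packet walks the rules."""
        key = (src, dst, dport)
        if key in self.flow_table:
            return self.flow_table[key]          # subsequent packet: reuse cached action
        action = "deny"                          # assumed default when nothing matches
        for number in sorted(self.rules):        # assumed ascending-number match order
            src_net, dst_net, rule_action = self.rules[number]
            if ip_address(src) in src_net and ip_address(dst) in dst_net:
                action = rule_action             # first match wins; stop searching
                break
        self.flow_table[key] = action
        return action
```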
Match order of interzone policy rules
You can also configure an interzone policy by configuring an interzone policy group. An IPv4 interzone policy group references one or more IPv4 advanced ACLs. The rich match criteria of ACLs greatly enhance the functions of the interzone policy.
When an interzone policy references multiple ACLs, packets of the interzone instance are matched against the ACLs in the order in which the ACLs are displayed:
• In the Web interface, the ACL displayed first is matched first. Generally, ACLs are displayed in the order they are configured, so the first configured ACL is displayed first.
• At the CLI, ACLs are matched in the order in which they appear in the output of the display this command in interzone instance view.
Interzone policy group
To configure an interzone policy group, reference one or more existing IPv4 basic and advanced ACLs in the policy. The rich match criteria of ACLs dramatically enhance the functions of the interzone policy.
• In the Web interface, the ACL displayed first is matched first. ACLs are displayed in the order they are added, so the first added ACL is displayed first.