HP VPN Firewall Appliances Access Control Configuration Guide

Creating an interzone policy rule

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter VD system view.
   Command: switchto vd vd-name
   Remarks: Required for a VD.

3. Create an interzone instance and enter interzone instance view.
   Command: interzone source source-zone-name destination destination-zone-name
   Remarks: By default, no interzone instance exists.

4. Create an interzone policy rule and its view.
   Command: rule [ rule-id ] { deny | permit } [ content-filter policy-template-name | logging | time-range time-range-name ] *
   Remarks: By default, no interzone policy rule exists in an interzone instance.
NOTE:
The content filtering policy referenced in an interzone policy from another security zone to the local security zone does not take effect.
The member ports of the management zone are management interfaces of the device. HP recommends not configuring an interzone policy whose source or destination zone is the management zone.
When you specify a security zone belonging to another VD as the destination zone, you must input the security zone name in the format of vd-name-zone-id, for example, test-2, where test is the VD name and 2 is the security zone name.
For more information about the switchto and interzone commands, see System Management and Maintenance Command Reference and "Configuring security zones."
Referencing objects in an interzone policy rule

CAUTION:
An interzone policy rule does not take effect until you enable it. Before enabling an interzone policy rule, make sure the rule has referenced at least one source IP object, one destination IP object, and one service object.
You can reference the following objects in an interzone policy rule:
Source IP object—Matches the source IP address of packets.
Destination IP object—Matches the destination IP address of packets.
Service object—Matches the service type carried in packets.
Source MAC object—Matches the source MAC address of packets.
Destination MAC object—Matches the destination MAC address of packets.
For information about these types of objects, see "Configuring address resources" and "Configuring
service resources".
To reference an object in an interzone policy rule:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter VD system view.
   Command: switchto vd vd-name
   Remarks: Required for a VD.

3. Enter interzone instance view.
   Command: interzone source source-zone-name destination destination-zone-name
   Remarks: N/A
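The caution above (a rule is inert until enabled, and must reference a source IP, destination IP and service object first) and the note about the management zone and the local-zone content filter are easy to violate when a policy is edited by hand. The following Python script is an added example, not part of the HP guide and not an HP tool: it parses a constructed configuration snippet written in the interzone and rule syntax shown on this page and reports rules that break those caveats. The rule-view keywords it looks for (source-ip, destination-ip, service, source-mac, destination-mac and rule enable) are assumptions, since this page shows only the interzone and rule commands; the zone names, object names and the whole snippet are constructed for the illustration.

```python
import re

# Rule-view keywords assumed for this illustration: the guide page shows the
# interzone and rule commands but not the object-reference or enable commands.
OBJECT_KEYWORDS = ("source-ip", "destination-ip", "service", "source-mac", "destination-mac")
REQUIRED_OBJECTS = ("source-ip", "destination-ip", "service")
ENABLE_COMMAND = "rule enable"

# Constructed configuration snippet (not taken from the guide) in the command
# syntax the page describes. Zone and object names are invented.
SAMPLE_CONFIG = """\
#
interzone source trust destination untrust
 rule 1 permit logging
  source-ip inside-hosts
  destination-ip any-ip
  service http
  rule enable
 rule 2 deny
  source-ip inside-hosts
  rule enable
#
interzone source management destination trust
 rule 1 permit
  source-ip mgmt-hosts
  destination-ip any-ip
  service ssh
  rule enable
#
interzone source untrust destination local
 rule 1 permit content-filter web-policy
  source-ip any-ip
  destination-ip fw-self
  service http
  rule enable
"""

INTERZONE_RE = re.compile(r"interzone source (\S+) destination (\S+)$")
RULE_RE = re.compile(r"rule (\d+) (deny|permit)(.*)$")


def parse_interzone_config(text):
    """Return one dict per interzone policy rule found in running-config-style text."""
    rules, zone, rule = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        m = INTERZONE_RE.match(line)
        if m:
            # A new interzone instance: remember the zone pair, leave rule view.
            zone, rule = (m.group(1), m.group(2)), None
            continue
        m = RULE_RE.match(line)
        if m and zone is not None:
            options = m.group(3)
            cf = re.search(r"content-filter (\S+)", options)
            rule = {
                "zone": zone,
                "id": int(m.group(1)),
                "action": m.group(2),
                "content_filter": cf.group(1) if cf else None,
                "objects": {k: [] for k in OBJECT_KEYWORDS},
                "enabled": False,
            }
            rules.append(rule)
            continue
        if rule is None:
            continue
        if line == ENABLE_COMMAND:
            rule["enabled"] = True
            continue
        parts = line.split()
        if len(parts) == 2 and parts[0] in OBJECT_KEYWORDS:
            rule["objects"][parts[0]].append(parts[1])
    return rules


def lint_rules(rules, local_zone="local"):
    """Apply the guide's caveats to parsed rules and return a list of findings."""
    findings = []
    for r in rules:
        src, dst = r["zone"]
        tag = f"interzone {src}->{dst} rule {r['id']}"
        missing = [k for k in REQUIRED_OBJECTS if not r["objects"][k]]
        if r["enabled"] and missing:
            findings.append(f"{tag}: enabled without {', '.join(missing)} object(s); the rule will not take effect")
        if "management" in (src.lower(), dst.lower()):
            findings.append(f"{tag}: uses the management zone as source or destination (not recommended)")
        if r["content_filter"] and dst.lower() == local_zone:
            findings.append(f"{tag}: content filter '{r['content_filter']}' does not take effect for traffic to the local zone")
    return findings


def lint_config(text):
    """Parse and lint a configuration text in one call."""
    return lint_rules(parse_interzone_config(text))


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed snippet, the script reports three findings: the trust-to-untrust rule 2 enabled without destination IP and service objects, the policy that uses the management zone, and the content filter on the untrust-to-local rule. A rule that is still disabled produces no finding, which matches the guide's point that the object-reference requirement matters at the moment the rule is enabled.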