Setting Multiple Interfaces to a Single Zone

Operation confirmed version:
 Brocade 5600vRouter Version 4.2R1S1
This section describes the settings needed to use the Zone-Based Firewall.

What is a Zone-Based Firewall?

With a zone-based firewall, a logical area called a "zone" is created and one or more interfaces are placed in it.
A policy is then defined for traffic passing from one zone to another zone.
Because the policy is attached to the zone pair, the same policy applies to every member of the zone (e.g., a network or a group of terminals) without having to design and configure a separate policy for each interface.

Note

Once a zone has been created, the default behaviour is to reject traffic arriving from other zones unless it is explicitly accepted. The operation-confirmed setting examples below therefore include explicit accept/reject settings.

Creation of a zone and linkage of multiple interfaces

Create two zones to use the Zone-Based Firewall function.
Assign the firewall's interfaces to a zone so that each interface belongs to one of the zones.
Assign multiple interfaces to a single zone.
Configuration diagram
[Figure: Zone Fig2]

Setting flow

  1. Create zone z1
  2. Link interface dp0s4 to the created zone z1
  3. Link interface dp0s5 to the created zone z1
  4. Create zone z2
  5. Link interface dp0s6 to the created zone z2
  6. Link interface dp0s7 to the created zone z2

Note

An interface can belong to only one zone.

Note

Once an interface has been linked to a zone for use with the Zone-Based Firewall function, a firewall policy can no longer be applied directly to that interface.

Command to be entered with CLI

set security firewall name all_accept default-action 'accept'
set security zone-policy zone z1 interface 'dp0s4'
set security zone-policy zone z1 interface 'dp0s5'
set security zone-policy zone z1 to z2 firewall 'all_accept'
set security zone-policy zone z2 interface 'dp0s6'
set security zone-policy zone z2 interface 'dp0s7'
set security zone-policy zone z2 to z1 firewall 'all_accept'

Note

To apply (commit) the configuration above, an inter-zone policy must be set; the commit is not possible until a policy between the zones has been applied. For the sake of this description, an all_accept policy that allows all traffic between the zones is used.

The configuration after completion of the above settings is as follows (the brace nesting below has been corrected so that zone-policy sits inside the security block, as it does on the router).
security {
        firewall {
                name all_accept {
                        default-action accept
                }
        }
        zone-policy {
                zone z1 {
                        interface dp0s4
                        interface dp0s5
                        to z2 {
                                firewall all_accept
                        }
                }
                zone z2 {
                        interface dp0s6
                        interface dp0s7
                        to z1 {
                                firewall all_accept
                        }
                }
        }
}
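The notes above state three rules that a zone configuration must satisfy before it can be committed: an interface may belong to only one zone, every pair of zones that should exchange traffic needs an inter-zone policy (traffic with no policy is dropped and the commit is refused), and the policy must reference a firewall that exists. The following script is an added example, not code from the vRouter or from the original page; it is a hypothetical pre-commit check that parses the "set security ..." commands exactly as typed above and reports violations of those rules. The command syntax is taken from the page; the function names and the constructed sample configurations are assumptions made for this example.

```python
"""Hypothetical pre-commit sanity check for zone-policy 'set' commands.

Added example: parses Brocade/Vyatta-style 'set security ...' lines and
checks the constraints stated on the page. Not part of the router software.
"""
import re
from collections import defaultdict

# Command forms as they appear on the page (quotes around values are optional).
ZONE_IF_RE = re.compile(r"^set security zone-policy zone (\S+) interface '?([^'\s]+)'?$")
ZONE_TO_RE = re.compile(r"^set security zone-policy zone (\S+) to (\S+) firewall '?([^'\s]+)'?$")
FW_NAME_RE = re.compile(r"^set security firewall name (\S+)(?:\s|$)")


def parse_zone_config(lines):
    """Return (zones, policies, firewalls) extracted from 'set' commands.

    zones:     zone name -> set of interfaces
    policies:  (from_zone, to_zone) -> firewall name
    firewalls: names defined with 'set security firewall name ...'
    """
    zones = defaultdict(set)
    policies = {}
    firewalls = set()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = ZONE_IF_RE.match(line)
        if m:
            zones[m.group(1)].add(m.group(2))
            continue
        m = ZONE_TO_RE.match(line)
        if m:
            src, dst, fw = m.groups()
            zones[src]  # make sure both zones are known even without interfaces
            zones[dst]
            policies[(src, dst)] = fw
            continue
        m = FW_NAME_RE.match(line)
        if m:
            firewalls.add(m.group(1))
    return dict(zones), policies, firewalls


def check_zone_config(lines):
    """Return a list of problems; an empty list means the config is consistent."""
    zones, policies, firewalls = parse_zone_config(lines)
    problems = []

    # Rule 1: an interface can belong to only one zone.
    owner = {}
    for zone in sorted(zones):
        for iface in sorted(zones[zone]):
            if iface in owner:
                problems.append(
                    f"interface {iface} is in both {owner[iface]} and {zone}; "
                    "an interface may belong to one zone only")
            else:
                owner[iface] = zone

    # Rule 2: every ordered zone pair needs an inter-zone policy.
    names = sorted(zones)
    for src in names:
        for dst in names:
            if src != dst and (src, dst) not in policies:
                problems.append(
                    f"no policy from {src} to {dst}: traffic in that direction "
                    "is dropped and the commit will be refused")

    # Rule 3: a referenced firewall must be defined.
    for (src, dst), fw in sorted(policies.items()):
        if fw not in firewalls:
            problems.append(f"policy {src}->{dst} references undefined firewall '{fw}'")
    return problems


# Constructed sample 1: the exact commands from the page (expected: no problems).
GOOD_CONFIG = """
set security firewall name all_accept default-action 'accept'
set security zone-policy zone z1 interface 'dp0s4'
set security zone-policy zone z1 interface 'dp0s5'
set security zone-policy zone z1 to z2 firewall 'all_accept'
set security zone-policy zone z2 interface 'dp0s6'
set security zone-policy zone z2 interface 'dp0s7'
set security zone-policy zone z2 to z1 firewall 'all_accept'
""".splitlines()

# Constructed sample 2: dp0s5 in two zones, z2->z1 policy missing, unknown firewall.
BAD_CONFIG = """
set security zone-policy zone z1 interface 'dp0s4'
set security zone-policy zone z1 interface 'dp0s5'
set security zone-policy zone z2 interface 'dp0s5'
set security zone-policy zone z2 interface 'dp0s6'
set security zone-policy zone z1 to z2 firewall 'no_such_fw'
""".splitlines()

if __name__ == "__main__":
    for label, cfg in (("page example", GOOD_CONFIG), ("broken example", BAD_CONFIG)):
        print(f"{label}:")
        for p in check_zone_config(cfg) or ["ok"]:
            print("  " + p)
```

Running the script reports "ok" for the page's own commands and three findings for the broken sample, one per rule. The check is deliberately strict about the missing z2->z1 policy because, as the note above says, the router refuses the commit without it; in a real deployment the accept-all policy used here would then be replaced with a rule set that permits only the required traffic in each direction.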