A zone in NGFW is a logical aggregation of network interfaces. NGFW security policies reference interface zones rather than the interfaces themselves. This gives policies the needed flexibility and significantly eases the management of an HA cluster. Zones are identical on all cluster nodes, i.e., this is a global setting for the entire cluster.
It is recommended to aggregate interfaces into a zone based on their intended use, e.g., a LAN interface zone, Internet interface zone, partner-connected interface zone, etc.
NGFW is supplied with the following default zones:
| Name | Description |
|---|---|
| Management | Used to connect trusted networks from which NGFW management is allowed. |
| Trusted | Used to connect trusted networks, such as LANs. |
| Untrusted | Used for interfaces connected to untrusted networks, such as the Internet. |
| DMZ | Used for interfaces connected to the DMZ network. |
| Cluster | Used for interfaces that support the operation of a cluster. |
| VPN for Site-to-Site | Used for all Office-to-Office clients that connect to NGFW using a VPN. |
| VPN for remote access | Used for all mobile users who connect to NGFW using a VPN. |
| Tunnel inspection zone | All source and destination addresses of packets encapsulated into a tunnel belong to this zone. |
NGFW administrators can edit the settings for the default zones and create additional zones.
To create a zone, follow these steps:
| Name | Description |
|---|---|
| Step 1. Create a new zone. | Click Add and provide a name for the new zone. |
| Step 2. (Optional) Configure the DoS protection settings for the zone. | Configure the network flood protection settings for the TCP (SYN flood), UDP, and ICMP protocols in the zone: The recommended values are 300 requests per second for the alert threshold and 600 requests per second for the drop threshold. It is recommended to enable flood protection on all interfaces except those in the Cluster zone. The UDP drop threshold should be raised if the zone's interfaces carry traffic for services such as VoIP or L2TP VPN. DoS protection exclusions: here you can list the server IP addresses that are to be excluded from the protection. This is useful, e.g., for a VoIP service, since it sends large numbers of UDP packets. Important! NGFW allows more granular DoS protection; for details, see the DoS Protection section. |
| Step 3. (Optional) Configure the access control settings for the zone. | Specify the NGFW-provided services that will be available to clients connected to this zone. It is recommended to disable all services for zones connected to uncontrolled networks, such as the Internet. The following services exist: For more on network availability requirements, see the appendix Network Environment Requirements. |
| Step 4. (Optional) Configure the IP spoofing protection settings. | In an IP spoofing attack, a malicious actor sends a packet from an external network, such as Untrusted, into an internal one, such as Trusted, by replacing the packet's source IP address with an address from the internal network. Responses to the packet are then sent to that internal address. To protect against this kind of attack, the administrator can specify the source IP address ranges allowed in the selected zone; network packets with any other source IP address are discarded. Using the Negate checkbox, the administrator can instead specify the source IP address ranges from which packets may not be received on this zone's interfaces; in this case, packets with source IP addresses within those ranges are rejected. For example, for the Untrusted zone you can specify the "gray" (private) IP address ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 and turn on the Negate option. |
| Step 5. (Optional) Set session limits. | Limiting the number of concurrent connections from a single IP address is a security measure that caps the number of active network connections originating from the same IP. This is done for several reasons: To limit the number of concurrent connections from a single IP address: |
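The zone-level IP spoofing check (Step 4) and the flood thresholds (Step 2) can be modelled as a small decision function. The following is an added illustration, not NGFW code: the class and function names, the constructed Untrusted-zone configuration, and the raised UDP drop threshold for a hypothetical VoIP zone are all assumptions; the private ranges, the Negate semantics, and the 300/600 pps thresholds come from the steps above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class ZoneSpoofProtection:
    """Source-range check for one zone (hypothetical model of Step 4).

    ranges: source prefixes configured for the zone.
    negate: False -> only sources INSIDE the ranges are accepted;
            True  -> sources INSIDE the ranges are rejected (Negate checkbox).
    """
    ranges: list
    negate: bool = False

    def accepts(self, src_ip: str) -> bool:
        ip = ip_address(src_ip)
        in_ranges = any(ip in ip_network(r) for r in self.ranges)
        return not in_ranges if self.negate else in_ranges


@dataclass
class ZoneFloodProtection:
    """Per-protocol alert/drop thresholds in requests per second (Step 2).
    Defaults are the page's recommended values: alert 300, drop 600."""
    alert_pps: int = 300
    drop_pps: int = 600

    def verdict(self, observed_pps: int) -> str:
        if observed_pps >= self.drop_pps:
            return "drop"
        if observed_pps >= self.alert_pps:
            return "alert"
        return "pass"


# Constructed Untrusted-zone configuration following the page's example:
# private ("gray") ranges with Negate enabled, so packets claiming an
# internal source but arriving on the Internet-facing zone are discarded.
UNTRUSTED_SPOOF = ZoneSpoofProtection(
    ranges=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"], negate=True)
# Hypothetical thresholds: default for SYN flood, raised UDP drop limit for VoIP.
UNTRUSTED_FLOOD = {"tcp_syn": ZoneFloodProtection(),
                   "udp": ZoneFloodProtection(drop_pps=2000)}


def evaluate(src_ip: str, proto: str, pps: int,
             spoof=UNTRUSTED_SPOOF, flood=UNTRUSTED_FLOOD) -> str:
    """Spoofed sources are dropped before flood thresholds are consulted."""
    if not spoof.accepts(src_ip):
        return "drop:spoofed-source"
    return flood[proto].verdict(pps)
```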