Introduction to Security Zone

Zone is a logical entity. One or more interfaces can be bound to one zone. A zone with policy applied is known as a security zone, while a zone created for a specific function is known as a functional zone. Zones have the following features:

• An interface should be bound to a zone. A Layer 2 zone will be bound to a VSwitch, while a Layer 3 zone will be bound to a VRouter. Therefore, the VSwitch to which a Layer 2 zone is bound decides which VSwitch the interfaces belong to in that Layer 2 zone, and the VRouter to which a Layer 3 zone is bound decides which VRouter the interfaces belong to in that Layer 3 zone.
• Interfaces in Layer 2 and Layer 3 are working in Layer 2 mode and Layer 3 mode respectively.
• System supports internal zone policies, like trust-to-trust policy rule。

There are 8 pre-defined security zones in system, which are trust, untrust, dmz, L2-trust, L2-untrust, L2-dmz, vpnhub (VPN functional zone) and ha (HA functional zone). You can also customize security zones. Actually pre-defined security zones and user-defined security zones make no difference in functions, and you can make your choice freely.