6.2.1. Managing zones with MC

By default, MC defines a zone called internet on every site. The internet zone contains the 0.0.0.0 and the ::0 networks with the 0 subnet mask (0.0.0.0/0 and ::/0). This zone means any network: every IP address not belonging to another zone belongs to the internet zone.

Note

PNS uses the CIDR notation for subnetting.

Figure 6.1. Zones

The internet zone is typically used in firewall rules where one side of the connection cannot be defined more exactly.

Example 6.1. Using the Internet zone

The Internet zone identifies all external networks. To allow the internal users to visit all web pages, simply set the destination zone of the HTTP service to Internet. For details on creating services, see Section 6.4, Application-level Gateway services.

Zones are managed on the Site component in MC. The left side of the main workspace displays the zones defined on the site and their descriptions. IP networks that belong to the selected zone are displayed on the right side of the workspace.

Note

The Application-level Gateway MC component has a shortcut in its icon bar to the zone editor. The zone hierarchy applies to all firewalls of the site, so carefully consider every modification and its possible side-effect.

Use the control buttons to create, delete, or edit the zone definitions and the IP networks. Use the arrow icons to organize the zones into a hierarchy (see Section 6.2.3, Zone hierarchies for details).

Example 6.2. Subnetting

Suppose you have the following IP address range to put into a zone: 1.2.50.0 - 1.2.70.255. You can either define 21 IP subnets with a /24 mask, or you can define six subnets in the following manner: 1.2.50.0/23, 1.2.52.0/22, 1.2.56.0/21, 1.2.64.0/22, 1.2.68.0/23, 1.2.70.0/24. Whether you have a switched/routed network or you actually use /24 subnets is irrelevant from the zone's (PNS's) point of view. As long as it encounters an IP address from the range 1.2.50.0 - 1.2.70.255, it will consider it a member of the given zone.

Furthermore, suppose you define Zone A with the IP network 10.0.0.0/8, and Zone B consisting of the network 10.0.1.0/24 and a single machine, Computer C, with the IP address 10.0.1.100/32. From an IP addressing point of view, Computer C belongs to both networks. The PNS rule applied in this and similar cases is that the machine is always considered to belong to the network (and thus the zone) that is more specific in CIDR terms. In this example that is Zone B.
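The matching rule described in Examples 6.1 and 6.2 (most specific CIDR network wins, the internet zone catches everything else) modelled in Python. This is an added illustration, not PNS or MC code; the zone names branch, zone_a and zone_b and the zone table itself are constructed for the example.

```python
import ipaddress

# Zone table constructed for this example (not an exported MC configuration).
# "internet" is the default catch-all zone: 0.0.0.0/0 and ::/0.
ZONES = {
    "internet": ["0.0.0.0/0", "::/0"],
    # Example 6.2: the range 1.2.50.0 - 1.2.70.255 as six CIDR networks
    "branch": ["1.2.50.0/23", "1.2.52.0/22", "1.2.56.0/21",
               "1.2.64.0/22", "1.2.68.0/23", "1.2.70.0/24"],
    # Zone A and Zone B from the text; Computer C is the /32 inside Zone B
    "zone_a": ["10.0.0.0/8"],
    "zone_b": ["10.0.1.0/24", "10.0.1.100/32"],
}


def cidr_blocks_for_range(first, last):
    """Smallest set of CIDR networks covering first..last inclusive.

    Reproduces the six-subnet decomposition of Example 6.2 from the
    bare address range.
    """
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def build_zone_table(zones):
    """Parse the CIDR strings once; returns a list of (network, zone name)."""
    table = []
    for name, nets in zones.items():
        for cidr in nets:
            # strict=True rejects entries with host bits set, e.g. 1.2.50.1/23
            table.append((ipaddress.ip_network(cidr, strict=True), name))
    return table


def lookup_zone(table, address):
    """Return (zone, network) for the most specific network containing address.

    When an address lies in several networks (10.0.1.100 is in 10.0.0.0/8,
    10.0.1.0/24 and 10.0.1.100/32), the longest prefix wins, as PNS does.
    Returns (None, None) only if nothing matches, which cannot happen while
    the internet zone with 0.0.0.0/0 and ::/0 is present.
    """
    addr = ipaddress.ip_address(address)
    best = None
    for net, zone in table:
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, zone)
    return (None, None) if best is None else (best[1], best[0])


TABLE = build_zone_table(ZONES)
```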