How to create a custom zone

03/26/2020 162 18856

DESCRIPTION:

A zone is a logical grouping of one or more interfaces designed to make management, such as the definition and application of Access Rules, a simpler and more intuitive process than following strict physical interface scheme. Zone-based security is a powerful and flexible method of managing both internal and external network segments, allowing the administrator to separate and protect critical internal network resources from unapproved access or attack.

A network security zone is simply a logical method of grouping one or more interfaces with friendly, user-configurable names, and applying security rules as traffic passes from one zone to another zone. Security zones provide an additional, more flexible, layer of security for the firewall. With the zone-based security, the administrator can group similar interfaces and apply the same policies to them, instead of having to write the same policy for each interface.

SonicOS Enhanced zones allows you to apply security policies to the inside of the network. This allows the administrator to do this by organizing network resources to different zones, and allowing or restricting traffic between those zones. This way, access to critical internal resources such as payroll servers or engineering code servers can be strictly controlled.

Zones also allow full exposure of the NAT table to allow the administrator control over the traffic across the interfaces by controlling the source and destination addresses as traffic crosses from one zone to another. This means that NAT can be applied internally, or across VPN tunnels, which is a feature that users have long requested. SonicWALL security appliances can also drive VPN traffic through the NAT policy and zone policy, since VPNs are now logically grouped into their own VPN zone.

Each zone has a security type, which defines the level of trust given to that zone. There are five security types:

• Trusted : Trusted is a security type that provides the highest level of trust—meaning that the least amount of scrutiny is applied to traffic coming from trusted zones. Trusted security can be thought of as being on the LAN (protected) side of the security appliance. The LAN zone is always Trusted.
• Encrypted : Encrypted is a security type used exclusively by the VPN zone. All traffic to and from an Encrypted zone is encrypted.
• Wireless : Wireless is a security type applied to the WLAN zone or any zone where the only interface to the network consists of SonicWALL SonicPoint devices. Wireless security type is designed specifically for use with SonicPoint devices. Placing an interface in a Wireless zone activates SDP (SonicWALL Discovery Protocol) and SSPP (SonicWALL Simple Provisioning Protocol) on that interface for automatic discovery and provisioning of SonicPoint devices. Only traffic that passes through a SonicPoint is allowed through a Wireless zone; all other traffic is dropped.
• Public : A Public security type offers a higher level of trust than an Untrusted zone, but a lower level of trust than a Trusted zone. Public zones can be thought of as being a secure area between the LAN (protected) side of the security appliance and the WAN (unprotected) side. The DMZ, for example, is a Public zone because traffic flows from it to both the LAN and the WAN. By default traffic from DMZ to LAN is denied. But traffic from LAN to ANY is allowed. This means only LAN initiated connections will have traffic between DMZ and LAN. The DMZ will only have default access to the WAN, not the LAN.
• Untrusted : The Untrusted security type represents the lowest level of trust. It is used by both the WAN and the virtual Multicast zone. An Untrusted zone can be thought of as being on the WAN (unprotected) side of the security appliance.By default, traffic from Untrusted zones is not permitted to enter any other zone type without explicit rules, but traffic from every other zone type is permitted to Untrusted zones.

RESOLUTION:

Following steps will guide you in creating a custom network zone on SonicWall UTM appliance:

1. Navigate to Networks | Zones | Add
   
   
2. Select the security type for the zone appropriately.
   
    
3. Apply security services on the custom zones. You can enable SonicWall Security Services for traffic across zones. For example, you can enable SonicWall Intrusion Prevention Service for incoming and outgoing traffic on the WLAN zone to add more security for internal network traffic. You can enable the following SonicWall Security Services on zones:
    
   
   • Enforce Content Filtering Service - Enforces content filtering on multiple interfaces in the same Trusted, Public and WLAN zones.
   • Enforce Client Anti-Virus Service - Enforces anti-virus protection on multiple interfaces in the same Trusted, Public or WLAN zones.
   • Enable Gateway Anti-Virus - Enforces gateway anti-virus protection on multiple interfaces in the same Trusted, Public or WLAN zones.
   • Enable IPS - Enforces intrusion detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
   • Enable Anti-Spyware Service - Enforces anti-spyware detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
   • Create Group VPN - Creates a GroupVPN policy for the zone, which is displayed in the VPN Policies table on the VPN | Settings page. You can customize the GroupVPN policy on the VPN | Settings page. If you uncheck Create Group VPN, the GroupVPN policy is removed from the VPN | Settings page.
     
     
4. Applying the custom zone on an interface, physical interfaces must be assigned to a zone to allow for configuration of Access Rules to govern inbound and outbound traffic. Security zones are bound to each physical interface where it acts as a conduit for inbound and outbound traffic. If there is no interface, traffic cannot access the zone or exit the zone. Navigate to Network | Interface | Edit Icon:
   
   
   
   

Deleting a Zone:

You can delete a custom zone by clicking the delete icon in the Configure column in Network | Zones

NOTE: Pre-Defined zones can't be deleted.

 

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

Following steps will guide you in creating a custom network zone on SonicWall UTM appliance:

1. Navigate to Manage > System Setup > Networks > Zones > Add
   
2. Select the security type for the zone appropriately.
   
    
3. Apply security services on the custom zones. You can enable SonicWall Security Services for traffic across zones. For example, you can enable SonicWall Intrusion Prevention Service for incoming and outgoing traffic on the WLAN zone to add more security for internal network traffic. You can enable the following SonicWall Security Services on zones:
    
   
   • Enforce Content Filtering Service - Enforces content filtering on multiple interfaces in the same Trusted, Public and WLAN zones.
   • Enforce Client Anti-Virus Service - Enforces anti-virus protection on multiple interfaces in the same Trusted, Public or WLAN zones.
   • Enable Gateway Anti-Virus - Enforces gateway anti-virus protection on multiple interfaces in the same Trusted, Public or WLAN zones.
   • Enable IPS - Enforces intrusion detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
   • Enable Anti-Spyware Service - Enforces anti-spyware detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
   • Create Group VPN - Creates a GroupVPN policy for the zone, which is displayed in the VPN Policies table on the VPN | Settings page. You can customize the GroupVPN policy on the VPN | Settings page. If you uncheck Create Group VPN, the GroupVPN policy is removed from the VPN | Settings page.
     
4. Applying the custom zone on an interface, physical interfaces must be assigned to a zone to allow for configuration of Access Rules to govern inbound and outbound traffic. Security zones are bound to each physical interface where it acts as a conduit for inbound and outbound traffic. If there is no interface, traffic cannot access the zone or exit the zone. Navigate to Manage > System Setup > Network > Interface > Configure:
   
   
   

Deleting a Zone:

You can delete a custom zone by clicking the delete icon in the Configure column in Network > Zones

NOTE: Pre-Defined zones can't be deleted.