Interzone policy configuration, Interzone policy overview – H3C Technologies H3C SecPath F1000-E User Manual


Interzone policy configuration

NOTE:

The interzone policy configuration is available only in the web interface.

Interzone policy overview

Interzone policies, which are based on ACLs, identify traffic between zones. An interzone policy references one ACL for each pair of source zone and destination zone. This ACL contains a group of ACL rules, each of which permits or denies the packets that match its match criteria.
Follow either of the following methods to configure an interzone policy:

Method 1: Configure an interzone policy rule directly by referencing an address resource, a service resource, a time range resource, and a content filtering policy template, and configuring a filtering action. Packets are then filtered based on match criteria. The match criteria may include source IP address, destination IP address, source MAC address, destination MAC address, protocol type, protocol features (such as TCP/UDP source or destination port, ICMP message type, and ICMP message code), time range, and content in HTTP/SMTP messages. Rules for a pair of source zone and destination zone are listed in match order on the web page. A rule listed earlier has a higher priority, and is matched earlier. The rules are in the order they are created, and you can manually adjust the order.

Method 2: Configure an interzone policy group by referencing advanced ACLs. Packets are then filtered based on match criteria. The match criteria may include source IP address, destination IP address, source port, destination port, and protocol type. ACLs for a pair of source zone and destination zone are listed in match order on the web page. An ACL listed earlier has a higher priority, and is matched earlier. The ACLs are in the order they are selected for the group, and you can manually adjust the order.

NOTE:

In method 1, the number of an ACL referenced in an interzone policy is assigned automatically by the system. When you create the first rule for two zones, the system automatically creates an ACL for the interzone policy and assigns it an ACL number that is one more than the last assigned ACL number, starting from 6000. If you remove all rules of the interzone policy, the system automatically removes the ACL.

For a pair of source zone and destination zone, use the same method to configure an interzone policy.
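The following is an added illustration, not H3C code, that models the behaviour described above: rules for a zone pair are matched in their listed order (first match wins, and reordering changes the verdict), the ACL for a zone pair is numbered automatically starting from 6000, and it disappears when its last rule is removed. Zone names, address ranges and the packet are constructed; what the device does when no rule matches is not covered on this page, so the model returns None in that case.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    src: str             # source address resource as CIDR (constructed)
    dst: str             # destination address resource as CIDR
    proto: str           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]  # destination port; None means any port
    action: str          # "permit" or "deny"

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt.get("dport")))

class InterzonePolicy:
    """Ordered rule list per (source zone, destination zone) pair."""
    def __init__(self, first_acl: int = 6000):
        self.rules = {}        # (src_zone, dst_zone) -> list of Rule, in match order
        self.acl_number = {}   # (src_zone, dst_zone) -> auto-assigned ACL number
        self._last_acl = first_acl - 1

    def add_rule(self, src_zone, dst_zone, rule: Rule):
        pair = (src_zone, dst_zone)
        if pair not in self.rules:          # first rule for the pair creates the ACL
            self._last_acl += 1             # one more than the last assigned number
            self.acl_number[pair] = self._last_acl
            self.rules[pair] = []
        self.rules[pair].append(rule)       # new rules go last (lowest priority)

    def move_rule(self, src_zone, dst_zone, index: int, new_index: int):
        """Manual reordering, as on the web page: earlier position = higher priority."""
        rules = self.rules[(src_zone, dst_zone)]
        rules.insert(new_index, rules.pop(index))

    def remove_all(self, src_zone, dst_zone):
        pair = (src_zone, dst_zone)
        self.rules.pop(pair, None)
        self.acl_number.pop(pair, None)     # the ACL is removed with its last rule

    def lookup(self, src_zone, dst_zone, pkt: dict) -> Optional[str]:
        for rule in self.rules.get((src_zone, dst_zone), []):
            if rule.matches(pkt):
                return rule.action          # first matching rule decides
        return None                         # no rule matched (device default not modelled)
```

Because a later rule is never reached once an earlier one matches, a broad deny placed above a narrow permit silently disables the permit; re-checking lookups after every reorder is the practical test.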

Interzone policies support the ACL acceleration feature, which improves the forwarding performance and connection setup performance of the device. ACL acceleration speeds up ACL lookup, and the acceleration effect increases with the number of ACL rules.
