This article refers to a version that is no longer current!

The article for the latest version is here

There is already a newer version of this article, but it refers to a reseller preview

Zone settings on the UTM
Last adaptation: 12.4
New:
  • No extra zones for IPv6 required anymore
  • Updated screenshots
  • Layout adjustments

This article refers to a reseller preview

Introduction

The zone concept defines through which interface an object (host or network) reaches the NextGen UTM.
To achieve this, a zone is bound to an interface in the network configuration and, in the rule set, to a network object.

The zone concept

Create a new zone

Add zone
A new zone is created under Network → Zone setting by clicking the + Add zone button.


A zone can be created either without an interface or with an already created interface.


The zones

We distinguish between network, interface and VPN zones:

  • Network zones distinguish the network segments, each of which is located behind an interface of the firewall.
  • Interface zones distinguish the interfaces via which the different network zones are connected.
  • VPN zones distinguish different networks that are connected via VPN connections.


The type of a zone is controlled by flags, which are set when the zone is created. For the user, the distinction is made easier by naming conventions (interface zones: prefix "firewall-", VPN zones: prefix "vpn-").
By linking an object in the rule set to an interface via its zone, it is possible to ensure that a port filter rule only takes effect if not only the source, destination and service match the rule, but the connection also arrives via the correct interface. This prevents all attacks that involve IP spoofing: a packet carrying a source address from the internal network but arriving on the external interface does not match a rule whose source object lies in the internal zone. The assignment of an object to an interface is done by binding the zone to the interface on the one hand and by assigning the network object to a zone on the other.

The zone concept

Examples:
  • Internal network: internal
  • Internal interface: firewall-internal
  • External interface: firewall-external
  • Internet: external
  • Mail server: internal
  • Web server in the 1st DMZ: DMZ1
  • Remote IPSec subnet: vpn-ipsec

"Why is it necessary to distinguish between these different zones?"
Here is an example of a port filter rule:

#  Source            Target    Service  NAT  Action  Active
4  internal-network  internet  HTTP     -    Accept  On

This rule allows connections using the HTTP protocol from the internal network to the Internet. The source is located in the network zone "internal", the destination in the network zone "external".

The source and destination are therefore in different zones because they are reached via different interfaces of the firewall.
If, for example, "www.ttt-point.de" is now entered into the browser, name resolution takes place before this connection is established.
If the firewall is the DNS server on the network, the workstation sends the DNS request to the firewall's internal interface.

This request must be allowed with a port filter rule:

#  Source            Target              Service  NAT  Action  Active
4  internal-network  internal-interface  DNS      -    Accept  On

This rule differs from the previous one in one detail: the source and destination of the allowed connection are not behind different interfaces. Rather, the destination interface is in the same network segment as the source and thus actually in the same zone! Internally, rules for connections through the firewall are processed in a different table of the port filter than those that have the firewall itself as their destination. Therefore, interfaces are located in their own interface zone, so that here the source is in the network zone "internal" and the destination, the interface of the firewall, is in the zone "firewall-internal".

From this it follows that for any connection allowed in the port filter rule set, the destination is always located in a different zone than the source: either in a different network zone, and thus behind a different interface, or in the interface zone of the interface behind which the network segment of the source is located.
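The following Python model is an added example and not code from the article or from Securepoint. It reproduces the behaviour of the two rules above: the HTTP rule is evaluated as traffic through the firewall between two interfaces, the DNS rule as traffic addressed to the firewall itself (because its target lies in an interface zone), and a packet that carries an internal source address but arrives on the external interface matches neither rule. The interface names eth0/eth1, the address ranges and the chain names INPUT/FORWARD are assumptions chosen for illustration.

```python
"""Zone-bound port-filter matching, modelled in Python (constructed example, not UTM code)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Zone:
    name: str
    flag: str        # "network", "interface", "policy_ipsec" or "ppp_vpn"
    interface: str   # interface the zone is bound to (assumed names eth0/eth1)


@dataclass(frozen=True)
class NetObject:
    name: str
    cidr: str
    zone: Zone


@dataclass(frozen=True)
class Rule:
    source: NetObject
    target: NetObject
    proto: str
    port: int
    action: str = "ACCEPT"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_iface: str        # interface the packet actually arrived on
    out_iface: str = ""  # empty when the packet is addressed to the firewall itself


# Constructed zones: the network zone "internal" lies behind eth0, the interface
# zone "firewall-internal" is eth0 itself, the network zone "external" lies behind eth1.
INTERNAL = Zone("internal", "network", "eth0")
FW_INTERNAL = Zone("firewall-internal", "interface", "eth0")
EXTERNAL = Zone("external", "network", "eth1")

INTERNAL_NET = NetObject("internal-network", "192.168.1.0/24", INTERNAL)
INTERNAL_IF = NetObject("internal-interface", "192.168.1.1/32", FW_INTERNAL)
INTERNET = NetObject("internet", "0.0.0.0/0", EXTERNAL)

# The two rules from the article: HTTP to the Internet, DNS to the firewall's own interface.
RULES = [
    Rule(INTERNAL_NET, INTERNET, "tcp", 80),
    Rule(INTERNAL_NET, INTERNAL_IF, "udp", 53),
]


def chain_for(rule: Rule) -> str:
    """Rules whose target is an interface zone belong to the table for traffic addressed
    to the firewall (INPUT); all others to the table for traffic through it (FORWARD)."""
    return "INPUT" if rule.target.zone.flag == "interface" else "FORWARD"


def matches(rule: Rule, pkt: Packet) -> bool:
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.source.cidr):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.target.cidr):
        return False
    if (pkt.proto, pkt.dport) != (rule.proto, rule.port):
        return False
    # Zone binding: the packet must have arrived on the interface the source zone
    # is bound to. A spoofed internal address arriving on eth1 fails this check.
    if pkt.in_iface != rule.source.zone.interface:
        return False
    if chain_for(rule) == "FORWARD":
        return pkt.out_iface == rule.target.zone.interface
    return pkt.out_iface == ""


def evaluate(rules, pkt: Packet):
    """Return (chain, verdict) of the first matching rule, else the default DROP."""
    for rule in rules:
        if matches(rule, pkt):
            return chain_for(rule), rule.action
    return ("FORWARD" if pkt.out_iface else "INPUT"), "DROP"


if __name__ == "__main__":
    # HTTP from the internal network to the Internet, arriving on eth0 and leaving on eth1.
    print(evaluate(RULES, Packet("192.168.1.10", "203.0.113.5", "tcp", 80, "eth0", "eth1")))
    # DNS from the internal network to the firewall's internal interface.
    print(evaluate(RULES, Packet("192.168.1.10", "192.168.1.1", "udp", 53, "eth0")))
    # Same addresses and service, but arriving on the external interface: no match.
    print(evaluate(RULES, Packet("192.168.1.10", "192.168.1.1", "udp", 53, "eth1")))
```

The third packet in the usage section is the IP-spoofing case the article describes: source address, destination and service are identical to the DNS rule, yet the verdict is DROP because the zone of the source object is bound to eth0 and the packet came in on eth1.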



Flags

Flag          Meaning
No flag       It is the zone of a network.
Interface     This is the zone of a UTM interface. It is usually used to make the services offered by the UTM (name server, proxy) accessible.
Policy_IPSec  This is the zone of an IPSec VPN network.
PPP_VPN       This is the zone where PPTP or L2TP VPN clients are located.

Screenshot: Zone settings (UTM v12.2.3)

IPv6

  • As of version 12.4, extra zones are no longer needed for IPv6. They are obsolete, since the IP version of the addresses involved determines whether the rule is written for iptables or for ip6tables.

    For new installations, IPv6 zones are no longer added. Existing IPv6 zones are kept when upgrading the firmware or importing a configuration.
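As an added example (not code from the article or from Securepoint), the following Python function renders a zone-bound rule into iptables and ip6tables commands. It shows the point of the IPv6 note above: one network object in one zone may carry both an IPv4 and an IPv6 range, and the tool is picked from the address version of each source/target pairing, while the zone only supplies the interface match and the chain. The interface names, address ranges and the exact command layout are assumptions for illustration, not the UTM's own rule compiler.

```python
"""Render zone-bound rules as iptables/ip6tables commands (constructed example, not UTM code)."""
import ipaddress
from typing import NamedTuple


class Zone(NamedTuple):
    name: str
    flag: str    # "network" or "interface"
    iface: str   # assumed interface name the zone is bound to


class NetObject(NamedTuple):
    name: str
    cidrs: tuple  # one object may carry an IPv4 and an IPv6 range in the same zone
    zone: Zone


def render_rule(src: NetObject, dst: NetObject, proto: str, port: int, action: str = "ACCEPT"):
    """Return one command per address-family pairing of src and dst.

    The tool (iptables vs ip6tables) follows from the IP version of the addresses;
    the zone contributes only the interface match (-i/-o) and the chain.
    """
    chain = "INPUT" if dst.zone.flag == "interface" else "FORWARD"
    cmds = []
    for s in src.cidrs:
        for d in dst.cidrs:
            s_net, d_net = ipaddress.ip_network(s), ipaddress.ip_network(d)
            if s_net.version != d_net.version:
                continue  # an IPv4 source never talks to an IPv6 target directly
            tool = "iptables" if s_net.version == 4 else "ip6tables"
            parts = [tool, "-A", chain, "-i", src.zone.iface]
            if chain == "FORWARD":
                parts += ["-o", dst.zone.iface]
            parts += ["-s", str(s_net), "-d", str(d_net),
                      "-p", proto, "--dport", str(port), "-j", action]
            cmds.append(" ".join(parts))
    return cmds


# Constructed objects: the same two zones hold both address families, no IPv6 zone needed.
INTERNAL = Zone("internal", "network", "eth0")
EXTERNAL = Zone("external", "network", "eth1")
INTERNAL_NET = NetObject("internal-network", ("192.168.1.0/24", "2001:db8:1::/64"), INTERNAL)
INTERNET = NetObject("internet", ("0.0.0.0/0", "::/0"), EXTERNAL)

if __name__ == "__main__":
    for cmd in render_rule(INTERNAL_NET, INTERNET, "tcp", 80):
        print(cmd)
```

Running the block prints one iptables and one ip6tables FORWARD rule for the same "internal-network → internet, HTTP" entry; the mixed-family pairings are skipped rather than producing a rule that could never match.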