Zone settings on the UTM
Last adaptation to the version: 12.6.0
New:
  • Updated to the redesign of the web interface
This article refers to a Resellerpreview


Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default-Port: 11115
e.g.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
Network / Zone Configuration


Introduction

The zone concept defines through which interface an object (host or network) reaches the NextGen UTM.
To achieve this, a zone is bound to an interface in the network configuration and, in the rule set, to a network object.

The zone concept

Create a new zone

Screenshot: Add zone (Network / Zone Configuration, UTM v12.6)

A new zone is created under Network / Zone Configuration by clicking the Add zone button.


A zone can be created either without an interface or bound to an interface that already exists.



The zones

Figure: The zone concept

We distinguish between network, interface and VPN zones:

  • Network zones distinguish the network segments, each of which is located behind an interface of the firewall.
  • Interface zones distinguish the interfaces via which the different network zones are connected.
  • VPN zones distinguish different networks that are connected via VPN connections.


The type of a zone is controlled by flags, which are defined when the zone is created. The distinction for the user is simplified by naming conventions (interfaces: prefix "firewall-", VPN: prefix "vpn-").
By linking an object in the rule set to the interface via the zone, it is possible to ensure that a port filter rule only takes effect if not only the source, destination and service match the rule, but the connection is also made via the correct interfaces. This prevents all attacks that involve IP spoofing. An object is assigned to an interface in two steps: the zone is bound to the interface, and the network object is assigned to the zone.
Examples:
  • Internal network: internal
  • Internal interface: firewall-internal
  • External interface: firewall-external
  • Internet: external
  • Mail server: internal
  • Web server in the 1st DMZ: DMZ1
  • Remote IPSec subnet: vpn-ipsec


Why is it necessary to distinguish between these different zones?
Here is an example of a port filter rule:

| # | Source           | Target   | Service | NAT | Action | Active |
| 4 | internal-network | internet | HTTP    |     | Accept | On     |

This rule allows connections with the HTTP protocol from the internal network to the Internet. The source is located in the "Internal" network zone, the destination in the "External" network zone.

The source and destination are therefore in different zones because they are reached via different interfaces of the firewall.
If, for example, "www.ttt-point.de" is now entered into the browser, name resolution takes place before this connection is established. If the firewall is the DNS server on the network, the workstation sends the DNS request to the firewall's internal interface.

This request must be allowed with a port filter rule:

| # | Source           | Target             | Service | NAT | Action | Active |
| 4 | internal-network | internal-interface | DNS     |     | Accept | On     |

This rule differs from the previous one in one detail: the source and destination of the permitted connection are not behind different interfaces. Rather, the interface that is the destination lies in the same network segment as the source, and thus actually in the same zone! Internally, rules for connections through the firewall are processed in a different table of the port filter than rules for connections that have the firewall itself as their destination. Therefore, interfaces are placed in their own interface zone, so that here the source is in the network zone "Internal" and the destination, the interface of the firewall, is in the zone "firewall-internal".

From this it follows that for a connection permitted in the port filter rule set, the destination is always located in a different zone than the source: either in a different network zone, and thus behind a different interface, or in the interface zone of the interface behind which the source's network segment is located.
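To make the binding between zone, interface and network object concrete, here is a small Python model added as an example; it is not Securepoint's code and does not reproduce the UTM's actual implementation. It assumes a constructed lab (internal LAN behind eth1, Internet behind eth0, the UTM at its default 192.168.175.1) and the two rules above, and shows why a packet carrying an internal source address but arriving on the external interface is dropped even though its IP matches the "internal-network" object.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed lab setup (not from the article): LAN behind eth1, Internet
# behind eth0. Network / Zone Configuration side: zone -> bound interface.
ZONE_INTERFACE = {
    "internal": "eth1", "firewall-internal": "eth1",
    "external": "eth0", "firewall-external": "eth0",
}
# Rule-set side: network object -> (address range, zone); 192.168.175.1 is the UTM.
OBJECTS = {
    "internal-network": (ipaddress.ip_network("192.168.175.0/24"), "internal"),
    "internet": (ipaddress.ip_network("0.0.0.0/0"), "external"),
    "internal-interface": (ipaddress.ip_network("192.168.175.1/32"), "firewall-internal"),
}
SERVICES = {"HTTP": ("tcp", 80), "DNS": ("udp", 53)}
# The two port filter rules discussed above: (source, target, service).
RULES = [
    ("internal-network", "internet", "HTTP"),
    ("internal-network", "internal-interface", "DNS"),
]

@dataclass
class Packet:
    in_if: str                    # interface the packet arrived on
    src: str
    dst: str
    proto: str
    dport: int
    out_if: Optional[str] = None  # None: addressed to the UTM itself

def object_matches(name: str, ip: str, iface: Optional[str]) -> bool:
    """Match only if the IP lies in the object's range AND it is seen on the interface its zone is bound to."""
    net, zone = OBJECTS[name]
    return ipaddress.ip_address(ip) in net and ZONE_INTERFACE[zone] == iface

def filter_packet(pkt: Packet) -> str:
    """Evaluate the rules in order; default deny when nothing matches."""
    for src_obj, dst_obj, svc in RULES:
        if SERVICES[svc] != (pkt.proto, pkt.dport):
            continue
        dst_zone = OBJECTS[dst_obj][1]
        # Interface zones ("firewall-" prefix) are the UTM itself and are reached
        # on the arriving interface; any other zone via the outgoing interface.
        dst_if = pkt.in_if if dst_zone.startswith("firewall-") else pkt.out_if
        if (object_matches(src_obj, pkt.src, pkt.in_if)
                and object_matches(dst_obj, pkt.dst, dst_if)):
            return "ACCEPT"
    return "DROP"
```

Without the zone check, the second packet below (internal source address arriving on eth0) would be accepted by the HTTP rule on its IP alone.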



Flags

Screenshot: Zone settings (Network / Zone Configuration, UTM v12.6)

| Flag         | Meaning |
| No flag      | It is the zone of a network. |
| Interface    | This is the zone of a UTM interface. It is usually used to make the services offered by the UTM (name server, proxy) accessible. |
| Policy_IPSec | This is the zone of an IPSec VPN network. |
| PPP_VPN      | This is the zone where PPTP or L2TP VPN clients are located. |

IPv6

  • As of version 12.4, separate zones are no longer needed for IPv6. They are obsolete, since the IP version of the objects determines whether a rule is written to iptables or ip6tables.

    For new installations, IPv6 zones are no longer added. Existing IPv6 zones are kept when upgrading the firmware or importing a configuration.