
Subinterfaces and zones

This is more of a design question than a how-to really.

I have a LAN interface on an XG210 that uses subinterfaces, all of which are currently in the LAN zone. I need to create a DMZ for some publicly accessible servers, and although I have spare interfaces I was wondering:

1) As you have to create rules to allow traffic between the subinterfaces' subnets anyway (even if they are all in the LAN zone), does it make much difference if I just use another subinterface on the LAN interface for this?

2) If it doesn't make much difference, then does it matter whether or not I allocate the subinterface to the DMZ zone? I.e. I still need rules even for LAN zone subinterfaces, so what benefit is there in allocating it to the DMZ zone?

Note that the public servers will only be able to talk to a subset of LAN servers, but I can lock this down in the rules anyway.

Being new to Sophos, I am just trying to understand the benefits of using different zones etc. and how others who are more familiar with these firewalls would approach this.

Thanks

  • Hi

    Using different zones for different infrastructure gives you granular control.

    Putting all your servers in the DMZ zone allows you to separate them from the LAN zone; you can create specific firewall rules and policies for them, and it is easy to monitor/analyze their traffic.

    You are required to have a LAN to DMZ firewall rule to allow LAN users to connect to DMZ zone servers.

  • Hi Keyur

    Thanks for responding.

    With the main interface and the subinterfaces all being in the LAN zone, does it make sense to use another interface for the DMZ, or can I just create a new subinterface under the LAN interface and allocate it to the DMZ zone?

    Does it make any difference?

    Thanks