This is more of a design question than a how-to, really.
I have a LAN interface on an XG210 that uses subinterfaces, all of which are currently in the LAN zone. I need to create a DMZ for some publicly accessible servers, and although I have spare interfaces I was wondering -
1) As you have to create rules to allow traffic between the subinterfaces' subnets anyway (even if they are all in the LAN zone), does it make much difference if I just use another subinterface on the LAN interface for this?
2) If it doesn't make much difference, then does it matter whether or not I allocate the subinterface to the DMZ zone, i.e. I still need rules even for LAN zone subinterfaces, so what benefit is there in allocating it to the DMZ zone?
Note that the public servers will only be able to talk to a subset of LAN servers but I can lock this down in the rules anyway.
Being new to Sophos, I am just trying to understand the benefits of using different zones etc. and how others who are more familiar with these firewalls would approach this.
Thanks