Lan or Dmz zone type?

When creating a new zone in XG, you have to specify if the new zone is LAN or DMZ. What does this mean? Those are existing zones, by definition the new zone is different to both, and existing rules won't yet apply to it.

What actually happens differently if a new zone is given as LAN-like or DMZ-like?

Thanks

  • MrMuishond,

    XG uses a zone concept. You can create additional zones and add your physical NICs/VLANs to them. As you can see, you can create firewall rules from/to zones, and allow services using zones under Administration > Device access.

    Think of having multiple LAN segments (VLAN, network range) that all belong to the LAN zone, and you need to create a firewall rule to deny certain traffic to all of them. You can create a LAN to WAN firewall rule where the source network object is any.

    Also, once the rules are applied to a zone, you can add/remove NICs without deleting network objects, as happens on UTM9 for example.

    Zones are used to simplify management. It takes time to understand, but play with it a little and you will see the power.

    Regards,

  • Hi Luk, I think I understand zones - they are just a collection of physical and virtual interfaces etc. What I don't understand at all is the concept of "zone type", is this a higher level grouping of zones?

    For example, LAN seems to be both a zone, and a zone type ("CustomZone" could be of type LAN). What does that actually mean for CustomZone?

    Thanks

  • The only zones that XG allows you to create (at the moment) are LAN and DMZ. LAN is used to group internal resources, while DMZ should be used to group networks accessible externally.

    Yes, it is a sort of higher level grouping.

    Have a look at the online help:

    http://docs.sophos.com/nsg/sophos-firewall/v16050/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp%2FZoneManage.html%23

    DMZ is also used to create an HA configuration where both nodes have to communicate.

  • Hi Luk, so if it's a higher level grouping (zones can be in zones) and I create CustomZone of type LAN, does that mean my existing LAN rules would automatically apply to interfaces in CustomZone?

    In other words, if I have a general LAN to WAN rule, and interface3 is in CustomZone (which itself is of type LAN), then interface3 can access WAN? Interface3 would effectively be in 2 zones, CustomZone and LAN?

  • No.

    LAN is the type of the zone. You can group networks under the same zone, but not a zone under another zone.

    If you create a zone called "Branch Offices" as a LAN zone and you need to allow all the users access to your DMZ server, you will need a firewall rule where the zone is Branch Offices, source object is any --> DMZ zone, and the network object is your server placed in the DMZ.
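To make the answer above concrete, here is a small model of zone-based rule matching (an added example, not Sophos code or anything posted in the thread): rules match on the zone an interface belongs to, and the zone type is only a classification label, so a custom zone of type LAN does not inherit LAN-to-WAN rules. Zone names, port names, addresses and rules are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model: a zone is a named group of interfaces carrying a type label.
# The type (LAN/DMZ, or a system type such as WAN) classifies the zone; it is
# not a parent zone, so rule matching below never consults it.
@dataclass
class Zone:
    name: str
    zone_type: str
    interfaces: frozenset

@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    src_net: str   # "any" or a CIDR string
    dst_net: str   # "any" or a CIDR string
    action: str    # "accept" or "drop"

ZONES = [
    Zone("LAN", "LAN", frozenset({"Port1"})),
    Zone("WAN", "WAN", frozenset({"Port2"})),
    Zone("DMZ", "DMZ", frozenset({"Port4"})),
    Zone("Branch Offices", "LAN", frozenset({"Port3"})),  # custom zone of type LAN
]

RULES = [
    Rule("LAN", "WAN", "any", "any", "accept"),                   # general LAN to WAN rule
    Rule("Branch Offices", "DMZ", "any", "10.0.50.10/32", "accept"),  # branch users to DMZ server
]

def zone_of(interface, zones=ZONES):
    """Name of the zone an interface belongs to; an interface sits in exactly one zone."""
    for z in zones:
        if interface in z.interfaces:
            return z.name
    return None

def net_matches(net_obj, addr):
    return net_obj == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net_obj)

def evaluate(src_if, src_ip, dst_if, dst_ip, rules=RULES, zones=ZONES):
    """First-match evaluation on zone membership and network objects; no match means drop."""
    src_zone, dst_zone = zone_of(src_if, zones), zone_of(dst_if, zones)
    for r in rules:
        if ((r.src_zone, r.dst_zone) == (src_zone, dst_zone)
                and net_matches(r.src_net, src_ip) and net_matches(r.dst_net, dst_ip)):
            return r.action
    return "drop"

def zones_of_type(zone_type, zones=ZONES):
    """The type is only a grouping label, e.g. for listing every LAN-type zone."""
    return sorted(z.name for z in zones if z.zone_type == zone_type)
```

Traffic from Port3 (in "Branch Offices", type LAN) to the WAN is dropped because no rule names that zone, while the same interface reaches the DMZ server through its own rule.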
