Lan or Dmz zone type?

Question

When creating a new zone in XG, you have to specify if the new zone is LAN or DMZ. What does this mean? Those are existing zones, by definition the new zone is different to both, and existing rules won't yet apply to it. 
 What actually happens differently if a new zone is given as LAN-like or DMZ-like? 
 Thanks

lferrara · Accepted Answer

MrMuishond , 
 As I said you should think about Zone like grouping objects. You can even add new zone as DMZ zone and use them for LAN or viceversa but for example: 
 in HA configuration, the members will exchange heartbeat only on DMZ zone and not on LAN zone; 
 LAN zone allows you to group up to 6 interfaces while DMZ only 5.

lferrara · Answer

MrMuishond , 
 XG uses zone concept. You can create additional zone and add your physical nics/vlan to them. As you can see you can create Firewall rules from/to zones; allow services using zones under Administration > Device access. 
 Think about you have multiple lan segments (Vlan, network range) and all of them belong to LAN zone and you need to create a firewall rule to deny certain traffic to all of them. You can create a LAN to WAN Firewall rule where the source network objects is any. 
 Also once the rules are applied to zone, you can add/remove NICs without deleting network objects as it occurs on UTM9 for example. 
 Zone are used to simplify the management. It taks time to understand but play a little bit and you will see the power. 
 Regards,

lferrara · Answer

The only zone that XG allows you to create (at the moment) are LAN and DMZ. LAN are used to group internal resources while DMZ should be used to group networks accessible externally. 
 Yes, it is a sort of higher level grouping. 
 Have a look at the online help: 
 http://docs.sophos.com/nsg/sophos-firewall/v16050/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp%2FZoneManage.html%23 
 DMZ is also used to create HA configuration where both nodes have to communicate to.