Create a security zone and add interfaces into the security zone on an AR router


The router treats traffic that stays within a single security zone as trusted, so no security policy is applied to it. Traffic that crosses from one security zone to another triggers the firewall's security check, and the policy configured for that interzone is applied.
To configure firewall services, create the required security zones and assign each one a priority; the relative priorities of the two zones on either side of an interzone determine how security services are applied to traffic between them. Every security zone must have a distinct priority, and a larger value means a higher priority (a more trusted zone). A zone's priority must be set before any other configuration is performed on the zone, and once set it cannot be modified. After a security zone has been created and given a priority, interfaces must be added to it before the firewall takes effect on their traffic.
The specific configuration procedure is as follows:
1. Run the system-view command to enter the system view.
2. Run the firewall zone zone-name command to create a security zone and enter its view.
By default, no user-configurable security zone exists on the router; only the built-in Local zone described in the note below is present.
3. Run the priority security-priority command to configure a priority for the security zone. The priority must be set before interfaces are added and cannot be changed afterwards.
4. Run the quit command to return to the system view.
5. Run the interface interface-type interface-number command to enter the interface view.
6. Run the zone zone-name command to add the interface to the security zone.//Each security zone can contain multiple interfaces, but an interface can belong to only one zone.
Note: The router automatically creates a security zone named Local, which has the highest priority. The Local zone cannot be deleted, its priority cannot be modified, and no interface can be added to it. Use the Local zone when firewall functions must be applied to control packets destined for the router itself.
For details about the commands for creating a security zone, adding interfaces to it, and creating an interzone, see:
The AR router creates a security zone and adds interfaces to the security zone.

Other related questions:
Assigning an Eth-Trunk interface to a security zone
If the Eth-Trunk interface of the USG is a Layer 3 interface, it must be assigned to a security zone:
[FW] firewall zone untrust
[FW-zone-untrust] add interface Eth-Trunk

Assigning a VLANIF interface to a security zone
Perform the following steps to assign a VLANIF interface to a security zone on the USG. The physical port is switched to Layer 2 and carries VLAN 10; the Layer 3 VLANIF interface is the one added to the zone:
[FW] vlan 10
[FW-vlan-10] quit
[FW] interface Vlanif 10
[FW-Vlanif10] quit
[FW] interface GigabitEthernet 0/0/1
[FW-GigabitEthernet0/0/1] portswitch
[FW-GigabitEthernet0/0/1] port link-type trunk
[FW-GigabitEthernet0/0/1] port trunk permit vlan 10
[FW-GigabitEthernet0/0/1] quit
[FW] firewall zone name trust1
[FW-zone-trust1] set priority 10
[FW-zone-trust1] add interface Vlanif 10
[FW-zone-trust1] quit

Assigning interfaces to security zones on the USG6000
Perform the following steps to assign interfaces to security zones:
1. Run the firewall zone command to enter the view of the corresponding zone.
2. Run the add interface command to add the corresponding interface.

How to check whether an interface has been added to a security zone
Run the display zone command to check whether the interface has been added to the intended security zone:
display zone
If the interface is not in any security zone, add it, for example:
[HUAWEI] firewall zone trust
[HUAWEI-zone-trust] add interface GigabitEthernet1/0/1

Definition of the security level of a security zone on the firewall
Within a VPN instance, each security zone has a unique security level (priority); no two zones in the same VPN instance may share a level. The level ranges from 1 to 100, and a larger value means a higher security level. The firewall has four default security zones:
1. Untrust: low security level, 5. Normally used for insecure networks such as the Internet.
2. DMZ: medium security level, 50. Normally used for the zone where intranet servers reside. Such servers sit on the intranet but are frequently accessed from the extranet, which exposes them to considerable risk, and they are not allowed to initiate connections to the extranet. They are therefore placed in a zone whose level is lower than Trust but higher than Untrust.
3. Trust: relatively high security level, 85. Normally used for the zone where intranet users reside.
4. Local: the highest security level, 100. The Local zone represents the device itself, including its interfaces. Every packet constructed and actively sent by the device is regarded as coming from the Local zone, and every packet that the device must respond to or process itself (rather than merely inspect or forward) is regarded as destined for the Local zone. The Local zone cannot be modified by the user; for example, no interface can be added to it.
A default security zone cannot be deleted, and its security level cannot be reset. Additional security zones can be created with security levels chosen as required.
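The zone rules above (distinct levels within 1 to 100, an interface in only one zone, an empty Local zone, default zones whose levels cannot be reset) and the AR configuration procedure at the top of the page can be checked offline before a command sequence is pasted onto a device. The script below is an added example, not Huawei code. It parses only the command forms that appear on this page (AR: firewall zone, priority, and zone in the interface view; USG: firewall zone name, set priority, add interface), the zone names, interface names and both sample configurations are constructed for the example, and the Layer 2 exemption follows the Eth-Trunk answer above: a port switched to Layer 2 with portswitch is not expected to be in any zone.

```python
"""Audit Huawei VRP security-zone commands against the zone rules on this page.
Added example, not Huawei code; the sample configurations below are constructed.
Parses only the command forms shown on the page (AR and USG)."""
from dataclasses import dataclass, field

USG_DEFAULT_ZONES = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}
AR_DEFAULT_ZONES = {"local": 100}  # an AR router auto-creates only Local

@dataclass
class Zone:
    name: str
    priority: int = None  # None until configured
    interfaces: list = field(default_factory=list)

def parse_zone_config(config, defaults):
    zones = {n: Zone(n, p) for n, p in defaults.items()}
    seen, layer2, findings, ctx = set(), set(), [], None  # ctx: current view
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        in_zone = ctx is not None and ctx[0] == "zone"
        if t[0] == "quit":
            ctx = None
        elif t[:2] == ["firewall", "zone"]:  # 'firewall zone X' (AR) or 'firewall zone name X' (USG)
            name = (t[3] if t[2] == "name" else t[2]).lower()
            zones.setdefault(name, Zone(name))
            ctx = ("zone", name)
        elif in_zone and (t[0] == "priority" or t[:2] == ["set", "priority"]):
            if ctx[1] in defaults:  # a default zone's level cannot be reset
                findings.append(f"zone {ctx[1]}: priority of a default zone cannot be changed")
            else:
                zones[ctx[1]].priority = int(t[-1])
        elif in_zone and t[:2] == ["add", "interface"]:  # USG form
            seen.add(name := "".join(t[2:]).lower())  # 'Vlanif 10' and 'Vlanif10' -> 'vlanif10'
            zones[ctx[1]].interfaces.append(name)
        elif t[0] == "interface":
            ctx = ("interface", "".join(t[1:]).lower())
            seen.add(ctx[1])
        elif ctx and ctx[0] == "interface" and t[0] == "portswitch":
            layer2.add(ctx[1])  # a Layer 2 port is not placed in a zone
        elif ctx and ctx[0] == "interface" and t[0] == "zone":  # AR form; unknown zone created here
            zones.setdefault(t[1].lower(), Zone(t[1].lower())).interfaces.append(ctx[1])
    return zones, seen, layer2, findings

def audit_zone_config(config, defaults=USG_DEFAULT_ZONES):
    """One finding per violated rule; an empty list means the config is consistent."""
    zones, seen, layer2, findings = parse_zone_config(config, defaults)
    by_priority, membership = {}, {}
    for z in zones.values():
        if z.priority is None:  # also catches a zone first referenced from interface view
            findings.append(f"zone {z.name}: no priority set, so the zone cannot be used")
        elif not 1 <= z.priority <= 100:
            findings.append(f"zone {z.name}: priority {z.priority} outside 1-100")
        elif z.priority in by_priority:
            findings.append(f"zone {z.name}: priority {z.priority} already used by {by_priority[z.priority]}")
        else:
            by_priority[z.priority] = z.name
        if z.name == "local" and z.interfaces:
            findings.append(f"zone local: must not contain interfaces ({', '.join(z.interfaces)})")
        for i in z.interfaces:
            membership.setdefault(i, []).append(z.name)
    for i, names in membership.items():
        if len(names) > 1:
            findings.append(f"interface {i}: in more than one zone ({', '.join(names)})")
    for i in sorted(seen - set(membership) - layer2):
        findings.append(f"interface {i}: Layer 3 interface not in any security zone")
    return findings

# Constructed USG configuration modelled on the VLANIF answer above: consistent.
GOOD_USG_CONFIG = """interface GigabitEthernet 0/0/1
 portswitch
 quit
firewall zone name trust1
 set priority 10
 add interface Vlanif 10
 quit
firewall zone untrust
 add interface GigabitEthernet1/0/1
 quit"""
# Constructed AR configuration that breaks each rule on the page at least once.
BAD_AR_CONFIG = """firewall zone trust
 priority 85
 quit
firewall zone untrust
 priority 85
 quit
interface GigabitEthernet 0/0/1
 zone trust
 zone dmz
 quit
interface GigabitEthernet 0/0/2
 quit
interface GigabitEthernet 0/0/3
 zone local
 quit
firewall zone local
 priority 90
 quit"""
```

Calling audit_zone_config(BAD_AR_CONFIG, AR_DEFAULT_ZONES) returns six findings, one per broken rule (duplicate priority, a zone with no priority, an interface in two zones, an unassigned Layer 3 interface, an interface in Local, and an attempt to change a default zone's priority); audit_zone_config(GOOD_USG_CONFIG) returns an empty list. On a live device, display zone remains the authoritative check.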
