Screen OS

  • 1.  Access Rules between zones of same type

    Posted 12-05-2012 17:05
    On NetScreen SSG firewalls, when I have 2 zones as DMZ, are there any default access rules enabled on the firewall?

    Do I need to explicitly define the access rules from DMZ to DMZ?

    Thanks,


  • 2.  RE: Access Rules between zones of same type
    Best Answer

    Posted 12-06-2012 00:03

    Hi,

    I think you mean "two interfaces in the same zone".

    The default policy for intrazone traffic (e.g. DMZ-to-DMZ) depends on the setting "Block intra-zone traffic" for the given zone. If this is on, the default policy is Deny and access policies should be configured; otherwise the default policy is Enable. But you can configure access policies even if the default policy is Enable.

    I always select "Block intra-zone traffic".



  • 3.  RE: Access Rules between zones of same type

    Posted 12-06-2012 21:34

    Just verified on ScreenOS 6.2. It's selected for the Untrust and Trust zones but not selected for the DMZ zone.

    If I do not select "Block intrazone traffic" and then define the access rules between DMZ to DMZ, is it going to be effective?



  • 4.  RE: Access Rules between zones of same type

    Posted 12-07-2012 00:58

    Hi,

    Yes, you can selectively deny certain connections, log or NAT them. But the recommended option is to enable blocking.



  • 5.  RE: Access Rules between zones of same type

    Posted 12-09-2012 03:23
    If I do not select "Block intrazone traffic" and then define the access rules between DMZ to DMZ, is it going to be effective?

    The effectiveness of intrazone blocking on the firewall will entirely depend on your layer 2 setup for the affected two devices. In order for the blocking to take effect, the firewall must see the connection occur to block the traffic.

    If your two devices are in the same VLAN and connected to the same switch, they will communicate without any traffic reaching the firewall to be blocked.

    But if your two interfaces are feeding two different switches, then the traffic from devices on switch A to devices on switch B will need to transit the firewall and the intrazone block will come into effect.

    An exception to this is if the two interfaces are configured as a bgroup in ScreenOS. The bridge group feature also acts just as a switch and does not apply the zone rules for intrazone blocking.
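The following ScreenOS CLI fragment is an added worked example, not configuration posted by anyone in this thread. It ties together reply 2 (the per-zone "Block intra-zone traffic" setting and explicit DMZ-to-DMZ policies) and reply 5 (the traffic has to be routed through the firewall, and a bgroup bypasses zone policy). Interface names ethernet0/2 and ethernet0/3, the 10.1.1.0/24 and 10.1.2.0/24 subnets, the host addresses and the address-book names are assumptions for illustration; the exact wording of the `get zone` output is not reproduced, only what to look for.

```text
## Added example, not from the original thread. Assumed: zone DMZ spans
## ethernet0/2 and ethernet0/3, hosts 10.1.1.10 (web-01) and 10.1.2.10 (app-01).

## 1. Intrazone blocking is a per-zone setting. Check the current state
##    (the output reports whether intra-zone blocking is on for the zone):
get zone DMZ

## 2. Turn blocking on for DMZ; the implicit DMZ->DMZ policy becomes Deny:
set zone DMZ block

## 3. Give each DMZ interface its own subnet so that traffic between the two
##    segments must be routed through the firewall and hits zone policy:
set interface ethernet0/2 zone DMZ
set interface ethernet0/2 ip 10.1.1.1/24
set interface ethernet0/3 zone DMZ
set interface ethernet0/3 ip 10.1.2.1/24

## 4. Address-book entries and an explicit DMZ->DMZ policy. With blocking on,
##    this is the only DMZ->DMZ flow permitted; everything else is denied:
set address DMZ "web-01" 10.1.1.10/32
set address DMZ "app-01" 10.1.2.10/32
set policy from DMZ to DMZ "web-01" "app-01" HTTP permit log

## 5. With blocking off, a DMZ->DMZ policy still takes effect, but only as an
##    exception to the implicit Permit, e.g. to deny or log one flow:
## unset zone DMZ block
## set policy from DMZ to DMZ any "app-01" ANY deny log

## 6. Caveat from reply 5: if the two ports are bridged in a bgroup, the bgroup
##    switches frames between them without consulting zone policy, so step 2
##    does not apply to traffic between the bridged ports:
## set interface bgroup0 port ethernet0/2
## set interface bgroup0 port ethernet0/3
## set interface bgroup0 zone DMZ
## set interface bgroup0 ip 10.1.1.1/24
```

After step 4, `get policy from DMZ to DMZ` should list the single permit policy; a second host in the 10.1.1.0/24 segment talking to web-01 over the same switch never reaches the firewall, which is exactly the layer 2 point made in reply 5.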