Screen OS


Vlans and security zones

  • 1.  Vlans and security zones

    Posted 03-01-2011 01:19

    Hi people,

    Just to make sure;

    If I set up an interface with 10 Sub-IFs (SSG350m), vlan 1 to 20, and these vlans are all in the same security zone, will a server in vlan 5 be able to connect to a server in vlan 8?

    If yes, how can I keep them separated properly?

    Regards,

    J.



  • 2.  RE: Vlans and security zones

    Posted 03-01-2011 03:23

    I already found something, can someone acknowledge the following:

    Block Intra-Zone Traffic: (For L3 zones only) Select this check box if you want to block the flow of traffic between interfaces in the same zone. Clear this check box to permit traffic between interfaces in the same zone.

    So,

    If I set up two SubIFs on the same interface with the same security zone (vlan 10 and 20) and I check the setting above, servers in VLAN 10 could not connect with servers in VLAN 20, is that right?



  • 3.  RE: Vlans and security zones

    Posted 03-01-2011 03:30

    Hi,

    You will make a global policy to drop all traffic and then you just do policies inside that specific zone how you want.

    This will work for sure.

    Then there's also an option called "block intrazone traffic" to block traffic between hosts in the same security zone. I am not sure if this will work since I recall testing it and it made no difference in my case, but I can't remember for sure if I had the global policy to drop traffic or not. If you are building a new environment you might want to test this if you don't want your global policy to be drop.



  • 4.  RE: Vlans and security zones

    Posted 03-01-2011 03:37

    "(For L3 zones only) Select this check box if you want to block the flow of traffic between interfaces in the same zone. Clear this check box to permit traffic between interfaces in the same zone."

    Where did you find the above information? I remember searching for it myself as well without success. But I did that test I mentioned earlier using subinterfaces, not different physical interfaces in the same zone.



  • 5.  RE: Vlans and security zones

    Posted 03-01-2011 03:38

    In your scenario, with the desire being to block connections between vlans, the intra-zone blocking will likely work. The scenario where this function does not work as desired is when the intra-zone traffic will not reach the firewall to process.

    Basically the firewall can only block or allow traffic that it actually sees.

    Broadcast domain

    If the desired blocks are in the same vlan and broadcast domain and they are on switches that have a layer 2 path to each other, then the connection will establish without ever reaching the firewall for the block to take effect.

    Other L3 interfaces

    If your multiple vlans are set up on layer 3 capable switches that have routing enabled on the switch without access controls, then again the traffic can be routed without reaching the firewall for rule enforcement.



  • 6.  RE: Vlans and security zones

    Posted 03-01-2011 04:28

    Thanks for the info people.

    @ Terosa:

    I found the info on the Help page when viewing the zone options. You respond with "You will make a global policy to drop all traffic and then you just do policies inside that specific zone how you want. This will work for sure." Do you mean I need to create a policy to drop traffic from 192.168.1.0/24 to 192.168.2.0 in the same zone? Will this also drop broadcast traffic?

    @Spuluka, you respond with "In your scenario with the desire being to block connections between vlans the intra zone blocking will likely work." Is there anyone who can acknowledge what spuluka said? Is this option also working on Sub Interfaces instead of normal interfaces?

    Regards,

    J



  • 7.  RE: Vlans and security zones

    Posted 03-01-2011 04:32

    Sorry for the confusion.

    By "likely work" I mean with the caveats I note above. Intra-zone blocking will work only if all the packets between the two vlans are routed through the firewall. Your network design has to be such that there is no path of connection on the switching layer, so that the only way for the connection to occur is by going through the firewall rule set.

    From your description this seems like it is the case, but I can't be certain, so I use the word "likely".

    Yes, intra-zone blocking works with sub-interfaces too.



  • 8.  RE: Vlans and security zones

    Posted 03-01-2011 04:55

    Thanks spuluka,

    The way I want to set it up is as follows:

    ethernet1/3.10-vlan10 - 192.168.1.1/24 (let's call this Network A)

    ethernet1/3.10-vlan11 - 192.168.1.2/24 (let's call this Network B)

    I want to create two vswitches in ESX, one with vlan ID 10 and one with vlan ID 11. All servers using the vswitch for Network A will only be able to see each other and will need to use the gateway (the SSG) to get to the internet. The same goes for Network B.

    This way they shouldn't be able to see each other, mainly because traffic between vswitches shouldn't be possible.



  • 9.  RE: Vlans and security zones

    Posted 03-01-2011 05:06

    Are those subnets correct? They are on the same network. Perhaps you mean

    vlan10 192.168.1.1/24

    vlan11 192.168.2.1/24

    Overlapping subnets would be a different case that would be tricky.

    But if they are different subnets in two vlans with the default gateway of the firewall, you have no problem using intra-zone blocking and rule sets to allow specific traffic this way.



  • 10.  RE: Vlans and security zones

    Posted 03-01-2011 05:10

    Oops, you're right.

    I mean two different subnets, 192.168.1.0/24 and 192.168.2.0/24.

    The idea is to put two networks in different vSwitches (VMware) using different vlan tags, and each uses its own gateway (the SSG SubIF) to reach 'other networks'.

    spuluka;

    The traffic will meet on the trunk ports of one of my physical switches, but because of the different vlan tags they shouldn't be able to see each other, right? As far as I see it, all traffic other than the local subnet will be routed through their own SubIF.



  • 11.  RE: Vlans and security zones
    Best Answer

    Posted 03-01-2011 05:13

    Your configuration will work.

    Yes, trunk ports are fine and the traffic does not cross vlan IDs in that connection.
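    The setup agreed on above, written out as ScreenOS CLI. This is an added example, not configuration from any post in the thread; it assumes the zone is named Trust, the sub-interfaces are ethernet1/3.10 and ethernet1/3.11, the address-book names are Net-A and Net-B, and Untrust is the internet-facing zone. Lines starting with # are comments, not CLI input.

```text
# Assumed names: zone "Trust" holds both VLAN sub-interfaces; "Untrust" faces the internet.
# One sub-interface per VLAN tag on the trunk port (interface names assumed).
set interface ethernet1/3.10 tag 10 zone Trust
set interface ethernet1/3.10 ip 192.168.1.1/24
set interface ethernet1/3.11 tag 11 zone Trust
set interface ethernet1/3.11 ip 192.168.2.1/24

# Block intra-zone traffic: Trust-to-Trust flows now need an explicit permit policy.
set zone Trust block

# Address-book entries for the two networks (names assumed).
set address Trust Net-A 192.168.1.0 255.255.255.0
set address Trust Net-B 192.168.2.0 255.255.255.0

# Each network may reach the internet through its own gateway sub-interface.
set policy from Trust to Untrust Net-A Any ANY permit
set policy from Trust to Untrust Net-B Any ANY permit

# Explicit logged deny between the two networks: redundant to the zone block,
# but it makes the drops visible in the traffic log so the separation can be verified.
set policy from Trust to Trust Net-A Net-B ANY deny log
set policy from Trust to Trust Net-B Net-A ANY deny log

# Verify: zone output should show intra-zone block on, and the policies listed.
get zone Trust
get policy from Trust to Trust
```

    As post 5 cautions, this only enforces what actually reaches the SSG: the ESX vSwitches and the trunk must keep VLAN 10 and VLAN 11 as separate broadcast domains, with no switch-side routing between them.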



  • 12.  RE: Vlans and security zones

    Posted 03-01-2011 05:45

    Thank you for the information spuluka, much appreciated!

    Regards,

    Joris