Defining VPN Zones
Refer to the Use Case diagram, where 6 zones are defined:
• Default Zone: this zone contains all the subnets of the private IP address range. It is configured by default and cannot be modified.
• Data Center: geographical zone that contains all the subnets of the Data Center site (DataCenter and DataCenter2) that are not included in higher-priority zones.
• Agencies: geographical zone that contains all the subnets of the Agency sites (B01, B02) that are not included in higher-priority zones.
• Call Center: geographical zone that contains the subnets of the B03 site that are not included in higher-priority zones.
• DC Payment: logical zone that contains sets of subnets that may belong to one or several sites. DC Payment subnets are included in the Data Center zone (DataCenter and DataCenter2).
• Agency Payment: logical zone that contains sets of subnets that may belong to one or several sites. Agency Payment subnets are included in the Agencies zone (B01 and B02).
• Marketing: logical zone that contains sets of subnets that may belong to one or several sites. Marketing subnets are included in both the Agencies zone and the Data Center zone (B01, B02 and DataCenter).
Note: high-priority VPN zones are included in low-priority VPN zones.
Warning: for system performance reasons, do not define more than 30 VPN zones. Also favor subnet definitions over the selection of individual site hosts (/32).
Define the Agencies zone
In the VPN Segmentation panel of the Security window, the Default Zone with its subnets is already displayed. You cannot modify it.
1. Click the Add VPN Zone button.
2. Type 'Agencies' as the Name of the zone.
3. Enter a low Priority (5) for this zone because it is clearly identified, with no subnet overlap. 1 corresponds to the highest priority; 6 is the lowest priority value.
4. From the Sites list, which includes all the Sites you have configured, select the B01 and B02 Sites. Note that you can find a specific Site through the Search fields. You do not need to specify Subnets since identification was done via Site Names.
5. Click Save Changes to validate.
6. Use the View All function to display the VPN Segmentation matrix and continue adding VPN Zones.
Define the Call Center zone
1. Click the Add VPN Zone button.
2. Type 'Call Center' as the Name of the zone.
3. Enter a low Priority (6) for this zone because it is clearly identified, with no subnet overlap. 1 corresponds to the highest priority; 6 is the lowest priority value.
4. From the Sites list, which includes all the Sites you have configured, select the B03 Site.
5. Click Save Changes to validate.
Define the Data Center Zone
1. Click the Add VPN Zone button.
2. Type 'Data Center' as the Name of the zone.
3. Enter a low Priority (4) for this zone because it is clearly identified, with no subnet overlap.
4. DataCenter and DataCenter2 are two appliances on the same Site, named DataCenter. From the Sites list, which includes all the Sites you have configured, select the DataCenter Site.
5. Click Save Changes to validate.
Define the DC Payment zone
1. Click the Add VPN Zone button.
2. Type 'DC Payment' as the Name of the zone.
3. Enter a high Priority value (2) for this zone because its subnet definition is more specific than the surrounding geographical zone.
4. Use the Subnets panel to identify the two DC Payment subnets: 10.1.4.128/26 and 10.2.4.128/26.
5. Click Save Changes to validate.
Define the Agency Payment zone
1. Click the Add VPN Zone button.
2. Type 'Agency Payment' as the Name of the zone.
3. Enter a high Priority value (1) for this zone because its subnet definition is more specific than the surrounding geographical zone.
4. Use the Subnets panel to identify the two Agency Payment subnets: 10.1.1.128/26 and 10.1.2.128/26.
5. Click Save Changes to validate.
Define the Marketing zone
1. Click the Add VPN Zone button.
2. Type 'Marketing' as the Name of the zone.
3. Enter an average Priority value (3) for this zone.
4. Use the Subnets panel to identify the three Marketing zone subnets: 10.1.1.64/26, 10.1.2.64/26 and 10.1.4.64/26.
5. Click Save Changes to validate.
Modifying or deleting a VPN Zone
In the VPN Segmentation window:
• Click any VPN Zone row to edit its configuration. Modify any values and click Save Changes.
• Click the delete icon if you want to delete a VPN zone. The system asks you to click the icon a second time to confirm your action.
After you have defined your VPN zones, you must apply VPN Segmentation Policies to these zones.