Setting VPN Segmentation Policies
By default, all VPN Zones can communicate with one another.
To block or allow traffic between two VPN Zones, click the icon for that VPN Zone pair in the Security matrix.
Note: the matrix is symmetrical: the segmentation policy between two VPN Zones is the same in both directions and only needs to be configured once. For example, the Data Center-Agencies policy is the same as the Agencies-Data Center policy.
You can also use the Allow Connections to lists to select the VPN Zones each zone is allowed to communicate with.
This configuration implements the following policies (refer to the Use Case diagram):
• Appliances that belong to no zone other than the Default Zone can communicate with appliances in the Data Center zone.
• Appliances in the Data Center zone can communicate with all other zones, including appliances of other sites in the Data Center zone.
  Warning: some appliances located at the Data Center 1 and Data Center 2 sites are not in the Data Center zone, because they belong to a higher-priority zone such as Marketing or DC Payment.
• Appliances in the Agencies zone can only communicate with appliances in the Data Center zone. They cannot communicate with one another unless they are on the same site.
  Warning: some appliances located at the B01 and B02 sites are not in the Agencies zone, because they belong to a higher-priority zone such as Marketing or Agency Payment.
• Appliances in the Marketing zone can all communicate with one another, whichever site they belong to.
• Appliances in the DC Payment zone can communicate with appliances in the Agency Payment zone.
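The two warnings above rest on one rule: an appliance is evaluated against the matrix as a member of the highest-priority zone that contains it, not of every zone it could belong to. The following Python model is an added example (not Stormshield code and not part of this page) that encodes the matrix as unordered zone pairs, so it is symmetric by construction, resolves each appliance to its effective zone, and evaluates the policies listed above. The site names (DC1, DC2, B01, B02, HQ), appliance names, and numeric priority values are assumptions chosen for illustration.

```python
"""Model of the VPN zone segmentation policy described on this page.

Added example, not Stormshield code. Site names, appliance names and the
numeric priority values are assumptions used for illustration only.
"""
from itertools import combinations

# Zone priority, highest wins. The page says Marketing, DC Payment and
# Agency Payment outrank Data Center and Agencies; the numbers are assumed.
ZONE_PRIORITY = {
    "Default Zone": 0,
    "Data Center": 10,
    "Agencies": 10,
    "Marketing": 20,
    "DC Payment": 30,
    "Agency Payment": 30,
}

# Zone membership. Data Center and Agencies are defined by site; the three
# higher-priority zones are defined by explicit appliance lists (assumed inventory).
SITE_ZONES = {"DC1": "Data Center", "DC2": "Data Center",
              "B01": "Agencies", "B02": "Agencies"}
EXPLICIT_ZONES = {
    "Marketing": {"dc1-mkt", "b01-mkt"},
    "DC Payment": {"dc2-pay"},
    "Agency Payment": {"b02-pay"},
}

# Constructed inventory: appliance name -> site. "HQ" is in no zone at all,
# so its appliance falls back to the Default Zone.
APPLIANCES = {
    "dc1-fw": "DC1", "dc1-mkt": "DC1",
    "dc2-fw": "DC2", "dc2-pay": "DC2",
    "b01-fw": "B01", "b01-mkt": "B01",
    "b02-fw": "B02", "b02-pay": "B02",
    "hq-fw": "HQ",
}


def pair(x, y):
    """Unordered zone pair: pair(a, b) == pair(b, a), which makes the matrix symmetric."""
    return frozenset((x, y))


# The Security matrix from the page. A one-element pair such as
# pair("Marketing", "Marketing") means members of that zone may talk to each other.
SECURITY_MATRIX = {
    pair("Default Zone", "Data Center"),
    pair("Data Center", "Data Center"),
    pair("Data Center", "Agencies"),
    pair("Data Center", "Marketing"),
    pair("Data Center", "DC Payment"),
    pair("Data Center", "Agency Payment"),
    pair("Marketing", "Marketing"),
    pair("DC Payment", "Agency Payment"),
}


def effective_zone(appliance):
    """Return the highest-priority zone containing the appliance, or Default Zone."""
    candidates = [z for z, members in EXPLICIT_ZONES.items() if appliance in members]
    site_zone = SITE_ZONES.get(APPLIANCES[appliance])
    if site_zone:
        candidates.append(site_zone)
    if not candidates:
        return "Default Zone"
    return max(candidates, key=ZONE_PRIORITY.__getitem__)


def can_communicate(a, b):
    """True if the segmentation policy lets appliances a and b reach each other.

    Assumption: the matrix governs VPN traffic between sites, so two appliances
    on the same site are not restricted by it (the page says Agencies appliances
    can still talk to each other when they share a site).
    """
    if APPLIANCES[a] == APPLIANCES[b]:
        return True
    return pair(effective_zone(a), effective_zone(b)) in SECURITY_MATRIX


def policy_is_symmetric():
    """Check that no ordered pair of appliances is allowed in one direction only."""
    return all(can_communicate(a, b) == can_communicate(b, a)
               for a, b in combinations(APPLIANCES, 2))


if __name__ == "__main__":
    for a, b in combinations(APPLIANCES, 2):
        verdict = "allowed" if can_communicate(a, b) else "blocked"
        print(f"{a} ({effective_zone(a)}) <-> {b} ({effective_zone(b)}): {verdict}")
    print("symmetric:", policy_is_symmetric())
```

Note that `dc1-mkt` sits at a Data Center site but resolves to Marketing, so it cannot be reached from the Default Zone even though plain Data Center appliances can; likewise `b02-pay` resolves to Agency Payment and cannot reach `b01-fw`, which is in the Agencies zone. These are the cases the two warnings describe.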