You want to configure a ScreenOS intra-zone policy that enforces and logs stateful firewall sessions between systems in the same security zone.
Figure 7-4 shows the Internal_fw gateway and its interfaces in the context of a firewall policy between devices in the same Trust zone. The policy permits the Orion host to initiate ping and HTTP connections to Gemini and denies all other connections.
Figure 7-4. Intra-zone firewall policy configuration
First, the required address book and service group entries are created:
Internal_fw-> set address Trust Gemini 192.168.5.10/32
Internal_fw-> set group service ping_http
Internal_fw-> set group service ping_http add ping
Internal_fw-> set group service ping_http add http
Next, intra-zone blocking is enabled on the Trust zone, and the intra-zone policies are configured:
Internal_fw-> set zone Trust block
Internal_fw-> set policy from Trust to Trust Orion Gemini ping_http permit log
policy id = 20
Internal_fw-> set policy from Trust to Trust Orion Gemini any deny log
policy id = 21
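The following is an added example, not code from the recipe or from ScreenOS: a small Python model of how the two configuration steps above interact. It models the zone-level block switch (without it, intra-zone sessions pass with no policy lookup) and the top-down, first-match policy lookup that applies once blocking is on, so you can see why policy 20 must precede policy 21 and why the explicit deny in policy 21 matters (a session that matches no policy is dropped by the block without a policy log). Orion's address (192.168.5.20), the sample session attempts, and the protocol/port encoding of the ping and http services are assumptions made for the example.

```python
"""Simplified model of ScreenOS intra-zone policy lookup.

Added example, not part of the recipe: models 'set zone Trust block'
and first-match policy order for sessions between Orion and Gemini
inside the Trust zone.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed Trust-zone address book. Gemini's address is from the recipe;
# Orion's address is an assumption (the recipe does not show its entry).
ADDRESS_BOOK = {
    "Gemini": "192.168.5.10",
    "Orion": "192.168.5.20",  # assumed, not from the recipe
    "Any": None,              # predefined "Any" address object
}

# Services as (protocol, port) tuples: "ping" modelled as ICMP echo request
# (type 8), "http" as TCP/80. ping_http is the service group from the recipe.
SERVICES = {
    "ping": {("icmp", 8)},
    "http": {("tcp", 80)},
    "ping_http": {("icmp", 8), ("tcp", 80)},
    "any": None,              # predefined "ANY" service
}


@dataclass
class Policy:
    pid: int
    src: str
    dst: str
    service: str
    action: str               # "permit" or "deny"
    log: bool = False


@dataclass
class Zone:
    name: str
    block: bool = False       # 'set zone <name> block'
    policies: List[Policy] = field(default_factory=list)


def _addr_match(name: str, ip: str) -> bool:
    target = ADDRESS_BOOK[name]
    return target is None or target == ip


def _svc_match(name: str, proto: str, port: int) -> bool:
    allowed = SERVICES[name]
    return allowed is None or (proto, port) in allowed


def evaluate(zone: Zone, src_ip: str, dst_ip: str, proto: str, port: int
             ) -> Tuple[str, Optional[int], bool]:
    """Decide a new session: (action, matching policy id, logged).

    Modelled behaviour: with blocking disabled, intra-zone traffic passes
    without a policy lookup. With blocking enabled, the policy list is
    walked top-down and the first match wins; a session that matches no
    policy is dropped by the block itself, with no policy log entry.
    """
    if not zone.block:
        return ("permit", None, False)
    for pol in zone.policies:
        if (_addr_match(pol.src, src_ip) and _addr_match(pol.dst, dst_ip)
                and _svc_match(pol.service, proto, port)):
            return (pol.action, pol.pid, pol.log)
    return ("deny", None, False)


def trust_zone(block: bool = True) -> Zone:
    """The recipe's Trust zone: policy 20 (permit ping_http) before 21 (deny any)."""
    return Zone("Trust", block=block, policies=[
        Policy(20, "Orion", "Gemini", "ping_http", "permit", log=True),
        Policy(21, "Orion", "Gemini", "any", "deny", log=True),
    ])


def misordered_zone() -> Zone:
    """Same two policies with the deny listed first: first match denies everything."""
    zone = trust_zone()
    zone.policies.reverse()
    return zone


if __name__ == "__main__":
    # Constructed session attempts: (label, src, dst, proto, port)
    flows = [
        ("Orion -> Gemini HTTP", "192.168.5.20", "192.168.5.10", "tcp", 80),
        ("Orion -> Gemini ping", "192.168.5.20", "192.168.5.10", "icmp", 8),
        ("Orion -> Gemini SSH ", "192.168.5.20", "192.168.5.10", "tcp", 22),
        ("Gemini -> Orion HTTP", "192.168.5.10", "192.168.5.20", "tcp", 80),
    ]
    variants = [("block off", trust_zone(block=False)),
                ("block on ", trust_zone()),
                ("misordered", misordered_zone())]
    for label, src, dst, proto, port in flows:
        for name, zone in variants:
            print(f"{label} [{name}] -> {evaluate(zone, src, dst, proto, port)}")
```

Running the script shows that with blocking off every session passes, including Gemini initiating HTTP to Orion; with blocking on only Orion's ping and HTTP to Gemini are permitted (policy 20), Orion's SSH attempt is denied and logged by policy 21, and Gemini's attempt toward Orion is dropped by the block with no policy match. Reversing the two policies denies everything from Orion, which is the ordering mistake to check for on a real device.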
In the solution to this recipe, the two distinct IP interfaces, ethernet0/1, on the Internal_fw gateway are in the same Trust security zone. To enable stateful firewalling between devices on these separate interfaces in the same zone, intra-zone policies are employed: once blocking is enabled on the zone, a session initiated between interfaces of that zone is subject to policy lookup and is dropped unless a policy explicitly permits it.
In its default configuration, ...