We are working on setting up DMZ zones at several of our locations and I'm seeing a discrepancy between how zone security types should be working according to the documentation and what I'm actually seeing in practice. I'm hoping someone can help me understand why this is.
The default security type for a DMZ zone appears to be "Public."
According to the documentation here regarding Public zones: By default traffic from DMZ to LAN is denied. But traffic from LAN to ANY is allowed. This means only LAN initiated connections will have traffic between DMZ and LAN.
This is not what we're seeing, though. In our testing, LAN to DMZ traffic is denied by default (which is how we actually want it, but we also want to understand why).
We've tested by deleting all LAN to DMZ rules and trying to ping, which is unsuccessful. Then, to verify that there is nothing else preventing communication, we set up a single rule allowing all communication from LAN to DMZ and pinging began to work.
The support page makes it sound like the default, no-rule behavior should be for LAN to DMZ traffic to be allowed. Can anybody help me understand why this is not the case in practice?