Using VRRP with a zone-based firewall
When a physical interface or virtual interface has a VRRP interface defined, all incoming traffic arrives through the VRRP interface. Zone-based firewalls drop all traffic in and out unless explicitly allowed. Therefore, if you are using VRRP interfaces with a zone-based firewall, you must make sure you include the VRRP interfaces in your zone.
To use a VRRP interface in a zone, you must attach the physical interface on which VRRP is enabled. The configuration is the same as zone configuration on a physical interface; the only difference is that VRRP is running on that interface.
In the example in Applying the rule sets to the zones, the private zone is defined to include the dp0p1p1 and dp0p1p2 interfaces. The following example shows how to add VRRP interfaces for both dp0p1p1 and dp0p1p2. In this example:
- Interface dp0p1p1 is a member of VRRP group 99.
- Interface dp0p1p2 is a member of VRRP group 101.
When you add configuration to a VRRP interface, you do not specify the interface identifier. The system internally constructs the identifier from the name of the parent interface together with the VRRP group ID.
| Step | Command |
|---|---|
| Add one of the interfaces contained in the private zone. | |
| Add the other interface contained in the private zone. | |
| Commit the configuration. | |
| Show the configuration. | |