HPE D6020 Maintenance And Service Manual page 284

Usage guidelines
A zone pair has a source security zone and a destination security zone. The device examines
received first data packets and uses zone pairs to identify data flows.
A zone pair defined by using the zone-pair security source any destination any command
matches all packets from one security zone to another security zone.
After you apply security policies to zone pairs, the device processes data flows based on security
policies.
•
If a packet matches a zone pair between specific security zones, the device processes the
packet by using the security policies applied to the zone pair.
•
If a packet does not match any zone pair between specific security zones, the device identifies
whether a zone pair is defined by using the zone-pair security source any destination any
command.
If the zone pair is defined, the device processes the packet by using the security policies

applied to the zone pair.
If the zone pair is not defined, the device discards the packet.

Security policies include packet filtering policies, ASPF policies, and object policies. For more
information about packet filtering policies, see ACL and QoS Configuration Guide. For more
information about ASPF and object policies, see Security Configuration Guide.
Deleting a zone pair deletes all object policy applications on the zone pair.
Examples
# Create a zone pair with the source security zone Trust and destination zone Untrust.
<Sysname> system-view
[Sysname] zone-pair security source trust destination untrust
[Sysname-zone-pair-security-Trust-Untrust]
Related commands
display zone-pair security
276