I appreciate Firewall Address Objects and Address Groups - they simplify management by letting me give a name to a group of addresses.
But I don't understand what Firewall Zones (LAN, WAN, DMZ, etc.) do for me over Address Groups. I know all firewalls have them, so there must be a good reason. But what do I gain by stating a rule applies to all traffic from LAN Zone to WAN Zone which comes from LAN Address Group to WAN Address Group? Why not just mention the Address Groups?
Firewall zones help document what is happening. The standard groups have standard restrictions. It is much easy to identify the fault in this rule.
Allow port 80 from NET to LAN
It isn't clear when you have this
Allow port 80 from 0.0.0.0/0 to 192.0.2.0/16
Typically zones will be assigned to interfaces or vlans with or without address restrictions. With tight rulesets, machines in the wrong zone may refuse to run correctly.
Each firewall zone corresponds with a specified security requirement. A group of network blocks may correspond with same specified security requirement. A firewall zone may accommodate a group of network blocks or objects. Firewall is network security device, it use zones to separate network.
LAN and WAN are not firewall zone names. Trust and untrust are firewall zone names or network security terms.
Address groups are traditionally sequential IP addresses, say 192.168.0.0./24 but your LAN may comprise of 192.168.0.0/24 and 10.1.1.0/24 and not all firewalls will permit joining these together in a single group
Secondly, the LAN segments are not always defined by IP address, but there are devices that assign designations to physical ports. So everything that is inbound on Port 1 is from the DMZ, and Port 2 is from the LAN, and Port 3 is the Internet (A Snapgear SG530 is the first device I can think of off the top of my head that is configured like this).
