Firewall rule group Zones

Hi,

What is the purpose of the source zone and destination zone when creating a new firewall rule group?

My first thought was that it would serve as a sort of 2-level match, first match the source and destination zones as defined in the group, and if they match scan through the rules inside of it, if not, go to the next group. However, a simple test seems to have failed in this regard. The setup was:

New group, source zone = LAN1, destination zone = WAN

Inside this group: rule 1: source zone = LAN1, destination zone = WAN, apply web filtering

rule 2: source zone = LAN2, destination zone = WAN, apply web filtering

Rule under the group:

rule 3: source zone = LAN2, destination zone = WAN, no web filtering

 

Expected result: traffic from zone LAN2 is not filtered (does not hit Group due to mis-matching zones, so hits rule 3).

Actual result: traffic from zone LAN2 was filtered (hit rule 2).

 

Thanks!

Steven.

  • Hi Steven,

    Thanks for your feedback. The firewall rule group's source and destination zone matching criteria are basically used when creating a firewall rule and selecting "Automatic" as the rule group.

    In that case the rule will be assigned to a group based on the matching criteria defined as part of the group configuration.

    Traffic should always match the firewall rule criteria; it does not match the source and destination zones of the firewall rule group.
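
A simplified model of the behaviour described in the reply above, added here as an example (it is not part of the original thread and is not vendor code). It replays the test from the question and flags rules whose zones differ from their group's zones. All class and function names are hypothetical, the data is constructed from the question, and choosing the first matching group for "Automatic" is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Group:
    name: str
    src: str
    dst: str

@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    web_filter: bool
    group: Optional[str] = None  # organisational label only

def first_match(rules, src, dst):
    """Top-down first match on each rule's own zones; group zones are never consulted."""
    for rule in rules:
        if (rule.src, rule.dst) == (src, dst):
            return rule
    return None

def auto_group(groups, src, dst):
    """'Automatic' placement when a rule is created (assumed: first group with equal zones)."""
    for group in groups:
        if (group.src, group.dst) == (src, dst):
            return group.name
    return None

def zone_mismatches(rules, groups):
    """Audit helper: rules sitting in a group whose zones differ from the rule's own zones."""
    by_name = {g.name: g for g in groups}
    return [r.name for r in rules
            if r.group in by_name
            and (r.src, r.dst) != (by_name[r.group].src, by_name[r.group].dst)]

# Constructed data reproducing the test setup from the question.
GROUPS = [Group("group", "LAN1", "WAN")]
RULES = [
    Rule("rule 1", "LAN1", "WAN", web_filter=True, group="group"),
    Rule("rule 2", "LAN2", "WAN", web_filter=True, group="group"),
    Rule("rule 3", "LAN2", "WAN", web_filter=False),
]

if __name__ == "__main__":
    hit = first_match(RULES, "LAN2", "WAN")
    print("LAN2 -> WAN hits", hit.name, "web filtering:", hit.web_filter)
    print("rules whose zones differ from their group:", zone_mismatches(RULES, GROUPS))
```

Running the audit helper over an exported rule list shows where a group's zone labels could mislead a reviewer about which traffic the rules inside it actually match.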
