No, this is not supported. A satellite endpoint can only be a member of one zone. Upon this, the zone trust relationship is built.
Where are the satellite nodes located physically, are these security zones overlapping, or wouldn’t it be more reasonable to have a satellite in each security zone?
Hi,
the routing between the satellite and DMZ1 and satellite and DMZ2 is like a star. That means the satellite is responsible for 2 separate zones, no overlapping. But in every zone there are many clients. In zones.d/ there are actually 4 zones: DMZ1, SHZ1, IDMZ1 and EDMZ1. Everything is ok. Now the satellite should manage the 4 other zones DMZ2, SHZ2, IDMZ2 and EDMZ2. There should be 8 directories in zones.d/. The configuration is ok. But what about the zones.conf? I think there is no solution?! The simplest way is to have a single sat for every zone. But here I described 2 zones with 1 satellite. At large scale it is: 24 zones with 8 satellites. That means that I need 16 more satellites. My boss will kill me
What exactly is needed to gain access to such a security zone? I would imagine that such a satellite has different interfaces for each DMZ routing applied, and can access different host objects then.
Why not ignore the security zones for Icinga zones, and just name the satellite zone after its primary intent, e.g. “satellite-dmz-<location>”? The different host objects belonging to different IP subnets could then be put into hostgroups for example.
On a more serious note, the satellite should be put somewhere where it can access the required hosts and transports. The visual layer can be abstracted with groups and even business process logic on top.
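A sketch of the layout suggested in the last reply, added here as an illustration and not taken from any poster's configuration: one Icinga zone for the satellite, with the security zones expressed as hostgroups matched by subnet. All endpoint, zone and host names and all addresses are constructed placeholders, and the assumption is that each DMZ maps to its own IP subnet.

```icinga2
// zones.conf on master and satellite (all names and addresses are placeholders)
object Endpoint "master1.example.org" { }

object Endpoint "sat1.example.org" {
  host = "192.0.2.10"
}

object Zone "master" {
  endpoints = [ "master1.example.org" ]
}

// The endpoint is a member of exactly one zone, named after the
// satellite's purpose instead of a single security zone.
object Zone "satellite-dmz-site1" {
  endpoints = [ "sat1.example.org" ]
  parent = "master"
}

// zones.d/satellite-dmz-site1/hosts.conf on the master
// Hosts from both DMZs live in the same Icinga zone directory.
object Host "web01.dmz1.example.org" {
  check_command = "hostalive"
  address = "198.51.100.21"
}

object Host "db01.dmz2.example.org" {
  check_command = "hostalive"
  address = "203.0.113.34"
}

// zones.d/satellite-dmz-site1/groups.conf on the master
// The security zones become hostgroups, assigned by subnet.
object HostGroup "dmz1" {
  display_name = "DMZ1"
  assign where cidr_match("198.51.100.0/24", host.address)
}

object HostGroup "dmz2" {
  display_name = "DMZ2"
  assign where cidr_match("203.0.113.0/24", host.address)
}
```

With this layout zones.d/ holds one directory per satellite rather than one per security zone, and the trust relationship in zones.conf stays one endpoint to one zone.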